United Kingdom

[GB] Government introduces Data Protection Bill into Parliament

IRIS 2017-10:1/19

Tony Prosser

University of Bristol Law School

The UK Government has introduced a Data Protection Bill in the House of Lords, which should complete its passage through Parliament and become law next year. The Bill is intended to implement a commitment in the 2017 Conservative Party manifesto to replace the current data protection laws (which date back to 1998, see IRIS 1998-8/21) to make them suitable for the digital age, in which ever-increasing amounts of personal data are being processed. The intention is also to update the law to comply with the EU General Data Protection Regulation (2016/679) (GDPR); after Brexit the GDPR will be retained as part of domestic law. The Bill also implements derogations and exemptions under the GDPR where member states have opportunities to make their own provision.

The Bill proceeds by defining what is meant by the ‘controller’ of data, supplementing the definition in the GDPR, and the meaning of ‘public authority’ which the GDPR does not define. It sets out the conditions in which data may be lawfully processed, including those relating to special categories of personal data concerning race, political opinions, health etc. One aim is to secure that sensitive health and safeguarding data can continue to be processed in confidence. It also makes provision for limiting the rights of access of individuals to data in special cases, such as those of regulatory bodies, the judiciary and ongoing investigations.

The Bill extends the scope of the relevant articles of the GDPR to general data outside the scope of EU law. It seeks to make provision for the transposition into UK law of the EU Law Enforcement Directive (2016/680) relating to the processing of personal data by competent authorities for the prevention, investigation, detection or prosecution of criminal offences, including the prevention of threats to national security. It also applies to the domestic processing of personal data for such purposes. Provision is made additionally to regulate the domestic processing of personal data by the security services. This is currently outside the scope of EU law, so the UK approach is based on the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS108).

The Bill re-enacts provisions relating to the Information Commission as the competent authority in this field. The GDPR substantially increases the power of the competent authorities to issue fines for breach of rules; the Bill provides for procedural safeguards in this process, and appeal to the First-tier Tribunal is retained. It also modifies criminal offences for breach, and creates some new criminal offences to deal with emerging threats; for example, the deliberate re-identification to avoid disclosure of individuals whose personal data is contained in anonymised data.

Although the Bill is long and complex, it does not depart radically from the previous scheme in the Data Protection Act 1998, which it will repeal. It remains to be seen to what extent the Bill will be amended during its passage through Parliament.



Related articles

IRIS 1998-8:1/21 [GB] Data Protection Act 1998

This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.