Charities and businesses will be aware that the EU’s General Data Protection Regulation (GDPR) is scheduled to become UK law from 25 May next year. The regulation has “direct effect” meaning that it is binding in the UK and does not need implementing legislation (such as a new Act of Parliament).
However, GDPR does allow the UK to “derogate” from (add to or amend) certain rules in GDPR, as they apply in the UK. As a result, while organisations are expected to comply with the new UK law in just nine months, the law itself is not finalised in many respects.
From April to May this year, the Department for Digital, Culture, Media & Sport (DCMS) ran a consultation on how the UK should approach these derogations. The consultation was very broad, not revealing the government’s position on what the new UK law should look like. BWB responded with some key points, while suggesting that government should also consult on any draft Data Protection Bill. Yesterday morning, the government published its response.
While much of the press has reported the response as heralding a “new privacy law”, a large part of the government’s response deals with issues (e.g. the unacceptability of pre-ticked boxes as a means of obtaining consent; the ‘right to be forgotten’) which are part of GDPR, and so have already been decided in 2016, at EU level. However, the government has provided some helpful clarification on a number of issues, including the following:
- Children: the response states that government will legislate to set the minimum age at which a child will be able to consent to processing of their personal data at 13. The draft Data Protection Bill, when released, will presumably make clear whether this rule applies to “information society services” (as is set out under GDPR) or more broadly when children are providing consent to data processing. In our response, BWB requested greater clarity about how organisations are expected to verify children’s ages, and government indicates that this issue will be addressed in an “Internet Safety Strategy”, as part of the government’s Digital Charter. Watch this space!
- Processing of criminal data: BWB suggested that, under the new law, the UK should create a clear legal basis for organisations to process data about criminal convictions and offences (under the current law, it is treated as “sensitive personal data” and so can be processed by anyone as long as certain conditions are met). Organisations clearly have many reasons to legitimately process this kind of data, such as running criminal records checks. Government agrees and intends to “take a similar approach to that taken for the processing of special (i.e. sensitive) categories of personal data” – i.e. to reflect the current law. More broadly, government notes that GDPR does not deal with the processing of personal data for law enforcement purposes and public security, and plans to incorporate other EU law (which addresses this issue) into the draft Bill.
- Consent to fundraising: while GDPR already states that pre-ticked boxes do not constitute consent, it is worth noting that the government repeats this, stating “[w]e will ensure that the default reliance on the use of default opt-out or preselected “tick boxes” - which are, in any case, largely ignored - will become a thing of the past”.
- Criminal liability: criminal sanctions for breaches of data protection law will be expanded. For example, two new offences will be created – an offence of ‘intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data’ and an offence of ‘altering records with intent to prevent disclosure following a subject access request’. The maximum penalty for these offences, in England and Wales, would be an unlimited fine. Government also proposes to widen the existing offence of unlawfully obtaining data, “to capture people who retain data against the wishes of the [organisation]”. It remains to be seen how this will look in practice.
- Automated processing: GDPR grants individuals the right not to be subjected to decision making based on automated processing of their personal data. The government has stated that it will implement a limited exemption from this, which allows processing by automated means where there are legitimate grounds for processing and safeguards are put in place – the example given is when banks are undertaking credit checks.
- Freedom of expression in the media: the government plans to broadly replicate the current exemptions in s.32 of the Data Protection Act 1998, which allow a more lenient regime in some circumstances where data is processed for the purposes of journalism, literature and art.
Overall, the government has stated that it wishes to “offer further clarity and certainty to business” and “to alleviate administrative and financial burdens on data controllers”; while simultaneously “strengthening individuals’ rights” and making organisations “more accountable”. The consultation response provides some clarity to organisations about when the current law will be replicated to fill “gaps” in GDPR, and when they should expect the law to change.
However, many questions remain unanswered, and will continue to do so until a draft Data Protection Bill is published.
Posted on 08/08/2017 in Legal UpdatesBack to Knowledge