Details of the new Data Protection Bill were announced on 7 August 2017, which it is promised will replicate in domestic law the entirety of the General Data Protection Regulation (GDPR), due to take effect on 25 May 2018.
The Government promises the Bill will “strengthen individuals’ rights” to control their personal information and “protect people’s privacy”, notably providing a “right to be forgotten” for users which will allow them to request social media companies to delete stale information, especially those posted by a child, subject to “very narrow exemptions”. All of this is already contained in the GDPR so there are no surprises here.
While the proposals promise to mirror the GDPR fully, there is some important insight into the Government’s intentions regarding the derogations permitted under the GDPR which are to be included in the new Bill. The scope of derogations is eagerly-awaited as without this, how GDPR will work in practice in many areas remains wholly unclear. Indeed, the Statement of Intent says that the GDPR “requires some modification to make it work”.
The notable planned derogations are as follows:
- The Government has confirmed that it intends to substantively replicate the existing exemptions for journalists from certain provisions of the Bill. It is unclear how this will be reconciled with the right to be forgotten. However, there is an indication that the ICO may be given greater powers over enforcement action in relation to journalistic processing (as was recommended in the Leveson Report) which is likely to be controversial.
- The new Bill will increase the minimum age of consent to having data processed from 12 (which is the current age of consent in certain areas) to 13 years old (the GDPR allows for a range of 13-16 years old).
- Under the GDPR, only bodies with official authority will be permitted to process personal data on criminal convictions. The Government intends to create some derogations in this area along similar lines to those currently in place, allowing all organisations to process these as sensitive personal data in specified circumstances. This would fall short by some margin of the current purpose-based exemption for the processing in the context of preventing or detecting crime.
- The Government has confirmed that it will legislate for an exemption permitted under the GDPR which allows organisations conducting scientific, historical, statistical or archiving work in the public interest to be exempt from certain GDPR obligations, with appropriate safeguards, where such obligations would seriously impede these organisations from completing their work.
The Bill is expected to be produced to Parliament before the end of the year but no commitment on timing has been given.
Data Protection partner Jo Sanders said: “The Government itself recognises that for GDPR to be workable it depends on having clear and strong exemptions. The Statement of Intent is light on detail and there is an urgent need for the Government to publish the Bill so that businesses can see how it will affect their day-to-day operations well before 25 May.”
The Statement of Intent can be read in full here.
We continue to track developments in data law and practice in our quarterly eBulletins. You can find the latest one here.