On 7th August 2017, the UK Government published a Statement of Intent (SoI) in relation to a new Data Protection Act. The Bill will be published in September and the Act must be in force by 25th May 2018.
The purpose of the Act is to import into domestic law the EU General Data Protection Regulation (GDPR) and the EU Data Protection Law Enforcement Directive (DPLED), which together replace the 1995 Framework Directive. Despite Brexit, the UK is committed to importing these instruments into domestic law – not to do so would create fundamental, if not insuperable, problems for businesses, regulators and law enforcement agencies.
The Government states that the Bill will introduce:
The following changes will be made to the data protection enforcement regime under the auspices of a ‘tough regulator’. The Information Commissioner’s Office (ICO) will be empowered to take the following actions:
In particular, the Government promises to:
As with the DPA 1998, the GDPR applies to ‘personal data’. Personal data is currently defined as data which relate to a living individual who can be identified from it, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
However, the GDPR’s definition is more detailed and makes clear that information such as an online identifier, for example an IP address, can itself be personal data. The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA 1998 definition and could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised can fall within the scope of the GDPR depending on how difficult it is to attribute a pseudonym to a particular individual.
The GDPR refers to sensitive personal data as ‘special categories of personal data’. These categories are broadly the same as those in the DPA 1998, but there are some changes. For example, the special categories specifically include genetic data and biometric data (where processed in such a way as uniquely to identify an individual). Personal data relating to criminal convictions and offences are not included, but additional safeguards apply to the processing of such data.
Different rules apply to organisations with more than 250 employees but, in essence, organisations must:
Organisations may:
In May 2017, the Government received 324 responses to their ‘Call for Views’ on the implementation of the GDPR.
The Law Society and the General Council of the Bar expressed a number of concerns in relation to:
The General Medical Council informed the Government that the GDPR raises problems with:
The Gambling Commission identified the following problems:
It remains to be seen whether, and if so how, the UK Government proposes to deal with those issues and others raised by commercial organisations and NGOs.
On 1st December 2016, the EU announced the creation of the EU-US data protection ‘Umbrella Agreement’ which put in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation. Its commercial equivalent – the EU-US ‘Privacy Shield’ – remains contested and its implementation will be reviewed alongside the domestic implementation of the GDPR.
While the features of a new UK Data Protection Act are emerging from the GDPR, the detail, and much that is important for UK businesses, remains obscure. The Government of the Netherlands has opted to set the maximum level of fine for ‘egregious’ breaches of their new domestic criminal offences at 10% of global turnover. It remains to be seen whether the UK’s tough new enforcement regime will be as tough as it claims or might yet be tougher still.
Gavin Irwin is a specialist advocate in serious and financial crime. He regularly advises and appears in matters concerning fraud, money laundering and corruption. Gavin is instructed to advise individuals and businesses on regulatory and risk-management issues, including: sanctions and export licensing; data protection; consumer protection; and professional conduct and discipline.