On September 13, 2017, the UK Data Protection Bill (the “Bill”) was introduced in the House of Lords. The UK government announced its intention to propose new legislation to update existing UK data protection law (namely the Data Protection Act 1998 [the “1998 Act”], which will be repealed) in the Queen’s Speech on June 21, 2017. A Statement of Intent published by the Department for Digital, Culture, Media, and Sport in August stated that the new rules would modernise UK data law for the digital age and ensure that the UK’s rules are aligned with the rest of the European Union (“EU”) to allow for free cross-border flow of data after the UK has left the EU.
To this end, the Bill covers four main areas—general data processing, law enforcement data processing, data processing for national security purposes including processing by intelligence services, and regulatory oversight and enforcement—and implements the EU General Data Protection Regulation (“GDPR”), which comes into force on May 25, 2018, and the Law Enforcement Directive, which is already in effect and must be transposed into domestic legislation by Member States before May 6, 2018.
Much of the Bill replicates the 1998 Act and is, therefore, uncontroversial. However, some of the 194 sections have attracted debate. For example, Section 82 of the Bill tightens the definition of “consent.” Consent means offering individuals genuine choice and requires affirmative action; pre-ticked boxes, “opt-outs,” or any other method of consent by default will not be a valid indication of consent under the new regime. Consent should be explained in clear and plain language, and, to avoid any ambiguity, consent requests should be kept separate from other terms and conditions. Individuals should also be informed of their right to withdraw consent at any time, and it should be simple for them to do so. Public authorities and employers will need to take particular care to ensure that consent is freely given.
Other notable changes proposed in the Bill are:
- Expansion of the definition of personal data to include IP addresses, internet cookies, and DNA (Section 4);
- Right for data subjects to request that data relating to them is erased (Section 45);
- Increased powers for the UK Information Commissioner's Office (“ICO”) to issue fines of up to £17 million or 4% of annual global revenues in cases of data breaches (Section 150); and
- Creation of two new criminal offences of altering personal data to prevent disclosure, and re-identifying de-identified personal data (Sections 161 and 162).
The Bill is due for its second reading in the House of Lords on October 10, 2017, when the members of the House will debate the key principles and highlight any concerns or specific areas where they think amendments to the Bill are required.
A copy of the Bill can be found here, and the accompanying Explanatory Notes here.