On September 13, 2017, the UK Government published a new Data Protection Bill regulating the use of individuals’ personal data.
The Bill, which is intended to replace the UK Data Protection Act 1998, would serve a range of functions, most notably setting out how the UK intends to make use of its leeway to derogate from basic rules in the new EU General Data Protection Regulation 2016/679 (the “GDPR”). For instance, the GDPR allows countries in the EU to modify its rules or introduce additional sanctions where necessary to protect freedom of expression, research, or other public interest objectives.
The Bill would also apply “GDPR-like” rules to data that is not covered by the GDPR (such as data in unstructured paper-based files), implement the new EU Police and Criminal Justice Data Protection Directive (the “PCJ DPD”), and set down privacy and data security rules for its intelligence agencies.
The Bill will now undergo further debate and amendment, and should hopefully clear both Houses of Parliament in advance of May 25, 2018, when the GDPR will become law in the UK subject to any modifications implemented by the Bill.
This post discusses some of the Bill’s salient points for commercial organizations.
In drafting the Bill’s GDPR-modifying provisions, the UK Government appears to have had two objectives: making substantial use of Member State leeway to derogate from some of the GDPR’s more stringent rules, where appropriate, while maintaining an approximation of the UK legal status quo where possible.
While imperfect (and even more complex to navigate than its predecessor, which UK judges had characterized as “cumbersome and inelegant”), the proposed Bill appears to have done a good job meeting those objectives.
1) Permitted uses of data
The Bill would consolidate the wide range of permitted grounds on which sensitive data (such as data pertaining to health, political opinions, or ethnicity) can lawfully be collected, used and shared. At present, the grounds are scattered across the 1998 Act and secondary legislation issued over the past two decades.
Typically, the government has also preserved the same conditions and limits of each ground. Scientific research and statistics, for example, can use sensitive data without consent, provided that the use:
- Must be in the public interest;
- Must not be for the purposes of measures or decisions with respect to a particular data subject; and
- Must not be likely to cause substantial damage or substantial distress to an individual.
This reproduces an existing basis under the UK’s Data Protection (Processing of Sensitive Personal Data) Order 2000 – though some have questioned whether those conditions remain fit for purpose, fearing for example that they might not be broad enough to support valuable advances in machine learning and artificial intelligence, particularly in sectors handling large amounts of sensitive data, such as healthcare.
2) Exceptions to individuals’ rights
In certain situations, the GDPR permits Member States to limit or set aside the rights it otherwise gives individuals – for instance rights to access, amend or erase data concerning them, or to “port” the data to a competing service.
The Bill would make quite full use of that leeway. It contains a substantial list of exceptions (and associated safeguards) covering activities as diverse as journalism, academia, scientific research, statistics, employment (including diversity monitoring), corporate finance, management forecasting, negotiations, attorney-client privilege, self-incrimination, fraud detection, law enforcement, mandatory disclosures, the functions of public bodies and regulatory authorities, and the protection of other individuals.
Many of these exceptions (and associated conditions and safeguards) are carried over from current law, but with some changes – academia, for instance, becomes a significant beneficiary of exemptions hitherto reserved for journalism, literature or art.
3) Age of consent for digital services set at 13
The Bill would set as low as possible the age at which apps, websites and other digital services can obtain consent directly from a child rather than their legal guardian, before collecting and using that child’s personal data. The default GDPR threshold is 16, but Member States are allowed to set it as low as 13.
The threshold will only apply where collection and use of the data is justified by consent, rather than being based on one of the law’s many other (non-consensual) grounds for collecting personal data.
4) Extraterritorial scope
The Bill’s broad extraterritorial scope could be a concern. As drafted, the Bill would apply to companies even when they are based in another EU country (not the UK), when offering goods or services to persons in the UK or monitoring their behavior. This would mark a significant departure from current law, and could lead to non-UK companies around the world (including elsewhere in the EU) having to analyze up-to-the-minute location data about users, staff etc. in order to determine whether or not they need to comply with UK law.
If the Bill’s example is followed in other EU Member States, EU-based organizations could find themselves simultaneously subject to the data protection laws of any EU country they advertise or provide services to (or monitor individuals in, for instance on the Internet) – even if they have no other connection to those EU countries. The result could be unworkable, particularly for businesses that are active online.
5) New offences
The Bill would debut several new offences that are subject to unlimited fines, and potentially the personal liability of consenting, complicit or negligent company officers and directors. New offences include:
- knowingly or recklessly re-identifying de-identified personal data without consent of the “data controller” responsible for de-identifying the data;
- knowingly or recklessly processing the illegally re-identified data, again, without the consent of the controller originally responsible for the de-identification; and
- altering, deleting or concealing information that should have been disclosed to an individual exercising their rights under the GDPR to access or port their data. It would be a defense to prove that the change would have happened anyway (e.g., through automated, periodic purging of backup copies), or that the defendant acted in the reasonable belief that the requester was not entitled to receive that data.
The Bill would also extend an existing offence of knowingly or recklessly obtaining personal data without consent of the data controller: under the Bill, this would also penalize retaining the personal data without such consent.
The practical application of these offences may need to be clarified as the Bill proceeds through Parliament. For instance, it is not clear whether companies that obtain or acquire data from a third party source are liable for “unauthorized retention” prosecution if the source subsequently “revokes” their consent to its retention.
7) Universities face loss of the “legitimate interests” ground for using personal data
Under the GDPR, “public bodies” are no longer permitted to process personal data on the basis of their or a third party’s “legitimate interests,” and will therefore need to point to other grounds – such as a legal obligation, or consent from each individual – before they can use personal data.
The Bill would define public bodies to include entities subject to the UK’s Freedom of Information Act 2000. As this includes universities, this would deprive them of the legitimate interests ground, which could potentially complicate their use of data from staff, pupils, and/or research subjects, including as part of research collaborations with the private sector.
The Bill would however give the UK government the ability to pass secondary legislation effectively “de-designating” entities as public bodies; a carve-out for universities may be forthcoming.
8) Lack of clarity over legal privilege and a company’s Data Protection Officer
The GDPR requires many organizations to appoint a Data Protection Officer (“DPO”) to oversee and be consulted on all GDPR compliance matters. While the Bill states that legal privilege can be asserted over communications to/from the organization’s professional legal advisors, it is less clear as to whether communications to/from the DPO – which could be particularly sensitive – would benefit from similar protection if the DPO is not also a practising lawyer.
These and many other potential issues may come up during the Bill’s journey through Parliament over the coming months. Its first substantive debate is expected on October 10th.
Covington is helping organizations understand the potential impact of this Bill and its counterparts in other EU Member States. If you would like to know more, please contact Daniel Cooper, who heads Covington’s Data Privacy and Cybersecurity team in London.