A few comments on the Data Protection Bill as announced in the Queen's Speech. Note that it is a Bill (i.e. primary legislation) covering all aspects of data protection including law enforcement as does the current Data Protection Act.
As is well known, Member State law can allow modifications to Articles 4(7), 4(9), 6(2), 6(3)(b), 6(4), 8(1), 8(3), 9(2)(a), 9(2)(b), 9(2)(g), 9(2)(h), 9(2)(i), 9(2)(j), 9(3), 9(4), 10, 14(5)(b), 14(5)(c), 14(5)(d), 17(1)(e), 17(3)(b), 17(3)(d), 22(2)(b), 23(1)(e), 26(1), 28(3), 28(3)(a), 28(3)(g), 28(3)(h), 28(4), 29, 32(4), 35(10), 36(5), 37(4), 38(5), 49(1)(g), 49(4), 49(5), 53(1), 53(3), 54(1), 54(2), 58(1)(f), 58(2), 58(3), 58(4), 58(5), 59, 61(4)(b), 62(3), 80, 83(5)(d), 83(7), 83(8), 85, 86, 87, 88, 89, and 90 of the GDPR.
There is no "phasing in" leeway and the GDPR becomes directly applicable next May, except in the areas where Member States are permitted by the GDPR to enact variations. It follows that there is no need to legislate for the GDPR except to implement such variations and exclusions. The Bill should therefore not be called the “Data Protection Bill”; a more accurate Short Title would be the “Data Protection (Exemptions from the GDPR) Bill”.
The fact that the Bill has several Parliamentary stages allows data subjects, NGOs and data controllers to propose modifications in the Articles identified above. Assuming that the Bill appears after the Summer Recess, representative bodies for data controllers, processors and data subjects should prepare to draft and argue for their proposed changes in terms of that list of Articles.
For example, I would like to see the UK implement Recital 142 and permit NGOs to take cases directly to the Commissioner on behalf of a class of data subjects (i.e. remove from Section 42 of the current DPA the requirement that a person asking for an assessment has to be “directly affected” by the processing of personal data).
The timetable is also tight. Assuming a Data Protection Bill commences its Parliamentary stages in October, it won’t be until December that the actual UK GDPR implementation emerges. This leaves 5 months or less in which the actual law is available for study.
The Government has to decide whether it will follow the structure of the current Act. When the 1984 Act was replaced with the 1998 Act, the Government deliberately chose to keep the same legislative structure (e.g. Scope and key definitions at Part 1, Sections 1-5, Principles in Schedule 1, Interpretation at Schedule 1 Part II, Rights in Part II, exemptions in Part IV) and retain certain terms (e.g. “exempt from the non-disclosure provisions”).
In my view, it would be helpful to keep this structure again: staff with data protection responsibilities know roughly where things are in the DPA and are familiar with the terms it uses, and keeping the same structure will allow for easier comparisons with the provisions of the new DP Bill.
The Government states in its Queen’s Speech Briefing Notes that “a new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online”.
I am not sure about the validity of the “world class” claim given that the European Commission considers the current DPA to be a defective implementation of Directive 95/46/EC and has stated that it is looking to see if the errors in the DPA implementation re-appear in the UK’s GDPR implementation.
The definition of filing system, ICO powers, and Member State flexibility in the definition of “data controller” will become a litmus test in this regard (see references for a list of “not quite world class” issues). For instance, will the UK follow the Irish lead and legislate for public authority data controllers not to face Monetary Penalty Notices?
The Home Office will be drafting the sections of the new Data Protection Bill that relate to exemptions for national security, law enforcement and policing. This returns to the dark ages of the 1984 Act, as the Department responsible for the public bodies that invade privacy as part of their day job is drafting the exemptions that allow that to happen. I always remind people that the DPA (and FOIA) are both Home Office-piloted legislation which contain, unsurprisingly, generous exemptions for Home Office interests.
To allow the Home Office free rein to design legislation that covers its own Departmental responsibilities in policing, immigration and national security is a conflict of interest too far. It is as if Dracula were in charge of drafting legislation to obtain pints of blood from the Blood Transfusion Service.
I am therefore half expecting the Home Office to take the opportunity to degrade the protection afforded by the current Data Protection Act, for instance by permitting disclosures to law enforcement authorities “in connection with” an investigation, rather than only where failure to disclose would prejudice an investigation (the standard currently required by section 29(3)). Permitting data sharing “in connection with….” has become the legislative standard with respect to disclosures since the passage of the DPA (e.g. data sharing in the Digital Economy Act 2017).
All exemptions in the GDPR implementation need to be compared with their DPA equivalents, as UK flexibility under Article 23 appears to be untrammelled. However, with respect to national security, there will be another Parliamentary opportunity to ensure that National Security Certificates are brought within the double lock procedure of the Investigatory Powers Act instead of being wholly excluded from it.
One purpose of the Bill is to “require major social media platforms to delete information held about them at the age of 18”. I am not sure about the over-emphasis on the Right to be Forgotten, as there is a natural balance between respect for private life and freedom of expression, and the Government's commitment does not appear to be balanced at all. For instance, should juvenile data subjects who have committed widely reported serious offences (e.g. serious assaults, stabbings, murders etc.) have an automatic right to be forgotten at 18?
Finally, the Bill would apply to the UK and “Data protection is a reserved matter” for the Westminster Parliament. I don’t see why this should be the case at all. Why can’t the processing by, for instance, Scottish Public Authorities or Scottish Data Controllers be subject to the Scottish Parliament?
If FOISA can be devolved successfully (e.g. some limited public authorities in Scotland remain subject to the FOIA enacted in Westminster), I cannot see why the DPA cannot become a devolved matter. SNP please note.
Other Publicity
Forthcoming Amberhawk courses this summer:
- DP Practitioner Course: 11 July (London)
- DP Foundation Course: starts 4 July (London)
- Next GDPR Workshop: 20 July (London), 12 September (Leeds)
References
‘Serious concern’ over exemption of public bodies from data protection fines: https://www.irishtimes.com/news/politics/serious-concern-over-exemption-of-public-bodies-from-data-protection-fines-1.3120643
Queen’s Speech Background Briefing Notes: https://www.gov.uk/government/topical-events/queens-speech-2017
List of defects in the UK’s DPA that the European Commission and UK Government keep secret: http://amberhawk.typepad.com/amberhawk/2017/03/uks-gdpr-law-will-not-be-judged-adequate-if-it-contains-provisions-that-made-the-dpa-inadequate.html
National security and the exclusion of data protection from the Double Lock: for example http://amberhawk.typepad.com/amberhawk/2016/06/message-to-data-subjects-national-security-purpose-is-free-of-constraints-such-as-lawful-or-compatib.html