Government sets out details of new data protection legislation
The Government has today published a Statement of Intent setting out details of the forthcoming Data Protection Bill. Matt Hancock MP, the Digital Minister, says that the reforms will "bring our data protection law up to date" whilst transferring the General Data Protection Regulation ('GDPR') into domestic law. The text of the Data Protection Bill is expected in early September.
The full text of the Statement can be found here, with Matt Hancock's Letter to Stakeholders found here. The Statement confirms that the Government will implement the GDPR and indicates the derogations it intends to exercise. We set out some highlights below.
Article 8 of the GDPR provides for children to be able to give their lawful consent to processing in connection with the provision of information society services where they are at least 16 years old, unless Member State Law provides for a lower age being not less than 13.
The Government proposes to allow children above the age of 13 to give consent to processing, with those under the age of 13 requiring the consent of a parent/guardian.
The Statement also indicates that as well as enforcing age limits, the Government expects responsible websites to prevent the exposure of children to inappropriate content.
The Right to be Forgotten
In accordance with the Conservative manifesto commitment, individuals will be able to ask for their personal data to be erased in certain circumstances, including the removal of social media posts. This will include, but appears not to be limited to, the ability to require the deletion of material posted before the age of 18 "subject to very narrow exemptions".
The Government will implement the derogation under Article 22(2)(b) to allow automated processing in the absence of explicit consent or it being necessary for the entering or performance of a contract. Individuals will have recourse for unfavourable, and presumably unjustified, automated decisions.
No indication is given as to what will be considered "legal or similarly significant effects", and therefore the circumstances in which a human element must be introduced, so it may be necessary to wait for the ICO's guidance following its Feedback request on profiling and automated decision-making, which was published in April.
The criminal offence at s55 Data Protection Act 1998 will be extended to cover not only obtaining, disclosing or procuring the disclosure of personal data without the consent of the data controller but also the retention of data. The Government confirms that it shall introduce a new defence for journalistic activity, remedying the current discrepancy between the application of the public interest defence and the journalism exemption.
A new criminal offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data will also be introduced with an unlimited fine.
The journalism exemption set out in s32 of the Data Protection Act 1998 will remain, with the Statement specifically confirming that "the important role of journalists and whistleblowers in holding organisations to account and underpinning our free press will be protected by exemptions", with the current exemption used as a "baseline". The Statement goes on to state that the Government considers the "existing exemptions…strike the right balance between privacy and freedom of expression".
This suggests that the exemption will be expanded to cover new rights afforded by the GDPR but may not result in the conditions for the application of the provision being revised.
Data relating to criminal convictions
The GDPR allows the UK to authorise the processing of personal data relating to criminal convictions and offences otherwise than by a public body or authority. The government intends to exercise the derogation as there are many organisations that would not be classed as an 'official authority' who process criminal convictions data (e.g. insurers processing criminal convictions data for anti-fraud purposes or employers conducting permitted criminal records checks).
Public authorities, which are not defined under the GDPR, are restricted in the manner in which they can rely on the legitimate interests condition for processing. The Government has indicated that it intends to use the definition set out under the Freedom of Information Act 2000, which for some quasi-public organisations (such as public service broadcasters) could result in a purposive approach.
The ICO shall continue to be the sole supervisory authority in the UK and, together with the UK National Accreditation Service (UKAS), shall be accredited to certify and issue data protection seals and marks for the purposes of demonstrating compliance.
The draft Data Protection Bill itself is expected in early September.