United Kingdom's Government announces details of upcoming Data Protection Bill
Today, the United Kingdom (UK) government’s Department for Digital, Culture, Media & Sport announced their plans for the upcoming implementation of the European Union’s (EU’s) General Data Protection Regulation (GDPR) in an official statement of intent.
As well as being incorporated into UK law, GDPR, which will continue to be in effect after Brexit, will be supplemented by the UK’s own upcoming data protection legislation, currently known as the Data Protection Bill.
Stephen Robinson, Chief Executive Officer at Xyone Cyber Security, welcomed today’s announcement: “This is the detailed and positive response the industry has needed to clarify our position on data protection and information security post-Brexit. Aligning our own Data Protection legislation with the European GDPR is a huge step in ensuring our clients will be in a position to continue to trade with the single market. It’s also huge news for individuals, who will have the greatest amount of control of their own data, not only in the world today, but also in the history of the World Wide Web.”
As the UK government’s Digital Minister Matt Hancock made clear of the UK’s Data Protection Bill in a statement of intent today, “The Bill includes tougher rules on consent, rights to access, rights to move and rights to delete data”. As GDPR will be included in UK law (including the frequently reported increase in civil sanctions, with potential fines of “up to £17m (€20m) or 4% of global turnover”), much of today’s announcement details the additional intentions of the new Data Protection Bill.
On enforcement of the Bill, Matt Hancock continued by stating that “When it comes to law enforcement, the Bill will ensure that the data of victims, witnesses and suspects of crimes, are protected in the context of criminal investigations and law enforcement action”. In its intent, the Bill should not interfere with the amount of information or data required by ongoing and future criminal investigations.
One of the most significant UK-specific additions to data protection in the Bill is the reference to criminal sanctions on data handling. Specifically, there will be the potential for an unlimited fine for those found guilty of “intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data”. The statement adds that “Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine”. Those attempting to discover or make known the actual identity of people whose identities have been intentionally anonymised or hidden (whether anonymous individuals, victims of crimes with newly assigned identities, or persons unidentifiable for other reasons) may face fines with no upper limit.
Today’s statement also detailed the ways in which law enforcement will be affected by the Data Protection Bill. The Data Protection Law Enforcement Directive (DPLED), included as part of the UK’s Data Protection Bill, “is not ‘directly applicable’ EU law”, and as such, provisions for enforcing the Bill must be implemented by the UK before the 6th May 2018. For law enforcement, the Data Protection Bill’s aim is to “create a bespoke regime for law enforcement data protection, tailored to meet the needs of not only the police, but also prosecutors and other criminal justice agencies”, including organisations specific to the UK such as “Her Majesty’s Revenue and Customs, the Environment Agency, or the Driver and Vehicle Licensing Agency”.
The UK government will also have the added ability to request the deletion of information from social media platforms, as stated today, with individuals having “the ability to require social media platforms to, on request, delete information held about them at the age of 18”. Before this age, the UK government has legislated to allow a “child aged 13 years or older to consent to their personal data being processed”. In addition, in terms of information processing, if an “individual requests information on the ways in which their personal information is processed, the data controller will be required to provide that information free of charge”. There is an exemption: if the request(s) are found to be excessive or unfounded, this obligation may not apply.
Today’s statement also refers to the key role Cyber Security plays in current and future data protection efforts. As stated by the Department for Digital, Culture, Media & Sport, “the Cyber Essentials accreditation scheme offers a mechanism for organisations to demonstrate that they have taken basic technical measures to protect their systems against the most common cyber threats”. This comes as part of the government’s observations on Cybersecurity and Data Protection, following on from the National Cyber Security Centre’s (NCSC’s) ‘10 Steps to Cyber Security’, which can be found at https://www.ncsc.gov.uk/guidance/10-steps-cyber-security.
The General Data Protection Regulation will have direct effect from 25th May 2018. The Data Protection Bill will repeal the Data Protection Act 1998, include GDPR’s legislative details, and add new legal mandates as can be found in the full statement of intent issued today at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/635900/2017-08-07_DP_Bill_-_Statement_of_Intent.pdf.