The UK government has announced plans, in a "statement of intent" for a new Data Protection Bill (Bill) which largely just reflects the requirements within the EU General Data Protection Regulation (GDPR).
The GDPR is a directly applicable Regulation which is already "law" but is not yet in force. It will come into force on 25 May 2018, which will be before Brexit occurs and regardless of whether or not the new Bill has become or does become law at that point. Nevertheless we are still often asked by clients what will happen to the GDPR on Brexit and whether a "soft" or "hard" Brexit might have an impact.
The announcement of the Bill reinforces the position that, putting aside questions of the source of law, the GDPR will be here to stay. It is the UK government's intention to strengthen UK data protection laws in order to provide individuals with more control of their data and maintain a landscape which is in tune with EU minimum standards.
There are some interesting derogations and further snippets trailed in the statement of intent which are worth noting, however:
The Government intends to extend the right to process personal data on criminal convictions and offences so as to enable organisations other than those vested with official authority to process criminal convictions and offences data. This will be a relief to private sector processors of such data – such as certain financial services providers - which, under a literal reading of the GDPR, would have been prohibited from doing so.
The protection for ‘investigative journalism’ in s 32 of the Data Protection Act 1998 is also to be renewed.
The default position under GDPR is that individuals have the right not to be subject to decisions based on the automated processing of personal data. In the world of algorithms which we increasingly exist in this already sounds anachronistic. Unsurprisingly, the Government will legislate for a "legitimate grounds" exemption in this space. The UK government considers there to be, "legitimate functions which are dependent on automated decision making" and recognises that a balance must be struck. The draft Bill will allow businesses to use automated decision making, such as automated credit reference checks, where there are legitimate grounds to do so. It remains to be seen how these legitimate grounds are defined but there appears to be a focus on the availability of timely recourse involving human intervention acting as a legitimising backstop. It seems inevitable that the more damaging an "incorrect" decision may be, the more important it will be for the data subject to have a timely and convenient route to redress if the automation of that decision making process is to be justified.
Maximum fine - £17million
Under the GDPR, businesses that commit a serious data breach could be fined up to 20 million euros or 4% of global turnover. In the Statement, the Euro figure has been pinned at £17 million pounds.