On the 14th of September, the Government published the new Data Protection Bill. And it’s the most sweeping overhaul of data protection laws for two decades. Tod Davies, our trainee solicitor, explains what the Bill means for Data Protection.
Digital Minister Matt Hancock boasted that the new Bill will ‘give us one of the most robust, yet dynamic, set of data laws in the world, to give people more control over their data, require more consent for its use, and prepare Britain for Brexit’.
The Bill will transfer the European Union's General Data Protection Regulation (GDPR) into UK law, and that law will be retained post-Brexit. It’ll come into force in May 2018 to coincide with the GDPR. Our existing data rules must be updated to match the GDPR, so that organisations can still send data back and forth throughout Europe after Brexit.
Recent research found that 80% of people feel they don’t have complete control of their online data. To help combat these fears, the Bill:
- makes it simpler for people to withdraw consent for their personal data to be used
- expands the definition of personal data to include IP addresses, cookies, and DNA
- includes the ‘right to be forgotten’, so individuals have more power to get companies (including social media) to wipe their data
- states that all data collected before a person turns 18 (like social media posts) must be deleted if they ask. Parental consent won’t be needed to process data online from 13 years old
- makes it harder for firms to pass data onto third parties, like cold callers. People will now have to explicitly opt-in, rather than ticking a box to opt-out.
The Bill will also carry the exemptions to the GDPR (that’ve been in place since the Data Protection Act 1998) over to the new law. These safeguard:
- journalists who access personal data on the grounds of freedom of expression and to expose wrongdoing
- scientific/historical research organisations, like museums/universities, from certain obligations that would hinder their work
- anti-doping agencies who’re trying to catch drug cheats
- financial services firms who handle personal data on suspicion of terrorist financing or money laundering.
These exemptions allow journalists to preserve their sources’ anonymity, or access personal data without consent, if it’s in the public interest. With anti-doping, agencies can handle an athlete's personal data without consent, which prevents athletes from gaining an advantage by simply withdrawing consent during the testing process.
Where justified, the Bill will allow sensitive data and criminal conviction data to be processed without consent, for example so that employers can comply with employment law.
To enforce the new laws, the Information Commissioner's Office will impose heavy fines on companies who don’t protect personal data, increasing the maximum fine from £500,000 to £17 million, or 4% of global turnover. For larger social media companies and search engines, this could mean billions of pounds worth of fines.
Some experts, including Mike Cherry, National Chairman of the Federation of Small Businesses, have warned that businesses (particularly small ones) are completely unprepared for the new rules. This ‘creates a real risk of companies inadvertently facing fines’ before they can adapt.
The Government says the Bill will make the UK’s data protection laws fit for the digital age. It’ll empower people to take control of their data, and strengthen individual rights. It has also said that, as far as possible, existing lawful data processing should continue, to cause as little interruption to businesses as possible.