What you need to know about the UK’s Data Protection Bill
LONDON — The Data Protection Bill will be debated in the House of Commons for the first time Monday afternoon. Here is what you should know about the bill, which will govern how data is used.
1. Brexit-proofing data flows
The Data Protection Bill is one part of Britain’s argument to the EU for an agreement to continue the free flow of data between the two sides after Brexit.
Data transfers between the EU and the U.K. are worth billions of pounds in trade and 75 per cent of the U.K.’s cross-border data flows are with EU countries, according to a U.K. government position paper last summer.
London must implement the General Data Protection Regulation — the EU’s sweeping new data protection rules — before May. Britain will remain a part of the European Union until March 2019.
But once Britain leaves, it will have to find a new agreement. EU rules dictate that personal data collected from the EU can only be transferred to a third country when an adequate level of protection is guaranteed.
If the U.K. is to have a chance of being granted “adequacy” — its favored framework — it needs to show its data protection standards are in lock-step with Brussels, and will continue to be.
In her Mansion House speech on Friday, Prime Minister Theresa May insisted that she wanted “more than just an adequacy agreement” on data. But she also threw a bit of red meat to Brexiteers with a promise of “domestic flexibility” to ensure that the U.K. regulatory environment can “respond nimbly and ambitiously to new developments” post-Brexit.
This is not necessarily a done deal. The European Commission issued a notice to stakeholders in January indicating companies were advised to consider how to prepare for the transfer of personal data to a “third country.”
2. The data protections
The European Commission’s new laws on data protection put new obligations on companies and public bodies that collect data while giving consumers new rights over how their data is handled.
For example, there is a requirement for those holding and processing data to show they have built in safeguards, and for those companies dealing with certain data to appoint a data protection officer.
The general public will also acquire new rights to know if their personal data is being processed, for what and where. They will also have the right to be forgotten and for their data to be deleted if certain conditions are met.
3. But not for everyone
There will be exemptions to the data protection rules around freedom of expression or in the public interest.
A clause in the Data Protection Bill that would exempt an organization like the Home Office from handing over information, or from allowing people to access the personal data it holds, if it can show that doing so would undermine effective immigration control is meeting resistance.
The campaigning groups — the 3million, a group that advocates for the rights of EU citizens living in the U.K., and Open Rights Group — have written to home secretary Amber Rudd to ask for the clause to be removed and are threatening legal action.
Shadow home secretary Diane Abbott says it is part of the government’s “constant anti-migrant” campaign.
4. The spooks
GDPR does not apply to activities outside the scope of EU law, so national security is not covered by the Commission’s legislation.
A raft of principles for the intelligence services are set out in the bill, including that processing of data by intelligence services must be lawful, fair and transparent, specified, legitimate and explicit.
But it is followed by clauses which allow exemptions from certain provisions for safeguarding national security, if permission from a minister is sought.
The deputy counsel of the U.K. Parliament’s Joint Committee on Human Rights has raised concerns about whether there are appropriate safeguards for cross-border data transfers by the intelligence services. He also thinks exemptions from data protection rights are “excessively wide.”
5. Super fines
The Data Protection Bill gives the U.K. Information Commissioner, the watchdog, more powers to penalize data breaches, including to fine organizations up to 4 percent of annual global turnover, or $20 million — whichever is greater.
The Commissioner, now Elizabeth Denham, will also be able to bring criminal proceedings if a data controller or processor alters records with intent to prevent disclosure following a subject access request.
6. Age of consent
The Data Protection Bill allows the age of parental consent for activities such as online shopping, banking, using search engines and using social media to drop from 16 to the minimum age allowed under GDPR of 13. The Commission has allowed member states to legislate if they want the lower age of consent.
But a move in the House of Lords, where the legislation started life, by campaigner Beeban Kidron — supported by the U.K. government — will require the information commissioner to produce a code of practice on the age-appropriate design of online services.
7. Rise of the robots
With algorithms increasingly used in everyday life, GDPR legislation gives people the right not to be subject to a decision based solely on an automated process.
Clauses to the U.K.’s Data Protection Bill include a requirement to notify someone if they are the subject of an automated decision “as soon as reasonably practicable,” and give them 21 days to request the decision is reconsidered or a new decision is taken which is not based solely on an automated process.
8. Henry VIII powers
The government has justified a clause that would give ministers the power to alter the application of GDPR — including adding or varying derogations — as giving it the “flexibility” to deal with changing circumstances.
As with the opposition to similar powers in the EU (Withdrawal) Bill, concerns were raised when the bill passed through the House of Lords. The U.K. government watered down some powers, but Liberal Democrat Lord Clement-Jones still didn’t think the case had fully been made and wanted to see ministers’ regulation-making powers further reduced.
9. Press regulation
Peers in the House of Lords used the bill to inflict defeat on the government with a requirement to launch a second inquiry into press misconduct (Leveson II) and to activate a clause in the Crime and Courts Act, which could leave media organizations open to large libel fines — including covering the legal costs of a claimant, even if they win — if they do not sign up to a press regulator recognized by the Press Recognition Panel (PRP), which was established by Royal Charter.
Press regulation is a personal plight for Labour shadow culture secretary Tom Watson.
The U.K. government is set to dig in to resist the measures added to the bill by the Lords. The issue is likely to take up quite a bit of the debate in the House of Commons.