The draft Data Protection Bill [HL] 2017-19 will get it’s second reading in the House of Commons today, Monday 5th March 2018, moving one step closer to receiving Royal Assent. In preparation for the second reading, the House of Commons issued a 60-page briefing paper which includes a summary of the Bill and the House of Lords debates.
In May 2018, as we all know, there will be some changes to the EU’s data protection framework – the General Data Protection Regulation (GDPR) will apply from 25th May and as it is a Regulation it does not need to be transposed into domestic law. But prior to that, the Police and Criminal Justice Directive, also known as the Law Enforcement Directive (LED), needs to be transposed into UK law by 6 May.
GDPR widens the scope of the previous Data Protection Directive, (which was the EU legislation that unpinned the Data Protection Act 1998), to provide data subjects with greater protection for their personal data and also extends data subject rights. The Regulation reduces the principles from 8 to 6, but introduces 8 data subject rights, some of which are a continuation of rights under previous legislation, (like subject access requests), but some are new. Data controllers must be able to demonstrate compliance with all the principles (accountability) and there are new obligations for data processors.
The LED will apply to both the cross-border and domestic processing of personal data for law enforcement purposes and repeals the previous 2008 Framework Decision. The Directive is designed to protect the personal data of individuals involved in criminal proceedings, whether they are witnesses, victims or suspects. In addition, it is anticipated that the LED will “facilitate a smoother exchange of information between Member States’ police and judicial authorities, thereby improving cooperation in the fight against terrorism and other serious crime in Europe.
An overview of the LED can be found at:
Council of Europe Convention on Processing Personal Data
The Council of Europe is not an EU institution and the UK will continue to be a member after Brexit. The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No108) was the first binding instrument on data protection. The UK ratified the Convention in August 1987 and it entered into force on 1 December 1987:
“[The Convention]…protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the trans frontier flow of personal data.”
The Convention will be modernised and will reflect the same principles as GDPR. A draft version is available online https://www.coe.int/en/web/data-protection
The Draft Bill
The draft Data Protection Bill (‘the Bill’) has a number of purposes:
It sets out how the UK would apply the derogations available under GDPR
It will bring the Law Enforcement Directive (LED) into UK law
It updates the laws governing personal data processing by the intelligence services
It aims to ensure that the UK would be able to freely exchange data with the EU post-Brexit
It will repeal the Data Protection Act 1998
The Bill was originally introduced into the House of Lords on 13th September 2017, but it’s passage has been slow due to a number of concerns around the age of consent for children to have access to information society services, immigration control and freedom of expression in journalism.
GDPR allows Member States a limited number of derogations, and following consultations in 2017, the Government confirmed it would exercise those derogations in the following areas:
The age of consent for children to access information society services
Processing criminal conviction and offence data
Automated individual decision-making
Freedom of expression in the media
The Bill was introduced to the House of Lords on 13th September 2017 and following much debate it was introduced to the House of Commons on 18th January 2018.
The Department for Digital, Culture, Media and Sport (DCMS) factsheet provides a succinct summary of what the Bill will do –
The Bill is split into seven Parts and eighteen schedules:
Part 1: Bill overview and definition of key terms
Part 2: General data processing in line with GDPR and other general data processing in areas outside the scope of EU law
Part 3: LED and law enforcement processing
Part 4: Nation Security Processing through a modernised Council of Europe Convention
Part 5: Functions and Duties of the Information Commissioner – including requirement to publish codes of practice of data sharing, direct marketing, age appropriate design for online services likely to be accessed by children
Part 6: Enforcement regime and ICO Powers
Part 7: Various issues including regulation to be made under the Act, penalties for offences and the Act’s territorial application
The Briefing Paper also includes a summary of the House of Lords debates for those who are interested in reading more http://researchbriefings.files.parliament.uk/documents/CBP-8214/CBP-8214.pdf which the full debate transcripts are available of the House of Lords website.
So, for those of you using the 80 days (inc weekends and bank holidays) to prepare for GDPR what does this mean? Well, if you don’t carry out any national security or law enforcement processing then your GDPR preparations will stand you in good stead, although you may want to glance at the draft Bill and specifically the section around the Information Commissioner and Enforcement. If you do carry out national security or law enforcement processing, then you have probably already been preparing for the changes under the LED but you will need to familiarise yourself with the Parts of the Act that are relevant to you. Everyone will need to monitor the Governments Brexit negotiations, as once we leave the EU the UK will be a ‘Third Country’ and there may be additional requirements to enable the transfer of data between the EU and member states.
If you need further advice, let us know. We can provide initial free guidance under our Ask the Compliance Expert scheme.
 European Commission, Questions and Answers – Data protection reform packages, 24 May 2017 - http://europa.eu/rapid/press-release_MEMO-17-1441_en.htm