The British government published its statement of intent earlier this month regarding the country's upcoming revision to its data protection law, claiming it would set a global "gold standard" for such legislation.
The Data Protection Bill is largely intended to ensure that the U.K.'s legal regime is in step with the EU's General Data Protection Regulation, which will come into effect in May 2018. Brexit will only take place the following year, so the GDPR will apply in the U.K. for a period of time. And even after that, the U.K. will need to show that its data protection laws offer equivalent protections as those in the EU, if the free flow of data between the two is to continue unabated.
But is the new U.K. Data Protection Act going to be a straight cut-and-paste of the EU regime? "I don’t think that’s right at all," said Jonathan Armstrong of London-based Cordery Compliance.
A large amount of what's described in the statement of intent — a far shallower document than the bill itself will be when published — will indeed seem very familiar to GDPR observers. Fines will max out at 4 percent of global annual turnover or £17 million (a bit less than the EU's €20 million at current exchange rates), people will be able to order the deletion of their old personal data, default opt-out checkboxes for data collection will be banned, and data portability is supported. The age of data-collection consent is set, as permitted by the GDPR, at 13.
However, the bill will go further than the GDPR in creating new criminal offenses for "intentionally or recklessly re-identifying individuals from anonymized or pseudonymized data," knowingly handling or processing such data, and "altering records with intent to prevent disclosure following a subject access request."
For the re-identified data offenses, there is no cap on the potential fines. The same goes for the alteration offense — which has a precedent in the U.K.'s current freedom-of-information law — in England and Wales, though in Scotland and Northern Ireland this offense would incur a "Level 5" fine of £5,000.
"The U.K. has always been slightly different than the [EU Data Protection Directive] in criminalizing certain aspects of bad data practice," Armstrong explained. "We have under the existing legislation these offences of unlawfully obtaining data, and they are relatively well used."
Particularly regarding the record-alteration offence, Armstrong said it will be interesting to see what the bill's actual wording says.
"The issue is that it seems what you may have to do is freeze data if a subject access request is made, a little bit like the litigation-hold process in the U.S.," he said. "But where it's different, I think, is let's say I make a subject access request to a large multinational. How do you tell everybody in the business not to destroy my data without identifying me as the person who's made the request? Identifying me to the organization is also processing my data."
Armstrong suggested companies should concentrate not on the potential for unlimited fines — after all, the authorities don't have a track record for levying high fines under existing legislation — but on the criminal aspect of these new rules. This might potentially make it difficult to do future business with public authorities, he noted.
"The fact these offences are criminalized will make businesses have to pay attention," Armstrong said, adding that the subject-access-request offence "might involve system changes for some businesses, and there isn't a lot of time left, because you've got the rest of your GDPR project to do, and business as usual to do."
For now, businesses don't know what the bill's final wording will be, nor precisely when it's coming. The culture department, which is handling the legislation, has only said it will be presented before Parliament after the summer recess.
One aspect of the bill that requires close tracking is that of consent. In its statement announcing the notice of intent, the government said the bill will "require 'explicit' consent to be necessary for processing sensitive personal data." The GDPR, of course, provides several other legal bases for the processing of sensitive personal data, such as the public nature of the data, or obligations under employment law.
Is the U.K. law going to be much stricter in this regard than the GDPR? Armstrong reckons the phrasing was "probably just a slip." And indeed, The Privacy Advisor understands the upcoming bill will allow other legal bases for the processing of sensitive data.
There's one other big outstanding question, too: will the U.K.'s new data protection law ensure adequacy in the eyes of EU regulators, or will the country — which after Brexit will no longer be able to demand a blind eye for its national security arrangements — find itself in similar hot water to the U.S.?
"The difficulty remains that the UK is viewed as saying that it respects privacy and sometimes doing differently," said Armstrong. "Particularly the Investigatory Powers legislation causes some issues there … There are some in the European Parliament, particularly, who might want to see more evidence of this gold standard, rather than just a statement that it is so."