The first draft of the Data Protection Bill (DPB) was released on 13 September 2017, following its second reading in the House of Lords. This bill is designed to bring the UK’s data protection laws in line with the European Union’s (EU) General Data Protection Regulation (GDPR).
Despite the UK government having triggered Article 50 of the Lisbon Treaty, and being in negotiations regarding leaving the EU, the UK will still be classed as a Member State when the GDPR compliance deadline is reached on 25 May 2018.
The DPB is the UK’s answer to the GDPR, evolving the country’s existing data protection laws for the 21st century with the aim of ensuring uninterrupted data flows between the UK and EU after Brexit. The existing data protection laws have become increasingly unwieldy, having been first introduced in 1998 – 10 years before Apple’s first smartphone was released.
The DPB aims to reinforce data protection regulation for new technologies, while allowing people to have more control over their data. This will be no easy task, as – given the definitions used in the DPB – the UK will have more than 60,000,000 data subjects (a person who has data stored about them) and approximately 500,000 data controllers (companies or organisations which store data about data subjects).
“Effective, modern data protection laws with robust safeguards are central to securing the public’s trust and confidence in the use of personal information in the digital economy, the delivery of public services and the fight against crime,” said the information commissioner Elizabeth Denham in a statement issued in September by the Information Commissioner’s Office (ICO).
Specific obligations for data processors
Like the existing data protection laws, the DPB and GDPR differentiate between data controllers and data processors. According to Clause 30(1)(a) of the DPB, a controller “determines the purposes and means of the processing of personal data”, while Clause 30(3) states a processor is “any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller)”.
The DPB also further regulates the relationship between the controller and processor by stipulating the expectations and requirements of both parties.
Chris Pounder, director of information law training firm Amberhawk, says: “Under the current Data Protection Act, the processor has no statutory obligations: they have contractual obligations linked to the controller. One of the major changes is that data processors have specific obligations under the GDPR – if a processor fails to report a data loss to their controller, then the processor can be subject to regulatory action from the commissioner, where that isn’t possible under the current Data Protection Act.”
Optional powers under GDPR
There are several differences between the DPB and the GDPR, due in part to the optional powers that exist in the GDPR. This is to allow countries to adapt the legislation to meet their own cultural backgrounds. “Last January,” according to Pounder, “the minister responsible for GDPR implementation, Lucy Neville-Rolfe, stated that the UK intends to use the maximum flexibility to minimise the impact of the GDPR on data controllers.”
The GDPR was intended to harmonise Europe’s data protection laws. However, the flexibility within it has naturally created variations of how the GDPR is to be implemented in each of the Member States.
One of the core differences between the current draft of the DPB and the GDPR is that the requirement to appoint a representative for controllers that operate within the EU, but are based outside the borders, has been removed from the current version of the DPB.
“This is a provision [in the GDPR], and the [other] 27 Member States are incorporating it,” says Matthew Rice of the Open Rights Group. “For some reason, the Data Protection Bill states any references to data protection representatives should be omitted.”
In the short term, some controllers might view not requiring a representative in the UK as an opportunity to save money. However, this could backfire should a data breach occur, or an investigation be conducted, as they would urgently require lawyers with expertise in UK data protection laws.
Despite a controller’s representative not being a legal requirement of the current draft of the DPB, it is nonetheless advised that companies should at least maintain a representative on retainer, in case a data breach occurs and/or a complaint is issued against the company. In that way, companies will have data protection expertise on call, without the exorbitant legal costs for an emergency service.
One of the optional powers that has not been taken up by the DPB is for independent bodies to be able to issue complaints against organisations. Article 80, Section 2 of the GDPR states: “Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.” (Emphasis not included in original text.)
This will mean that independent oversight bodies will require a named data subject to be represented in the complaint. It is difficult to see how this would fit with UK consumer law, where consumer groups, such as Which?, are able to independently issue complaints against anti-competitive practices.
One problem with independent bodies requiring named complainants would arise if a data breach occurred in an organisation that data subjects may be unwilling to be publicly associated with, such as Alcoholics Anonymous or Samaritans.
“Imagine someone wanting to become a named complainant in the Ashley Madison data breach case for the UK,” says Rice. “They would have to be pretty confident in their public persona to decide to take that on, but that is a data breach that should be investigated.”
Another variance allowed by the GDPR that could potentially be problematic is the variance in the age of children in relation to obtaining consent for “information society services” – a service normally provided for remuneration, at a distance, by means of electronic equipment for the processing and storage of data, and at the individual request of a recipient of a service. The GDPR lists a child as anyone under the age of 16. However, Clause 8(a) of the DPB states that: “references to ‘16 years’ are to be read as references to ‘13 years’.”
This could potentially cause problems for information society services sharing data in different countries, especially in the cases of children aged 13 to 15. These individuals would be considered as children under the GDPR, but as adults under the DPB. Those organisations that are classed as information society services will need to be aware of not only their own country’s data protection laws, but also those they share data with.
It is expected that in a few years’ time, once the GDPR has had time to become established, the European Data Protection Board (EDPB), which is to replace the Article 29 Data Protection Working Party, will review the various data protection laws of the Member States to ensure they are in line with the EU and have not deviated too far from the core text.
Should any country be found to have deviated too far from the GDPR, they could well be taken to court by the EDPB.
Keep working towards compliance once the deadline has passed
The ICO is aware of the complex nature of the GDPR and the DPB, and has said it will hold off on issuing statutory fines for non-compliance. “If people missed [the deadline], and I think a lot of people will miss it, they should just keep on going as quickly as they can,” says Pounder.
That said, if a company is found to be non-compliant with the existing data protection law, it will be liable to being fined. “If there was a transgression, that was a transgression under the current act, I do not think you would be spared,” says Pounder. “If it was a transgression under the new arrangement, then I think there will be some flexibility.”
Once a grace period has passed, companies could find themselves subject to severe penalties for not complying with the DPB. Clause 150(6)(a) states the maximum amounts that companies could be liable to as €10m, or 2% of the undertaking’s total annual worldwide turnover in the preceding year, whichever is higher.
Alongside the regulatory penalties, the DPB and GDPR also legislate the jurisdictional aspects of the data protection. Essentially, the jurisdiction of a data breach will be based on which country the data breach took place in, or – in the cases of complaints – on where the company is established.
“The regulation is very careful to make sure that the definition of ‘establishment’ is based on data protection grounds and not on tax law,” says Pounder. “The definition of establishment is; ‘where most of the decisions are made about the processing’.”
However, given that the DPB, as it currently stands, does not require representatives, this could potentially add further complications to any legal proceedings, should they take place in the UK.
One of the main concerns for companies at the moment is the uncertainty of what will happen when the UK leaves the EU. This is especially so, given the possibility of there not being a deal in place when the UK leaves the EU, which could have huge implications in regard to the data-sharing aspect.
When the UK leaves the EU, it becomes what is known as a “third country”. According to Clause 31(7) of the DPB, this is “a country or territory other than a Member State”. If there is no deal in place, this could have massive repercussions for data sharing, as Clause 71(1) of the DPB states: “A company may not transfer data to a third country.”
For the UK to share data with its European partners, an “adequacy assessment” will be needed. This is not as easy as it sounds, as adequacy assessments normally take more than a year. Likewise, an adequacy assessment endorsement cannot be issued to an existing Member State, as being a member precludes the necessity of having an adequacy assessment in the first place.
Should the UK leave the EU without a deal in place, EU organisations will need to have binding contractual arrangements in place every time they wish to share new information and data with their UK partners. Only once an adequacy assessment was in place could this be dispensed with.
“If there is a hard Brexit with no agreement, we are not going to get an assessment of adequacy,” says Pounder. “Businesses should be well advised not to rely on an adequacy determination, should personal data be transferred from the European Union to the UK.”
The priority for companies based in the UK should be consulting experts in data protection laws and ensuring compliance with the DPB, which in turn will ensure they are in compliance with the GDPR. Companies that operate in several countries should ensure that they are compliant with each country’s data protection laws. Those that process children’s data should especially ensure that they do not run into conflict with the varying age definitions for children.
Having the DPB in place will undoubtedly assist in the UK in gaining an assessment of adequacy from the EDPB, but companies should also have a ‘plan B’ in place, in case no deal is reached. This should incorporate setting up binding contractual rules for every time data-sharing agreements are made.
Although it is not required by the DPB, it is still recommended that organisations operating in the UK should appoint a regional representative. This will ensure organisations remain fully compliant with the complexities of UK data protection laws, as well as well as having access to prompt legal representation when necessary.
Read more about GDPR
- ICO hits out at misinformation about GDPR.
- The GDPR is not only relevant to CISOs and DPOs, but has a big impact on businesses.
- There is no time for businesses to delay in preparing for the GDPR, says UK privacy watchdog.
- GDPR: One year to compliance and opportunity.