Department for Digital, Culture, Media & Sport publishes Data Protection Bill statement of intent
A few days after we wrote about wide-ranging changes to European data protection law coming into force in May 2018, under the EU General Data Protection Regulation (GDPR), the UK government published a statement of intent regarding plans to introduce a UK Data Protection Bill (Bil).
The GDPR will apply directly in all EU member states from 25 May 2018 , before either Brexit is finalised or the Bill is passed. Once the Bill passes into law it will repeal the UK Data Protection Act 1998 and incorporate the GDPR and related UK derogations into UK law.
The Minister of State for Digital, Matt Hancock, writes in the statement that the Bill will "bring our data protection laws up to date" and also "bring EU law into our domestic law". The Bill is intended to reflect the GDPR which itself brings significant changes to the data protection framework across the EU.
The Bill will exercise the available derogations in the GDPR that the UK government has negotiated, including allowing people to ask for their personal data held by companies to be erased, setting the age of consent at 13 years old (the age of consent is set at 16 years old under the GDPR) and allowing organisations to process personal data for scientific, historical, statistical and archiving purposes and be exempt from data subject rights. The Bill will also apply the new data protection standards to all general data, not just areas of EU competence.
The issue of sanctions for data protection breaches will also be addressed in the Bill. The Bill will mirror the GDPR’s level of fines where up to 4% of a business' annual global turnover or €20 million (£17 million), whichever is higher, could be imposed. In contrast the GDPR allows each EU country to determine other criminal sanctions and the Bill is expected to include two new offences of intentionally or recklessly re-identifying individuals from anonymised data, with an unlimited fine, and altering records with intent to prevent disclosure following a subject access request, with an unlimited fine in England and Wales and a maximum fine of £5,000 in Scotland and Northern Ireland.
The Department of Digital, Culture, Media and Sport intends to introduce the draft legislation as soon as possible after the autumn party political conferences.
Jaymini is an associate in the Corporate team.