Government outlines new data protection law

The Government has announced a ‘statement of intent’ for a data protection bill. The proposals for the most part incorporate into UK law the EU’s General Data Protection Regulation (“GDPR”).

The GDPR will become law in May 2018 in any event, but putting it into UK law allows the government to fill in various gaps, and ensures the law will remain the same after Brexit.

The Bill will also bring into force the EU’s Data Protection Law Enforcement Directive which deals with the handling of personal data in a policing and criminal justice context. The Bill itself is expected in September.

Changes include a broadening of the definition of ‘personal data’, confirming that things like IP addresses and DNA do indeed count as personal data.

Companies and individuals who process personal data will no longer have to register with the Information Commissioner’s Office (“ICO”) and pay a fee. Also, it will no longer be possible to charge the £10 fee when someone makes a subject access request – companies should update their policies accordingly.

For children, the minimum age at which they are able to give consent to access online services using their personal data will be 13. The GDPR specifies 16 but allows countries to lower the age. An age of 13 accords with the policies of the main social media platforms. There will also be a requirement for social media companies to remove material posted by children if they request it on turning 18.

This is an extension to the so-called ‘right to be forgotten’. Adults will also be able to ask for data to be removed by those that hold it if it is no longer necessary, if they withdraw consent, if the organisation holding the data has no legitimate interest in doing so, or if there has been a breach of data protection laws. However, organisations can refuse to remove the data where they are exercising the right to freedom of expression or hold the data for other public interest reasons, such as for public health or research purposes.

The maximum fine the ICO can levy for the most serious breaches will be raised from £500,000 to £17m or 4% of global turnover – this replicates the GDPR which refers to €20m. Organisations will be required to notify the ICO within 72 hours if they have a data breach which puts people’s rights and freedoms at risk. There will also be new criminal offences: de-anonymising anonymised data, and altering records to prevent their disclosure via a subject access request. The existing offence of unlawfully obtaining personal data will be widened to include unlawfully retaining data which was initially obtained lawfully.

Those planning to process data in a way which presents a high risk will be required to undertake a data protection impact assessment before doing so. This is good practice in any event, but will now be enshrined in law.

Importantly for the media, the government confirms it intends to keep the exemption for journalism, art and literature – currently section 32 Data Protection Act 1998 – broadly as it is.

This is important where it is vital to use particular data in a journalistic endeavour, but it is not possible to get consent, where other reasons for processing the data don’t apply and/or where the data is ‘sensitive personal data’ such as data relating to health, or people’s sex lives. It must be remembered, however, that the exemption does not apply to all data protection rules, and only applies where publication is envisaged, would be in the public interest, and it is not possible to comply with the rules whilst still producing the piece of journalism. If in doubt, seek legal advice.

The government also says it will ‘amend provisions relating to the ICO’s enforcement powers to strengthen the ICO’s ability to enforce the re-enacted section 32 exemptions effectively.’ We will have to wait for the Bill to see exactly what is meant by this, but this may refer to the regime whereby any court action is stayed until the ICO decides whether or not personal data are being processed for the purposes of journalism, art or literature. zoom-in will report on this when more is known.