Digital Business Lawyer

The UK Government publishes its draft Data Protection Bill 2017

The UK Government introduced the new Data Protection Bill (the ‘Bill’) into the House of Lords on 13 September 2017, following the publication of a statement of intent in August. The Bill looks to update the UK’s data protection laws and will implement and supplement key parts of the EU General Data Protection Regulation (the ‘GDPR’) within UK law, while also explaining in what ways the UK will derogate from the GDPR. The Bill will repeal the UK’s Data Protection Act 1998 (the ‘Act’) at the time it is enacted, which will likely be prior to the UK leaving the EU.

“The Bill reflects that the eight data protection principles in the Act are largely carried over to the GDPR, which also provides a new ‘accountability’ principle that the data controller will be responsible for, and be able to demonstrate, compliance with the principles,” said Rohan Massey, Partner at Ropes & Gray. “However, the Bill provides a complete data protection system, governing not only general data covered by GDPR, but all other general data, law enforcement data and national security data.”

The Bill has what Philip James, Partner at Sheridans, calls a “mongrel side” to it, since it is effectively implementing a Regulation - the GDPR - which, following the outcome of the UK’s referendum on membership of the EU in June 2016, it was possible that the UK would decide not to mirror in UK legislation. “The Bill’s mongrel-like character is evidenced in material sections of the Bill which seek to amend, on a piecemeal basis, certain provisions of GDPR,” explains James. “The good news, given the similarities to the original Act, is that the Bill has sought to maintain the derogations under the existing Act; whilst at the same time, enhancing these still further, for instance for the purposes of insurance or anti-doping in sport. Nevertheless, having reviewed some of the derogations, the Government does not seem to have been as progressive in the development of new derogations or improving upon the pre-existing ones.”

The Bill contains seven parts. Among these, chapter two of part two proposes lowering to 13 the age of consent for children using information society services without parental consent also being required, while parts five and six cover the role of the Information Commissioner’s Office (‘ICO’) and enforcement matters.

Significantly for businesses, Section 162 of the Bill introduces a new criminal offence, that of intentionally or recklessly processing data, which is aimed at regulating situations where de-identified personal data could be pieced together by an organisation and re-identified. The new provision is, according to the Explanatory Notes to the Bill, designed to protect anonymised online patient/medical data from being re-identified; however, some commentators have suggested that as drafted, this provision could catch sectors other than those intended by the Government, for example organisations engaged in ad-targeting. “Although there is some comfort from the fact that the offence requires knowing or reckless intent, much will depend on what is meant by personal data that has been ‘de-identified’ and how the available defences for crime prevention or detection or use in the public interest are interpreted and applied,” said Liz Fitzsimons, Partner at Eversheds Sutherland. “Doubtless many in the digital arena and those working in research will have real concerns about the effect of this section.”

“It should also be borne in mind that if a company does not carry out the de-identification of that data, if it comes into possession of such data, it may too be liable under this provision,” adds James. “Companies will therefore need to consider how they handle this in their commercial partnership and licence agreements. There is a defence, amongst others, if the processor responsible for the re-identification had the data subject’s consent or, ‘would have had such consent if the data subject had known about the re-identification and the circumstances of it.’ This latter defence is particularly interesting but would appear to be very difficult to prove. It’d be interesting to explore how this latter defence may be applied, and if it may be of genuine use to organisations going forward.”

Another source of criticism of the Bill is that it is necessary to read it alongside GDPR, but there is not yet a consolidated version of the Bill which takes into account the Bill’s changes to GDPR. Adding to this complexity is the fact that GDPR has direct effect in EU Member States from 25 May 2018, while the Bill is likely to be enacted before the UK leaves the EU, and so both pieces of legislation will for a time be operating together. “The Bill is very much a case of the UK getting its house in order so that a decision on the UK’s adequacy status can be prised out of the European Commission during the UK’s transition out of the EU,” said Massey. “One of the key issues is whether the Bill goes far enough to allow the UK to obtain an adequacy decision from the EU post-Brexit, which is clearly the intention of the UK Government. A failure to agree a mechanism for international data flows post-Brexit will have material adverse impact on UK businesses.”

The Bill has now begun its journey through Parliament, having had its first reading in the House of Lords on 13 September, with its next reading scheduled for 10 October 2017. “The derogations and exceptions are likely to be subject to extreme scrutiny by business to ensure insofar as possible a workable approach to compliance around GDPR and they will lobby for what they see as business friendly changes,” believes Fitzsimons. “They will also be keen to try to secure insofar as possible changes to ensure compliance with this legislation is as customer friendly as possible, with minimal impact to customer journeys.”
