Last week the UK Government finally introduced their much anticipated Data Protection Bill [pdf], which is required to deal with certain aspects of the General Data Protection Regulation. I have spent some time since then reading through the Bill and this blog post is intended as an initial introduction to the new Bill.
The first thing to note is that the Bill is not an easy read, and much of the commentary and discussion so far has centred on how difficult a Bill it is to read. This may well create some difficulties for practitioners going forward, and may also cause difficulties for data subjects who are trying to understand what their data protection rights are.
There are a few things of note which clarify a number of matters. The GDPR requires public bodies to appoint a Data Protection Officer, but the GDPR does not stipulate what is and what is not a public body; this was left up to member states to deal with. The proposed answer comes in Clause 6 of the Bill which gives it the same meaning as public authority in the Freedom of Information Act 2000 and Scottish public authority in the Freedom of Information (Scotland) Act 2002. So, a public authority for the purposes of FOI is also a public authority for the purpose of the GDPR. The definition does not include those bodies who are subject only to the Environmental Information Regulations 2004 or the Environmental Information (Scotland) Regulations 2004.
It should be noted that it is proposed that the Secretary of State will have the power to provide, in regulations, that a public body, as defined by Clause 6, is not in fact a public body for the purposes of the GDPR. It is also proposed that the Secretary of State shall have the power to provide that a body that is not a public body, as defined by Clause 6, is in fact a public body for the purposes of the GDPR. There has been no indication as yet that the Secretary of State intends to make any Regulations under these powers, and so for the time being it would be prudent to work on the basis that every person and organisation who is subject to the provisions of either the UK or Scottish FOI Acts is a public body for the purposes of the GDPR.
Although the Scottish Ministers cannot directly decide that a person or body ought to be (or ought not to be) a public body for the purposes of the GDPR, the exercising of their powers under Sections 4 and 5 of the Freedom of Information (Scotland) Act 2002 can result in persons or bodies becoming, or ceasing to be, public bodies for the purpose of the GDPR. This effect is something to consider when the Scottish Government is seeking to extend the coverage of the Freedom of Information (Scotland) Act 2002; the obvious example is housing associations in Scotland. The Scottish Government is currently considering whether they ought to be Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002 or not. If they lay Regulations to make housing associations a Scottish public authority this will have the effect of making housing associations a public body for the purposes of the GDPR as well. Of course, the Secretary of State would have the power to then make Regulations which would have the effect of not making housing associations in Scotland a public authority for GDPR purposes.
This may well have an effect on how quickly an order under Section 5 of the Freedom of Information (Scotland) Act 2002 can come into force. The data controller would become a public authority for the purposes of the GDPR immediately upon the coming into force of the “Section 5 Order”; if they do not already have a Data Protection Officer appointed then they will need to recruit and appoint someone in advance of the Section 5 Order entering into force.
The definition of who is a public body also has implications beyond the need to appoint a Data Protection Officer. Public bodies are not allowed to rely upon the “legitimate interests” condition for processing personal data in the performance of the public body’s tasks.
In relation to consent, the GDPR allows member states to set an age between 13 and 16 for the purposes of when a child can give consent for the processing of their personal data by ‘information society services’ (e.g. Twitter, Facebook, Snapchat); Clause 8 of the Data Protection Bill proposes setting this at 13 in the UK. It should be stressed that this only applies to consent provided to information society services and not to consent more generally. A child who is younger than 13 may be capable of providing consent more generally under the GDPR (and indeed, the presumption in Scotland will continue to be that a child of 12 can provide consent).
The GDPR allows data controllers to charge fees, in limited circumstances, when dealing with subject access requests. Clause 11 of the Data Protection Bill provides that the Secretary of State may “by regulations specify limits on the fees that a controller may charge”. The inclusion of this power within the Bill suggests that it is the Government’s intention to place a cap on what can be charged by data controllers in those circumstances where a fee can be charged. The general right to charge a fee in order to process a subject access request, that is in place under the current Data Protection Act, will go. A more detailed blog on the topic of subject access requests under the GDPR shall follow.
The Monetary Penalty Notice is to remain (although it will now just be a penalty notice) and this is the way in which the Information Commissioner will be able to exercise her powers under the GDPR to issue administrative fines. The procedure adopted under the current monetary penalty regime is retained with the requirement for the Commissioner to issue a “notice of intent” in advance of serving a penalty. It will also continue to be a requirement that the penalty notice be issued within 6 months of the notice of intent (see Schedule 16 of the Data Protection Bill). The Commissioner will be able to issue a penalty notice to a data controller who has failed to comply with an enforcement notice.
These are just a few of the notable points from the new Data Protection Bill and there is plenty more to write about, but that will come in future blog posts. The Bill has only just been introduced to the House of Lords and still has to go through the full process of scrutiny in both the House of Lords and the House of Commons; therefore, it is entirely possible that the Bill’s 194 clauses and 18 schedules will be amended during the passage of the Bill through Parliament. The Bill is due to have its Second Reading in the House of Lords, at which the House of Lords will agree (or not) to the general principles of the Bill, on 10th October 2017.
If you would like advice on the General Data Protection Regulation or on the new Data Protection Bill then contact our Alistair Sloan on 0345 450 0123 or by completing the form on the contact page of this blog. Alternatively, you can send him an E-mail directly.