New Data Protection Bill was read in the House of Lords on 13 September 2017
The Data Protection Bill, which will replace the Data Protection Act 1998, had its first reading in the House of Lords on 13 September 2017.The Data Protection Bill is intended to ensure that UK and EU data protection regimes are aligned post-Brexit. The aim is to demonstrate that the UK is an adequate jurisdiction for EU data and so achieve uninterrupted data flows once the UK has left the EU
The Bill will evolve into the Data Protection Act 2018.
How will the UK’s data protection regime work from 2018 onwards? Below are a few observations on how it will work.
First of all, once the UK leaves the EU, the GDPR will no longer be directly applicable in the UK. Crucially, however, a post-Brexit UK will need to have in place a data protection regime that mirrors the GDPR; otherwise, the transferring of personal data between the UK and the EU will be extremely problematic. The Bill therefore strives to make UK data protection law stand on its own two feet while tracking the GDPR.
Secondly, the GDPR is of course a Regulation, meaning that it will be directly applicable across the EU, without the need for any domestic implementing legislation. However, the GDPR leaves plenty of gaps for member states to fill in. For example, it is up to member states to particularise the grounds on which ‘special category’ personal data (formerly known as ‘sensitive personal data’ in UK law) can be processed. Exemptions from the rights and obligations conferred in Articles 12-22 of the GDPR (subject access, the right to be forgotten or to have personal data rectified, and so on) are also matters for member states. That is one of the main functions of the Bill: it fills in the gaps in the GDPR.
Thirdly, one of the Bill’s functions is to extend the GDPR into areas of data processing where it would not otherwise reach. For example, the GDPR does not apply to law enforcement or intelligence services activity, but the UK has voluntarily imposed a GDPR-like regime in those areas: see Parts 3 (law enforcement) and 4 (intelligence services) of the Bill. The same goes for other, less prominent areas of data processing, such as public authorities who hold unstructured manual files: see Chapter 3 within Part 2 of the Bill.