The New Data Protection Environment: The Legislative Framework
Andrew Charlesworth – Reader in IT Law, University of Bristol
When considering the impact of the General Data Protection Regulation (2016/679/EU), which becomes part of UK law on 25 May 2018, it is important for organisations to understand the new DP regulatory environment that the GDPR both helps to create and integrates with.
The update of the EU data protection regime will mean the repeal of the EU Data Protection Directive (DPD) and, in the UK, repeal of the Data Protection Act 1998 (DPA 1998), which implemented the DPD. The GDPR, as an EU Regulation, automatically becomes part of UK law. It will be supplemented in the UK by a new Data Protection Act 2018 (DPA 2018). This makes provision for the national discretions and exemptions that are permitted under the GDPR, provides for the Information Commissioner’s Office and its powers, and extends the UK data protection regime to certain types of data processing not covered by the GDPR. The GDPR does not, for instance, cover personal data processing activities which fall outside the scope of EU law; which relate to the investigation, detection or prosecution of criminal offences (see below); or which are carried out by natural persons as part of a ‘purely personal or household activity’ (but see Woolley v Akram (2017), in which the use of a home CCTV system was held to fall outside ‘personal or household activity’).
What the GDPR does do is replace the existing DP framework and make a range of significant changes to its scope. These changes include: enhancing transparency requirements; tightening the rules on consent; providing specific rules for consent by minors; expanding the scope of personal data and ‘special category’ (formerly known as ‘sensitive’) data; and introducing data breach notification requirements. There are greater data subject rights, e.g. data portability and the right to be forgotten; increased legal responsibility for data processors; and the mandating of Data Protection Impact Assessments and the designation of an independent Data Protection Officer for some data controllers and processors, including those engaged in regular and systematic monitoring of data subjects, e.g. public area CCTV systems.
Turning to the DPA 2018, this initially appears considerably larger than the DPA 1998, with seven Parts and 18 Schedules. While it does not transpose the GDPR, the Act makes constant reference to it, so to follow the Act’s meaning, any reader not blessed with a photographic memory will need to read the two side by side. Fortunately, for most data controllers, the key elements will be contained in Parts 1-2 and Schedules 1-4. These, in conjunction with the GDPR, comprise the core elements of the new data protection framework, many parts of which map to existing features in the 1998 Act and secondary legislation. Data controllers might, however, also wish to take note of Part 6, the DP enforcement mechanisms, including the ICO’s powers and monetary penalties.
In parallel with the GDPR, the EU has adopted a new Directive (2016/680/EU) on personal data processing for criminal investigations, which replaces a non-binding Framework Decision (2008/977/JHA). This requires Member States to implement its provisions, and the necessary provisions are included in the DPA 2018 (Part 3). The DPA 2018 also regulates personal data processing by the intelligence services (Part 4), which is not provided for in either the GDPR or the new Directive.
The EU Commission had hoped to replace the Privacy and Electronic Communications Directive 2002 (2002/58/EC) (PECD) and its 2009 updating Directive (2009/136/EU) at the same time as the GDPR. However, the proposed ePrivacy Regulation remains to be agreed by the EU institutions, and most commentators do not expect agreement on the proposal until late 2018, with a probable entry into force in late 2019. In the interim, the existing national legislation implementing the 2002 Directive - in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and amendments (PECR) - will remain in force.
When the ePrivacy Regulation emerges, it will cover issues such as website tracking and cookies, machine-to-machine communications (Internet of Things), use of communications metadata, spam, and ‘over-the-top’ communications, e.g. Skype. It will also link more closely with the GDPR than the PECD did with the DPD – its enforcement will fall under national independent supervisory authorities, e.g. the ICO, and the penalties for breach will be similar to those under the GDPR. A key point to note: when addressing processing of personal data in the field of electronic communications, the ePrivacy Regulation will override the GDPR should they conflict.
This means that many UK data controllers will need to be familiar with three pieces of DP legislation: the GDPR, the DPA 2018 and PECR 2003. Depending upon the final form of the proposed ePrivacy Regulation, further national legislation may also be required to fill gaps, or to apply national discretions and exemptions. As the DPA 2018 will allow for the making of further UK regulations by statutory instrument, further changes to DP law may yet be implemented through either primary or secondary legislation.
The passage of the DPA 2018 will provide plenty of work for the editorial team at the government’s online legislation website
In one of the several judgments (No.7) rendered during the Douglas v Hello legal saga of the early 2000s, the Judge referred to the DPA 1998 as being “of notorious obscurity”. Unfortunately, the drafters of the DPA 2018 appear to have viewed this less as a plea for clarity than as a challenge, with an experienced barrister rather charitably describing it as “not immediately straightforward to navigate, … its language is often turgid and bewildering”. In part, this is down to the increasing complexity of the personal data environment since the 1990s. But there is also a sense of a Government trying to do a bit too much – not only to pull together the disparate elements of national and EU DP law, but also to prepare for an impending deadline, and not necessarily that of 25 May 2018, but perhaps also that of 29 March 2019.
Woolley v Akram 2017 S.L.T. (Sh Ct) 17.
Robin Hopkins, The Data Protection Bill: a brief overview, Thomson Reuters (2017).
The Privacy and Electronic Communications (EC Directive) Regulations 2003 and amendments.
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
UK Data Protection Bill.
Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), Brussels, 10.1.2017, COM(2017) 10 final.
Investigatory Powers Act 2016.
The Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018.