Privacy & Information Security Law Blog

On August 7, 2017, the UK Government’s Department for Culture, Media and Sport published a Statement of Intent setting out the planned reforms to be included in the forthcoming Data Protection Bill, which we previously reported is expected to be laid before the UK Parliament in early September.

The EU General Data Protection Regulation (“GDPR”) is set to become law in the UK on May 25, 2018, without the need for national implementing law. With the UK set to leave the EU in March 2019, however, the Statement of Intent clarifies that the GDPR will be transposed into domestic law to prepare for the UK’s post-Brexit relationship with the EU. The Statement of Intent also sets out the proposed derogations from the GDPR which the UK wishes to implement into UK law, such as:

• reducing the age at which a child can consent to data processing from 16 to 13 years of age;
• extending the right to process personal data relating to criminal convictions and offences to enable organizations other than those vested with official authority to process it (taking a similar approach to that for the special categories of personal data);
• creating an exemption from an individual’s right to object to automated decision making where suitable measures are in place to safeguard individuals’ rights; and
• exempting processing for scientific or historical research organizations, organizations gathering statistics or organizations performing archiving functions in the public interest where compliance would seriously impair their ability to carry out their work.

The Statement of Intent also makes clear the UK Government is “committed to ensuring the uninterrupted data flows” between the UK, the EU and other countries around the world, which will be welcomed by businesses, both UK and international. In a positive move regarding securing the adequacy decision that would preserve uninterrupted data flows, the Statement of Intent also commits the Data Protection Bill to establishing a suitable data protection framework for the processing of personal data for national security.

The Data Protection Bill also will implement the EU’s Data Protection Law Enforcement Directive, which must be implemented in EU Member States by May 6, 2018.