As data protection practitioners begin to digest the new Data Protection Bill (the "Bill"), published today, an immediate area for concern is the interplay between the Data Protection Bill, once passed, and the directly applicable General Data Protection Regulation ("GDPR") itself, during the period of overlap between May 2018 and the eventual passing of the Great Repeal Bill which is timetabled to come into force some time before March 2019. This represents a period during which both domestic data protection legislation and European legislation will be effective in the UK and although the Bill seeks to implement the GDPR, it also includes exemptions and derogations which are intended to make the GDPR provisions work better in the UK.
Here's a list of the key derogations in the Bill published by the Department of Digital, Culture Media & Sport:
- Consent for data processing. The Bill allows the processing of sensitive and criminal conviction data in the absence of consent where justification exists, including:
- to allow employers to fulfil obligations of employment law;
- to allow scientific research;
- to prevent unlawful acts and fraud;
- to support insurance processing;
- to support democracy and political representation;
- and to maintain the integrity of professional sports.
- Consent for data processing. The Bill includes exemptions for processing personal data for literacy, journalistic or academic purposes, largely reflecting the current system. The overarching aim of this is to strike the right balance between freedom of expression of the media and the right to privacy for individuals.
- Data rights. Scientific and historical research organisations are exempted from certain obligations which would impair their ability to carry out their core functions.
- Data rights. The Bill also limits rights where they could otherwise be abused to commit crime, disrupt legal proceedings, undermine safeguarding by public authorities, or disrupt the investigatory activity of regulators.
While the GDPR specifically gives national authorities the option to derogate in various instances, this will inevitably create discrepancies and tensions, as it did historically in relation to the Data Protection Act 1998's derogations from the EU Data Protection Directive. While in the long term, these tensions may be resolved during Brexit negotiations, we do not know how these issues will be dealt with in the interim, or indeed if there will be any legacy European involvement in the oversight of domestic data protection legislation post-divorce.
We will provide further updates on the interplay between the Bill and the GDPR throughout the passage of the Bill through Parliament and after both regimes come into force.