Chapter 1: Introduction
1.The Data Protection Bill was introduced in the House of Lords on 13 September 2017. It received its second reading on 10 October and is expected to begin its committee stage on 30 October.
2.The Bill repeals and replaces the Data Protection Act 1998 (the 1998 Act). It creates a new, comprehensive regime of data protection designed to safeguard the personal data of individuals. A key aim is to meet the need for enhanced data protection in the digital age. To this end the Bill responds to recent and ongoing changes in European Union and Council of Europe data protection law.
3.UK data protection law already closely dovetails with European law. The 1998 Act implemented the European Data Protection Directive.1 This will be replaced by the General Data Protection Regulation (GDPR)2 which comes into force on 25 May 2018. The Bill will operate alongside, and be supplemented by, the GDPR until that time. The GDPR is a major overhaul of data protection law in the EU and the UK Government is keen to reform domestic law to maintain compatibility with European standards. The Government’s intention is that the GDPR will be incorporated into law in the UK as the UK withdraws from the EU, becoming part of “retained EU law” as a consequence of clause 3 of the European Union (Withdrawal) Bill. To this end the Data Protection Bill implements the exemption and derogation powers in the GDPR.
4.The Bill also gives effect to the Law Enforcement Directive,3 another EU measure designed specifically to deal with matters of law enforcement and obligations on public authorities engaged in the administration of justice.4 In addition, the Council of Europe is preparing to update the Convention for the Protection of Individuals with Regard to the Processing of Personal Data (Convention 108);5 the Bill seeks to reflect the terms of this updated convention. The close attention paid to the GDPR, the Law Enforcement Directive and the Council of Europe Convention suggests that the Government is keen for data protection law in the UK to continue to mirror European laws after Brexit in order to maintain the flow of data across borders.
5.The Bill also goes further than the various European instruments. The GDPR for example, although fairly comprehensive, is restricted to those areas in which the EU has competence. The Bill seeks to apply similar data processing rules to all areas of personal data processing, including areas not covered by the GDPR. In particular, it goes beyond the European area of regulation in creating a distinct national security regime and by creating new criminal offences.
6.We draw attention to the interlocking relationship between the powers in this Bill and current EU law, which after Brexit will become “retained EU law” under the European Union (Withdrawal) Bill. Bills such as this will need careful scrutiny to ensure, so far as possible, that their provisions will continue to function post-Brexit without needing significant amendment.
1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281 (23 November 1995)
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (General Data Protection Regulation), OJ L 119/1 (4 May 2016)
3 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, OJ L 119/89 (4 May 2016). This instrument replaced the 2008 Framework Decision for the police and criminal justice sector, which was transposed into UK law via part 4 of the Criminal Justice and Data Protection (Protocol No 36) Regulations 2014 (SI 2014/3141).
4 Extensive parliamentary scrutiny of both the GDPR and the Law Enforcement Directive has already taken place: ‘Data Protection Bill [HL] (HL Bill 66 of 2017–19)’, House of Lords Library Briefing LLN-2017–0065, 5 October 2017, pp 3–4. The proposals for the Bill were also subject to consultation by the Government: Department for Digital, Culture, Media and Sport, ‘General Data Protection Regulation: Call for Views’, updated 7 August 2017: https://www.gov.uk/government/consultations/general-data-protection-regulation-call-for-views [accessed 25 October 2017]
5 Council of Europe (CoE) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108), opened for signature in 1981 and signed by the UK on 14 May 1981.