
Commercial technology · Data protection & privacy · 21 September 2017 · Gemma Lockyer

The future of data protection law and enforcement in light of Brexit


In the summer, the government expressed its thoughts about the UK’s future data protection law. Nicola Fulford and Gemma Lockyer look at the derogations from the GDPR.

On 23 June 2016, the United Kingdom voted to leave the European Union and whilst that leaves us in a period of uncertainty in many respects, we have received some guidance as to where the UK’s data protection law and strategy is going. On 7 August 2017 the Department for Digital, Culture, Media and Sport published their statement of intent for the planned reforms that will form the new Data Protection Bill (Statement of Intent). The Data Protection Bill will bring the EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) into our domestic law as the government seeks to ensure that the UK maintains high standards of data protection, even after leaving the EU.

The GDPR will apply from 25 May 2018 and much has been written on the new rights of individuals and the new obligations on data controllers and processors that this will bring. The GDPR allows Member States to implement certain derogations at national level and the Statement of Intent sets out the UK government’s intentions in this regard. We have discussed the key derogations set out in the Statement of Intent below and also the views of the ICO on their international strategy looking ahead to 2021.

Key derogations

Giving consent to process data and protecting children online: In order for controllers to rely on consent when processing personal data, the person giving consent needs to have a certain level of understanding of what they are consenting to. Article 8 of the GDPR introduces specific protections for children by limiting their ability to consent to data processing without parental authorisation and requires that reasonable efforts be expended to verify that a parent or guardian has given the appropriate consent. The GDPR sets the minimum age for consent at 16 but also allows member states to set a lower age, provided this is no lower than 13, at which a child can consent in their own name to data processing. In the United States, the age of consent is set at 13 by the Children’s Online Privacy Protection Act and the Federal Trade Commission’s subsequent COPPA Rule and so, with varying standards between EU member states, as well as the difference between EU standards and the United States, there will be challenges for companies offering international services.

The safety of children online is one of the government’s current priorities. The government intends to establish a Digital Charter that has the aim of making online environments safer for children and young people. Despite this, the UK has decided to set the age limit at the lower end and allow a child aged 13 years or older to consent to the processing of their personal data. Carrying out age verification checks at the age of 18 is more straightforward, with the possibility of credit checks, checking driving records and the electoral register. However, it is not possible to carry out checks of this nature on young children and so websites will need to find a new way to work with users to verify age. Whilst setting an age limit which is consistent with the United States may ease some tensions for international service providers, it is likely to prove difficult for data controllers to demonstrate they have the necessary consents from someone of an approved age.

Processing criminal conviction and offence data: Information relating to criminal convictions and offences is highly sensitive and the GDPR permits only bodies vested with official authority to process personal data of this nature. Currently, under English law, organisations are able to process personal data on criminal convictions and offences in certain specified circumstances; the examples given in the Statement of Intent include when carrying out employment checks and underwriting driving insurance policies. Employers are currently entitled to seek and be provided with varying levels of information on a prospective employee’s criminal record. The Data Protection Bill will preserve this right for organisations not vested with official authority to process personal data of this nature. There is a public policy reason for allowing employers to continue to process data of this nature to ensure that vulnerable members of society are not put at risk and the wrong people are not placed in positions of power that are at risk of abuse.

Automated individual decision-making: The GDPR introduces a new right for an individual not to be the subject of an automated decision, including profiling, which has a legal or other significant effect on the individual. This right does not apply when the automated decision is necessary for entering into or performing a contract with the data subject; authorised by Member State law if the law lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or is based on the explicit consent of the data subject.

The Data Protection Bill will legislate for an exemption to the right to ensure that processing by automated means is possible where there are legitimate grounds. The examples given in the Statement of Intent are the automatic refusal of an online credit application or e-recruiting practices that do not involve any human intervention, on the basis that these business processes would become impossibly burdensome if businesses are unable to rely on computer processing powers and each decision has to be reviewed by a human. However, we know that machine learning tools do not always get it right. If the data set that informs the learning contains unconscious bias then the machine is likely to generate biased answers (e.g. assuming that female CVs are more suitable for nursing roles because Google image results for “nurse” show predominantly females). This derogation has the potential to seriously undermine a data subject’s right under the GDPR not to be subjected to a decision based solely on automated processing. Communicating how human intervention has been involved will be important to ensure that there are safeguards in place where a decision might have been reached which is fundamentally wrong, but allowing a computer to carry out the “first pass” could be an effective use of resources.

Freedom of expression in the media: Section 32 of the Data Protection Act 1998 provides an exemption for organisations from complying with the data protection principles (except the seventh data protection principle – the requirement to keep personal data secure) where the personal data are processed for special purposes. This includes if the processing is undertaken with a view to publication, that publication is in the public interest and compliance with the principles is incompatible with the special purpose. Through this exemption, the legislation has sought to reconcile data protection law and freedom of expression. It is intended that the exemption in section 32 will be broadly replicated in the Data Protection Bill although the enforcement powers of the ICO to enforce the exemption are expected to be strengthened.

Research: The GDPR requires organisations to comply with certain rights belonging to data subjects, including the right for data to be rectified without delay, the right to restrict further processing, right of access and the right to erasure. The GDPR also allows the UK to legislate to allow scientific or historical research organisations, organisations that gather statistics or organisations performing archiving functions in the public interest to be exempted from these obligations. The intention is to allow for research organisations and archiving services not to have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Provided that appropriate organisational safeguards are in place to keep the data secure, research organisations will also not have to comply with an individual’s rights to rectify, restrict further processing and object to processing where this would seriously impede their ability to complete their work. The examples given in the Statement of Intent to justify the exemption include the necessity to archive inaccurate data so that it is possible to audit a decision-making process that led to an unfavourable outcome or where statistical data may be compromised if an individual’s personal data is later removed from the statistical pool.

The ICO’s international strategy

The Rt Hon Matt Hancock MP stated in the ministerial foreword to the Statement of Intent that under the Data Protection Bill “enforcement will be enhanced, and the Information Commissioner given the right powers to ensure consumers are appropriately safeguarded”. In the Information Commissioner’s Office’s International Strategy for 2017 – 2021, four challenges are highlighted which the ICO will face in the changing digital global environment.

1. To operate as an effective and influential data protection authority at European level while the UK remains a member of the EU and when the UK has left the EU, or during any transitional period: The ICO intends to maintain its relationship with its EU partners, including the European Data Protection Board and the Article 29 Working Party because, as well as overseeing enforcement of the GDPR, the European Data Protection Board will also issue guidance, making it influential in setting the direction for data protection and privacy standards. The ICO will advise the UK government on the data protection implications of leaving the EU and will seek to maintain a strong working relationship with individual EU Data Protection Authorities to ensure that UK organisations are able to continue to transfer data internationally to facilitate business growth.

2. Maximising the ICO’s relevance and delivery against its objectives in an increasingly globalised world with rapid growth of online technologies: The ICO intends to continue to engage with leading international privacy networks and explore relationships with networks that the ICO has not engaged with previously. The ICO intends to share information and knowledge with other independent bodies responsible for enforcing and promoting freedom of information laws. This will allow the UK to take international best practices, choose the tools which are most applicable to UK interests and apply them, so that the UK is taking the best from the widest pool of experiences.

3. Ensuring that UK data protection law and practice is a benchmark for high global standards: The ICO wants to ensure that the UK retains a high standard of data protection law to provide effective safeguards for the public. The ICO intends to collaborate with the international community to support work to turn the GDPR’s accountability principles into a robust but flexible global solution. Continuing to take part in the international conversation around data protection will allow the ICO to maintain its status internationally as a leading player in the data protection landscape.

4. Addressing the uncertainty of the legal protections for international data flows to and from the EU, and beyond, including adequacy: International data transfers are an important part of the digital economy. The ICO will seek to ensure that there are effective safeguards for these data transfers in the uncertainty that flows from Brexit. The ICO has stated that it intends to explore a “global data protection gateway” which will allow the UK to interoperate with different legal systems that protect international flows of personal data and will support work to develop new mechanisms to enable international transfers, such as codes of conduct and certification under the GDPR.

Impact of Brexit and conclusions

There are questions around the process under which UK organisations will be able to transfer data internationally (both to the EU and elsewhere) and so including a requirement for organisations to revisit and put in place any necessary mechanisms to facilitate the transfer of data in contracts which will continue following Brexit should be considered best practice. UK companies who operate in Europe will also have to consider their lead supervisory authority following Brexit.

The ICO’s strategy suggests that it will continue to take a tough stance on data protection in the coming years. It is clear that the ICO wants to ensure that the UK has a strong reputation for protecting the rights and freedoms of data subjects, potentially with a view to obtaining a European Commission finding of adequacy, which will cover international data transfers post Brexit. However, we may find there are some tensions with the UK government as the proposed derogations appear to unpick some of the protections offered by GDPR (e.g. the lower age of consent by children to processing and the increased opportunities to use automated decision-making). It will also be interesting to see how the proposed Data Protection Bill and European Union (Withdrawal) Bill will interact, especially given the time taken to get this far with the Statement of Intent and the looming 2018 and 2019 deadlines.

This article was first published in PL&B UK Report, September 2017, www.privacylaws.com.

 


Gemma Lockyer is a commercial technology senior associate.
