Data Protection legislation is radically overhauled

Published 12 July 2018

Data protection law in the UK has been radically overhauled in recent months and further reforms are on the horizon. The EU's General Data Protection Regulation (GDPR) came into force in all Member States on 25 May 2018 and the majority of the provisions in the UK's Data Protection Act 2018 came into force on the same date. Following behind this is the EU's e-Privacy Regulation, which is now expected to be approved in late 2018 and implemented in 2019.

The aim of the GDPR is to align the data privacy laws across all EU Member States and protect EU citizens' personal data regardless of where that data is processed (i.e. within the EU or beyond). Businesses that collect, record, use or disclose data relating to an identified or identifiable natural person are now required to comply with the GDPR standards on data processing, record keeping, risk management and data breach reporting, or face fines of up to the higher of €20m or 4% of annual global turnover.   

Alongside the GDPR, the UK has enacted the Data Protection Act 2018. This Act replaces the Data Protection Act 1998 with a new, comprehensive data protection framework designed for the digital age. It implements the GDPR standards side by side with UK legislation covering law enforcement data and national security data (areas where the EU does not have competency), and permitted exemptions to the GDPR. It aims to ensure modern data use can continue whilst strengthening the control and protection individuals have over their data. 

The new Data Protection Act is a lengthy piece of legislation, running to 339 pages. The key provisions in the Act include:

  • Implementing the GDPR standards into UK law across all general data processing.

  • Tailored exemptions from the GDPR for certain organisations operating in journalism, research, financial services and legal services.

  • Setting the age when children can give consent for the online processing of their personal data at 13. 

  • Giving citizens more control over their data including the right for those aged 18 years or older to have their data deleted if there are no legitimate grounds for retaining it.

  • Providing a bespoke regime for the processing of personal data by the police, law enforcement and criminal justice agencies.

  • Providing appropriate safeguards to enable the intelligence agencies to manage security threats.

  • Providing additional powers for the Information Commissioner to regulate and enforce data protection laws including the ability to levy fines up to the higher of €20m or 4% of an organisation's global annual turnover for the most serious breaches.

  • The preservation of offences in the 1998 Act and the introduction of new offences of (i) intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data and (ii) altering records with the intent to prevent disclosure.

Now that the GDPR and Data Protection Act 2018 are in force, horizon watchers will have their eyes on the incoming e-Privacy Regulation. Proposed by the European Commission in January 2017 as part of its "digital single market strategy", this regulation will replace the Privacy and Electronic Communications Directive 2002 ("ePrivacy Directive") and will bring in higher privacy standards for electronic communications. Electronic communications service providers will need to comply with strict rules covering the processing and storage of content and metadata, direct e-marketing communications and the use of cookies.

The new Regulation was intended to come in on 25 May 2018 to coincide with the GDPR, but it proved too ambitious to finalise the Regulation in time. At this stage, the e-Privacy Regulation is scheduled to be approved in late 2018/early 2019 and implemented sometime in 2019 but the date remains unfixed. It is unclear whether the UK will have left the EU by the implementation date but the UK has said it will maintain EU data protection standards after Brexit.

The e-Privacy Regulation will have the same territorial scope as the GDPR and will carry the same penalties for non-compliance.

Authors

Hans Allnutt

London - Minster Court

+44 (0) 20 7894 6925

Joseph Fitzgerald

London - Minster Court

+44 (0) 20 7894 6875
