UK: Statement of Intent on GDPR Bill

The UK Government yesterday published a Statement of Intent providing further insight into the UK’s new Data Protection Bill (“Bill“). The Bill was originally announced in the Queen’s Speech in June.

The Statement emphasises the commitment of the UK Government to implement the GDPR into UK law, to ensure the UK digital economy is underpinned by privacy laws that are at the forefront of global standards, and facilitate an uninterrupted flow of data between the UK and EU post-Brexit. The Statement separately sets out the Government’s commitment to adopting the Data Protection Law Enforcement Directive into UK law. It also confirms, following a recent consultation exercise, how the Government intends to approach those areas of the GDPR where the member states are permitted to apply local law permutations.

The specific areas to be addressed include:

  • Consent for processing the personal data of children – under the GDPR, the default position is that the provision of information society (internet) services requires consent from a child’s parent or guardian if the service involves processing of personal data for a child under the age of 16. The Statement explains that the UK intends to follow the lead of the Irish data protection regulator and reduce this to 13 years – the lowest age of consent permitted by the GDPR.
  • Processing criminal conviction and offence data – the GDPR prohibits processing of this data unless specifically authorised by Member State law. The Statement clarifies that the UK intends to include provisions within the Bill that will allow organisations to process criminal records data, provided other controls are adopted consistent with the requirements for processing as special categories of personal data. This is an important derogation for businesses who need to ask for and assess this information to manage risk for lawful reasons – e.g. employers who rely on criminal records checks to protect vulnerable individuals, or insurers who rely on offence data to facilitate the underwriting of driving insurance.
  • Research Organisation Exemptions – the Statement clarifies that the UK intends to create a range of derogations from the statutory rights available to individuals under the GDPR where compliance with the rights would seriously impede the ability to conduct effective research, provided in each case that appropriate organisational safeguards are put in place to keep data secure.

The Statement also reiterates messages within the Conservative Party’s manifesto to require social media platforms to delete, on request, information held about individuals which they posted before the age of 18. This expansion of the right to be forgotten is a reflection of the concern both the Government and the public have with the large volumes of data held by social media organisations.

In summary, the Statement of Intent is helpful in further articulating the UK Government’s commitment to the adoption of the GDPR in the Queen’s Speech and earlier white paper on Brexit. It also gives a good sense of direction as to where the UK policy team are likely to develop their thinking in the Bill, following the DCMS’ recent consultation with industry. However it lacks detail on the actual drafting we might expect to see in the derogations to support effective interpretation of the UK’s position on key areas at this stage. For that, we will need to wait for the draft Bill.