The Data Protection Bill is currently making its way through Parliament and, when enacted, will introduce legislation that aligns the UK with the EU Data Protection Regulation (GDPR). Regardless of the final Brexit arrangement, there will be similar requirements and punitive measures for non-compliance in an attempt to ensure that the data flows between the UK and EU remain unhindered. With just ten days to go to D-day, we asked Stewart Dresner, of data protection experts Privacy Laws & Business, for an update.
The Data Protection Bill is now at a critical and almost final stage, having gone through a Third Reading in the House of Commons on 9th May. All that is left is for the Commons and the Lords to agree on the points on which they have disagreed until now.
For example, the Government has proposed that the age of 13 is set as the age of consent to use online services. At least seven other Member States, including Spain, Ireland and Denmark, have also proposed a 13 years age limit.
Another amendment to be agreed would allow the Information Commissioner to consider “distress” when assessing the “damage suffered by data subjects” and the resulting penalty.
The Bill allows for proceedings to be brought against a director, or a person acting in a similar position, as well as the body corporate, where it has been proven that breaches of the Act have occurred with the consent, connivance or negligence of that person. Directors’ liability also extends to nuisance calls.
The Opposition wants to include a provision stating that privacy is a fundamental right. Labour argues that this provision is important for the UK’s future ‘adequacy’ application.
They also want the Bill amended to allow for collective action to be initiated by consumer groups without there being a complaint by a named individual. This type of ‘super complainant’ (such as Which? The Consumers’ Association) would help individuals by bringing representative actions and creating a stronger enforcement framework. The Government remains of the view that ‘the opt-in model is the right one and sufficient to allow not-for-profit bodies to represent individuals at the current time’. However, this amendment would allow for a review to be concluded in 2.5 years’ time and powers to implement the outcome of that review.
Stewart Dresner, Chief Executive, Privacy Laws & Business www.privacylaws.com
UPDATE 24th May 2018
UK Data Protection Act receives Royal Assent and enters into force on 25th May 2018.