New data protection legislation
No doubt your e-mail inbox has recently sprouted numerous messages from organisations telling you they take your privacy seriously and so are "refreshing" consent or revamping their privacy policies. The cause is the General Data Protection Regulation (GDPR), which is the new, directly applicable law across Europe to protect personal information. It has triggered a change in the law of the United Kingdom, supplemented by the enactment of the Data Protection Act 2018 (DPA 2018).
What is the relationship between the GDPR and the DPA 2018? What has actually changed?
The answer to the first question is that the GDPR and the DPA 2018 sit side-by-side, with the DPA 2018 supplementing the GDPR in areas where each EU member state has flexibility – chiefly the exceptions or exemptions from GDPR requirements (see Part 2, Chapter 2, and Schedules 1-3) – and expanding the powers of the ICO (Part 5).
But the DPA 2018 does more than just this – hence its length. It covers areas that are not covered by the GDPR. Firstly, it deals with the processing of personal data by certain authorities for law enforcement purposes by bringing the Police and Criminal Justice Directive (Law Enforcement Directive or LED) into UK law (Part 3). Secondly, it applies a modified form of the GDPR to processing that is outside both the LED and the GDPR (Part 2, Chapter 3). Thirdly, it tries to ensure that the UK would be able to exchange data freely with the EU after Brexit (see the adequacy issue below) (Part 3, Chapter 5).
Very many of the obligations under the DPA 1998 remain the same or are slightly enhanced. What has changed materially is the regulatory reach of the ICO, with greatly increased potential fines and a mandatory breach notification requirement. This has meant that organisations that were not much concerned about the DPA 1998 are now keen to comply with data protection obligations. However, there are five features of the new DPA/GDPR arrangement which materially differ from its predecessor:
1. Increased consent requirement – This is one of the key GDPR headlines: "Previous Consent Not Good Enough! You Need Consent for Everything!" Much of the hype is mythology. However, it is correct that the definition of consent has changed and that it is more stringent. Consent is defined in Article 4(11) of the GDPR and it should be given "by a statement or by a clear affirmative action" showing a "freely given, specific, informed and unambiguous indication" that data subjects agree to the processing of their personal data. Some consent obtained under the DPA 1998 will meet this standard. But some will not – particularly if it was gained by individuals omitting to do something (like unticking a box).
The biggest change around consent is, however, not about obtaining it. It is about withdrawal of consent. The GDPR requires that consent can be withdrawn at any time. It must be as easy to withdraw as to give consent. This gives individuals real choice and requires organisations to have proper withdrawal procedures and to stop processing individuals' personal information if consent is withdrawn. It also means that organisations must move away from getting consent if they are not actually going to stop processing personal data when consent is withdrawn. For public authorities, this will require a significant change in mindset, as they shift the lawful basis of processing away from consent and to the new "public task" basis.
2. The right to erasure ('right to be forgotten') – Article 17 of the GDPR establishes that the individuals whose personal information is being processed ("data subjects") have a right to have their personal information erased under certain circumstances. This is not an absolute right. It does not apply if, for example, data processing is necessary to exercise the right of information and expression, to comply with a legal obligation, or for public interest and security reasons.
The DPA 2018 sets out a number of exemptions to this right. However, the right to be forgotten does give individuals a new avenue to seek to control their personal information, particularly where it has been uploaded to social media in a more innocent time, when the repercussions of posting drunken photos or purple prose were less well understood. The media interest in the right to be forgotten has brought attention to this data protection right, so organisations will need to put in place processes to deal with requests to be forgotten.
3. Children's data – One of the key concerns of the GDPR is to enhance the protection of children's data. The key change is that organisations will need to obtain parental consent, but only when they are providing "information society services" direct to children – i.e. when they are providing an electronic service online for remuneration, which can be a paid service by the user or paid for by adverts directed at the user. For example, signing up to and posting personal data on social media; providing personal data to make an online purchase; making in-app or in-game purchases. The default definition of a "child" in the GDPR is anyone under the age of 16.
However, all member states were given a choice about how to define "a child". The DPA 2018 lowers the default age so that a child is anyone under the age of 13. On this point, the Government seems to have listened to concerns from children's charities, who encourage respecting the agency of young people and who considered the prospect of 14 and 15-year-olds needing parental consent for much of their online activity as a backwards step.
Protections for young people should come from the systems themselves being designed securely, rather than from reliance on parental consent. The big change for online operators will be setting up parental consent systems when they are needed, and having a way of showing that they operate properly to verify age.
4. Right to data portability – This is a significant new right, which has not thus far received much press coverage, but which has surreptitiously been changing individuals' ability to access their personal information.
Data portability gives individuals a right to obtain from organisations an electronic copy of their personal information, in "a structured, commonly used and machine-readable format", when the organisations have obtained that personal information on the basis of consent or because of a contractual relationship with the individual. This is an enhanced right of access to electronic information, and is the reason that Facebook and Google now have an easy way for individuals to download all their personal data from those organisations.
The right to data portability also empowers individuals to require organisations to "port over" to other organisations the personal information the individual has given them, making it much easier for people to switch providers. In its report, the House of Lords Committee on AI has welcomed this new right as a way of promoting competition and preventing the creation of data monopolies, and it may drive innovation.
5. Automated decision-making and profiling – Acknowledging the increasing relevance that AI and machine learning, as well as the capabilities of big data analytics, have in today's society, the GDPR addresses the risks related to automated decision-making, including profiling.
Individuals have the right proactively to be informed about (and to object to) "the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the [individual]".
This has its challenges. For example, it remains unclear what constitutes a "meaningful explanation", as automated decision-making processes are often unable to provide much insight into how they came to the decision. The incentive for developing XAI, or explainable AI, is clear.
There is also a regulatory spat brewing about automated decision-making, with the EU Data Protection Board, the main EU body responsible for producing guidance on the GDPR, currently consulting on guidance that states that certain types of automated decision-making are prohibited unless the individual consents or the decision is required by a contractual relationship.
The adequacy issue
What happens after Brexit? Digital minister Matt Hancock has said on several occasions that the UK will replace the DPA 1998 with legislation that mirrors the GDPR. The DPA 2018 begins to do this, as it works alongside the "applied GDPR". This is essentially shorthand for the GDPR as it will be brought into the law of the UK through the European Union (Withdrawal) Bill. The DPA 2018 does not make sense unless it is read alongside the GDPR.
Although the GDPR will become part of the law of the UK, Brexit is creating a lot of uncertainty around the UK's status when personal information is transferred internationally – i.e. when it flows to the UK from EU and other EEA states, and vice versa. At the moment, this happens easily and without any need for enhanced protections for the personal information, because the UK is an EEA member state. When Brexit happens, the UK may become a "third country", which will mean anyone in the EEA who wants to transfer personal information to the UK will need to provide adequate safeguards for the transfer, or identify a "derogation" on which they can rely.
As a result, the UK has been trying to negotiate an "adequacy" determination from the European Commission, so that organisations in EEA member states are able to presume that the personal information transferred to the UK is adequately protected and will not need to take any further steps.
The problem is twofold:
- If the UK government decides to depart from the existing UK-EU model, by amending the DPA 2018, or by including within it some derogations that do not fit well with that model (like a wholesale exemption for immigration data), or by expanding the powers of the police and intelligence services to use personal data, it may not get an adequacy finding from the EC.
- Even if it gets an adequacy finding from the EC, the UK will still be regarded as a third country, which means that, for example, it will not have a seat on the European Data Protection Board. In addition, adequacy decisions can take many years.
The DPA 2018 is not an easy piece of legislation to navigate and unpick, and it has to be read next to the GDPR to be understood. Although many of the obligations under the DPA 1998 remain, there are some important areas of change and some that are still in flux. If you need advice about the DPA 2018 and what it means for you, the Cornerstone Data Protection Team can help.
If you have any questions about what our barristers can do please contact firstname.lastname@example.org