The Data Protection Bill had its first reading in the House of Lords on 13 September. In its early form, the Bill appears somewhat confused – not surprising, considering the awkwardly shaped gap the Bill must fill.
Understanding the Bill, why it exists, and why the draft is a somewhat challenging read requires some context. Namely, one has to understand both EU and UK data protection regimes and their relationship.
A potted history of data protection in the EU and UK
Data protection in the EU and the UK is widely considered the ‘gold standard’ of data protection regimes. It has a long history but let us rewind to October 1995 and the adoption of the EU Data Protection Directive (95/46/EC) or DPD.
The DPD arose from concerns regarding the varying levels of data protection between Member States and provided the legal framework to regulate the processing of personal data in the EU. Being a Directive, the DPD was not directly effective in each national legal order. Rather, it required each Member State to pass its own national legislation to comply with the terms of the DPD before October 1998. While each Member State is accorded some latitude in complying with directives, ideally national legal orders must reflect the principles, remedies, and scope of implemented directives. The UK passed the Data Protection Act 1998 to comply with this new EU data protection regime. The 1998 Act transposed (somewhat) the Directive’s requirements into the UK legal order, although some lack of harmonisation remained.
Until recently, this is how data protection worked in the UK - the DPD and the 1998 Act being the two controlling pieces of law.
Adopted in April 2016, the EU General Data Protection Regulation (GDPR) now dominates data protection in the EU. Understandably, the new UK Data Protection Bill makes extensive reference to its provisions. However, the Bill’s relationship with the GDPR differs markedly from the 1998 Act-DPD relationship. As a regulation, the GDPR is directly effective in the EU Member States - it does not require a national law to implement its provisions. From the date it comes into force, the GDPR is directly applicable in the UK.
As a regulation, the GDPR reaches into the UK legal order, dominating the field of data protection. More than this, Case 39/72 Commission v Italy tells us that EU regulations preclude even simple duplication of their contents into national law. Consequently, the new Bill cannot legislate for areas that the GDPR covers, or not without facing the European Court of Justice.
What does the Data Protection Bill legislate for?
The new Data Protection Bill is not meant to mirror the GDPR. On the contrary, the Bill is a composite instrument, designed only to legislate where the UK legally can. Given this, while the EU (via the GDPR) has competence to regulate areas such as general data processing, the UK has competence to regulate data processing insofar as this processing relates to areas specified in the GDPR as subject to Member State law, such as health and social care exceptions. The UK also has competence to regulate areas that fall outside the GDPR such as national security. Moreover, while the EU has competence to legislate for law enforcement data processing, this has been implemented in the form of a Directive, namely the Law Enforcement Directive.
The new Bill is therefore designed to fit around the GDPR competence, implementing GDPR principles while not treading on the toes of EU supremacy. Indeed, one finds evidence of this in the very first section of the Bill. Section 1(2) tells us that ‘Most processing of personal data is subject to the GDPR’. Moreover, Section 1(3)-(4) makes clear that the Bill only legislates where the GDPR does not apply. Like a legislative game of tag, the Bill seeks to implement GDPR standards but never get caught in the GDPR’s area of competence. The Bill is therefore a composite piece of legislation which includes those areas related to data protection but which are not in the domain of the GDPR.
An already complex task has been further complicated by Brexit. The GDPR will be directly applicable from May 2018. Brexit negotiations must be concluded by April 2019. Given the time lag, it is likely the UK will be obligated as a Member State to be GDPR compliant before Brexit takes effect. During this period, the GDPR will be directly applicable and so a part of the UK legal order. When Brexit occurs, as per the government’s plans, the GDPR will be incorporated into the UK’s domestic law using the European Union (Withdrawal) Bill. There are two points to note here.
Firstly, for as long as the UK is a Member State, the Regulation is a part of the UK legal order, yet not a part that the UK Parliament may change (unilaterally at least). After Brexit, the GDPR will be incorporated into UK law and the UK Parliament will have the power to change its domestic version of the GDPR as it sees fit. Consequently, the GDPR is a part of the UK legal order in two very different ways at two very different times.
Secondly, because this Bill spans the pre- and post-Brexit periods, the Bill must serve two masters - making for incredibly clumsy drafting. For example, Section 20(1) states that the ‘GDPR applies to the processing of personal data to which this Chapter applies but as if its Articles were part of an Act extending to England and Wales, Scotland and Northern Ireland’ [my emphasis]. The wording ‘as if’ is legally dubious. This kind of wording is worryingly common in the operative parts of the Bill, the legislation separating the GDPR proper and the applied GDPR - the Bill seeking to modify only the latter. In short, legislation that deals with EU regulations and is meant to operate both pre-Brexit and post-Brexit requires contortionist-like drafting.
Transposition into UK law
The above analysis assumes that HM Government transposes the GDPR without substantive change into UK law upon Brexit - but this is far from a given. The European (Withdrawal) Bill does not commit the government to simply transposing the entire corpus of EU law to the UK legal order. On the contrary, modifications - sometimes without Parliamentary oversight - are provided for and perhaps likely. Given this, the pre-Brexit version of the GDPR the Bill legislates around has the potential to be very different from the GDPR found post-Brexit. The Bill cannot guarantee much if the law it references heavily is left unsecured.
Impact upon health and medical research data
The Bill provides some important clarifications about the possible exemptions that might be available when processing special categories of personal data which, pursuant to Section 9 of the GDPR, must be done in accordance with ‘Union or Member State law’. For the most part, this includes retaining provisions that are currently in the DPA and relevant Regulations made under section 30 of that Act. We will explore the impact of these proposals in future blogs.
A taste of the future?
What the new Bill means for data protection more generally is difficult to gauge. It is clearly not the unified law that can define the UK’s data protection regime, nor does it provide certainty for most personal data and processing - it is characterised more by what is left out. However, the Bill could well be a harbinger of Brexit legislation yet to come: awkward, conflicted, and unwieldy.