The Department of Digital, Culture, Media and Sport (DCMS) confirmed that it intends to introduce the draft legislation as soon as it can once the summer parliamentary recess concludes, information law blog Hawktalk reported. Parliament is due to return from the summer break on 5 September before breaking up again on 14 September for the autumn party political conferences.
The government committed to introducing a new Data Protection Bill in the Queen's Speech in June. The Bill will update the UK's existing Data Protection Act to account for the EU's General Data Protection Regulation (GDPR), as well as a sister directive on data protection in a law enforcement context.
While the GDPR will apply unilaterally across the EU from 25 May 2018, it requires each EU country to set its own rules on some data protection issues outlined in the Regulation and further provides for the option to do so in other cases. Earlier this year, the government issued a call for views on what flexibilities within the GDPR it should take advantage of. No indication of the government's policy intentions was contained in the consultation paper. The new Data Protection Bill could therefore contain a wide range of provisions.
UK-specific data protection rules are possible in relation to some aspects of personal data processing, including in the employment context. In addition, the government could use the Bill to limit the rights people will have to restrict, object to or access data about them, and obtain corrections to inaccurate information, where that data is being processed for scientific or historical research purposes or statistical purposes.
The new Bill could also set out specific conditions whereby 'special categories' of personal data processed in the UK can be transferred to so-called 'third' countries for important public interest reasons. Special categories of personal data include data about a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and also encompass genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Other provisions of the Bill could set out the circumstances in which organisations operating in the UK would be expected to appoint a dedicated data protection officer (DPO). DPOs must perform specific tasks under the GDPR.
The Bill will also address the issue of sanctions for data protection breaches under the new regime.
Under the GDPR, stiff financial penalties are envisaged for businesses that breach the Regulation. In certain cases, fines of up to 4% of a business' annual global turnover, or €20 million, whichever is higher, could be imposed.
However, the Regulation leaves it up to each EU country to determine "whether and to what extent" fines can be imposed on public sector organisations in their jurisdiction.
In addition, EU countries are obliged to set out their own rules on what other penalties, beyond fines, can be imposed on organisations that breach the Regulation. The Regulation requires that the penalties are "effective, proportionate and dissuasive".
In Germany, a new Federal Data Protection Act (FDPA) has been passed into law to fit with the GDPR. The main provisions of the FDPA are due to take effect from 25 May 2018, the same date that the GDPR will apply from.