The Data Protection Bill (218-page / 852KB PDF) is primarily designed to complement the EU's General Data Protection Regulation (GDPR), which will have direct application in the UK from 25 May 2018, and to implement another EU directive on the processing of personal data by law enforcement agencies.
"This is a complex piece of legislation that is best read with a copy of the GDPR and the Directive alongside – it may prove a challenge for all but the most dedicated reader," said data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com. "The Bill is likely to be heavily scrutinised in parliament and by external stakeholders and interests."
The GDPR sets out conditions for processing personal data and provides for a number of rights for data subjects, including in relation to the accessing, rectification and erasure of personal data held about them. It also introduces a raft of new obligations for businesses, including around the notification of data breaches, documentation of processing, and the conducting of data protection impact assessments, and sets out rules on data security and restrictions around the transfer of personal data overseas, among other things.
The new UK Bill builds on the provisions in the GDPR. Special rules regarding the processing of personal data by the media and researchers, for example, are to be maintained under the new regime, while the Bill also seeks to exempt other organisations, including insurers and anti-doping agencies in sport, from some of the general rules relating to personal data processing contained under the EU Regulation.
The GDPR sets out new powers that allow data protection authorities to conduct mandatory data protection audits of businesses. The scope for the UK's Information Commissioner's Office (ICO) to exercise those powers is provided for in the new Data Protection Bill within the context of new 'assessment notice' provisions.
The ICO would be able to serve assessment notices on businesses that would give the ICO the right to enter business premises, access documents, equipment and other material, observe personal data processing and interview staff.
One of the main changes under the GDPR is a stiffer penalties regime, under which fines of up to 4% of a company's annual global turnover or €20 million, whichever is higher, can be imposed for certain breaches of the new laws.
Under the new Data Protection Bill, UK government ministers would have the power to introduce new regulations to stipulate "how an undertaking's turnover is to be determined" for the purposes of determining what level of penalty they should face for non-compliance.
According to the Bill, data subjects in the UK will have further scope to claim compensation from businesses that breach the new laws.
At the moment, individuals have qualified rights to compensation when they suffer damage as a result of a breach of data protection laws. Damage can come in the form of financial loss or distress. Under the proposed new regime, however, data subjects would also have a right to claim compensation for "other adverse effects" they suffer from a breach.
A number of new data protection offences are also outlined in the Bill, including knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, procuring such disclosure, or retaining the data obtained without consent. Selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed would also be an offence.
Taking steps, knowingly or recklessly, to re-identify information that has been "de-identified" could also result in a criminal conviction, although one of the defences that could be raised is where that action can be justified in the public interest.
In Germany, a new Federal Data Protection Act (FDPA) has been passed into law to fit with the GDPR. The main provisions of the FDPA are due to take effect from 25 May 2018, the same date that the GDPR will apply from.