Racing against time with the implementation of GDPR, UK authorities have completed the formalities in introducing the new version of Data Protection legislation effective from 25th May 2018 co-terminus with the applicability of EU GDPR. This will continue even after BREXIT.
UK-DPA 2018 should be considered as an extension of GDPR and entities to whom UK DPA 2018 is applicable may have to read both the DPA 2018 and GDPR side by side.
The office of ICO provides further information about the Act. (Refer here).
The DPA 2018 copy as released on 23rd may 2018 contains 215 articles divided into 7 parts and 20 Schedules.
While Data Protection Legislation advise Companies to make their consents “Simple” and expressed in easily intelligible language, UK’s DPA is as complicated as any legislation can be and alien to the principle of simplicity. It will take some time for the industry to fully digest the provisions and be confident of compliance.
As we have often highlighted, laws that are simple are more likely to be complied with and a complex law will have a lower level of voluntary compliance requiring rigid penalties and enforcement.
India is in the process of completing its Data Protection Act and I wish that Indian legislators donot make the law as huge and as complicated as the UK DPA and opt for a more simpler legislation which can be equally effective.
Law makers need to remember that laws are made not to show how knowledgeable the law maker is, but to ensure that the citizen understands it for compliance.
However we shall continue to try demystifying the UK DPA 2018 over a time.
The PDF version of the Act as made available is a 353 page document that requires a detailed study.
Some of the salient features for immediate consumption is given below:
Under Article 207, this act is applicable to
a) processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom
b) It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—
(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
(b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
(c) the processing activities are related to—
(i) the offering of goods or services to data subjects in the United
Kingdom, whether or not for payment, or
(ii) the monitoring of data subjects’ behaviour in the United
The Act is about “Processing of Personal Data” and Personal data is defined as ” any information relating to an identified or identifiable living individual”. The Act does not say whether it is the Personal data of a UK citizen or a citizen of other countries.
Jurisdiction of Courts
The Jurisdiction conferred on a Court under UK_DPA 2018 is excercisable in England and Wales, Northern Ireland and Scotland.
This effectively recognizes the limitations of the law making body which derives its powers from the sovereign Government that it represents. The EU GDPR ignored this limitation and arrogated itself the responsibility for protecting global citizens as if it is a global legislative body.
However as a humble servant of the EU which the majority of UK voters voted to exit, the legislators have vowed to legitimize GDPR within this legislation. Considering the details to which this legislation went, there was no need for making it a subordinate legislation to the GDPR but it appears that the UK legislators were under some thing like a “Stockholm Syndrome” and could not break themselves from expressing their past loyalties to EU by importing GDPR into its own legislation. UK seems to have lost its mental independence to stand up as an independent sovereign country and feels obliged to follow its EU masters.
Part 2 of the Act is devoted to supplement GDPR
Chapter 2 of this part applies to the types of processing of personal data to which GDPR applies by virtue of Article 2 of GDPR. Further the Act confirms that Chapter 2 has to be read with the GDPR.
Chapter 3 of Part 2 has some provisions which is defined as “Applied GDPR”.
Article 21 states
This Chapter applies to the automated or structured processing of personal
data in the course of—
(a) an activity which is outside the scope of European Union law, or
(b) an activity which falls within the scope of Article 2(2)(b) of the GDPR (Coming under Treaties of EU),
The term “Outside the scope of European law” is a loose statement that is amenable to mis interpretation.
The Applicability of UK DPA 2018 cannot extend beyond the jurisdiction of Courts as defined under Article 180 and all other narrations represent legislative imperfections.
Penalties as specified in EU GDPR Article 83 are applicable under UK DPA 2018 also.
More Codes to follow
The ICO has to develop certain code of practice such as data sharing code, Direct Marketing Code, age appropriate designing code, Data Protection and Journalism Code etc., These codes need to be approved by the British Parliament and hence the industry needs to await for the codes which will be important from compliance point of view.
UK DPA 2018 mandates the designation of a DPO by all organizations other than a Court or a Judicial authority. (Article 69)
Principles and Rights
UK DPA 2018 re-states the Principles of Privacy and Data Subject’s Rights as in GDPR.
Cross Border Transfer of Data
Cross border transfer of data is subject to requirements similar to EU which includes “Adequacy Decision” (Article 74) or Safeguards (article 75). Adequacy is as decided by the EU and Safeguard includes a legal instrument that binds the recipient of the data for protection of personal data. Additionally special circumstances such as where the vital interests of the data subject, legitimate interests of the data subject (not the data controller… Ed: Could be a drafting error), public security, law enforcement and legal requirements.
Responsibilities of Controller and Processor
The Act re-states the responsibilities of the Controller and Processor as in GDPR.
UK DPA 2018 defines the following offences related to personal data
a) Unlawful obtaining of personal data, selling personal data
b) Re-identification or de-identified personal data
c) Alteration to prevent disclosure
The person who commits the offence is liable for summary conviction to a fine. Prosecution may be instituted only by the Commissioner or with the consent of the Director of Public prosecutions.
The directors of a company maybe liable for offences committed by a body corporate if there is negligence on their part.
These are some preliminary observations and more discussions may follow in due course.