GDPR and Data Protection Act 2018 (Key differences)
While the Data Protection Act 2018 essentially translates the data processing standards set by the GDPR, the GDPR makes no mention of regulations surrounding data processing by law enforcement or intelligence services. Instead, the DPA 2018 implements the Law Enforcement Directive (EU) 2016/680 into UK law. The Law Enforcement Directive means that personal data can be processed by competent authorities, defined as any public authority that is competent for the prevention, investigation, identification or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Although the GDPR does not refer to data processing for law enforcement, it could be argued that it is extremely dangerous to allow law enforcement data processing to be based solely on the provisions set out by the Law Enforcement Directive. Thus, the Law Enforcement Directive as implemented in the DPA 2018 interacts with the principles set out in the GDPR for greater safeguarding of personal data, including for other purposes within law enforcement agencies such as internal personnel management and human resources management.
Processing of personal data in connection with national security by the relevant security agencies (the Secret Intelligence Service and the Government Communications Headquarters) is not within the scope of the GDPR or the Law Enforcement Directive; it does, however, comply with the standards of the modernised Convention 108, so that data processing by intelligence services is in line with future international standards. In addition, under the DPA 2018, intelligence services’ data processing is exempted from the standards set by the GDPR, as was the case under the DPA 1998. Instead, it complies with standards established in domestic law such as the Investigatory Powers Act 2016, which provides for agency-specific warrants that are relevant to how the agencies hold and use personal data. The Investigatory Powers Act 2016 also creates a series of offences for the misuse of data within an agency.
Data processing for the purpose of serving public interests is where the Data Protection Act 2018 varies from the guidelines set by the GDPR. For example, processing of special categories of personal data, such as data relating to race, political opinions and health, is prohibited unless explicit consent is obtained. Under special circumstances, the GDPR allows domestic law to determine the processing of special categories of data. This would involve data regarding criminal convictions, the pricing of risk in financial services and the operation of anti-doping programmes in sport. Thus, the DPA 2018 can be seen as a continuation of former provisions in the DPA 1998 which allowed for the processing of special categories of data. This is aimed at allowing organisations to continue to process data lawfully where doing so serves ‘substantial public interests’.
Further provisions have been carried over from the Data Protection Act 1998 which fall short of the standards set in the GDPR, such as limiting individual rights where there are ongoing investigations into an individual’s conduct and it could be of benefit to limit those rights. For example, section 29(1) of the 1998 Act enabled Her Majesty’s Revenue and Customs (“HMRC”) to withhold certain personal data, on a case-by-case basis, from an individual customer who submitted a subject access request if providing that personal data would be likely to prejudice specified crime and taxation purposes. It also meant that HMRC was not obliged to send a privacy notice to an individual when obtaining personal data from a third party if doing so would tip them off about an ongoing investigation into their tax affairs. The 2018 Act makes equivalent provision. Another way in which the DPA 2018 differs from the GDPR is that it further elaborates on, and adds extra provisions to, principles outlined in the GDPR. For example, on storage, the GDPR states that personal data can be processed for the purpose of archiving in the public interest, or stored for historical research and/or statistical research purposes. The DPA 2018 adds the provision that research organisations and archiving services do not have to respond to subject access requests where this would seriously impair or prevent them from fulfilling their purposes, thus exempting them from complying with the standards of individuals’ rights as set out in the GDPR.
The Data Protection Act 2018 further allocates power to the Secretary of State to make further exemptions in the future as may seem appropriate in dealing with unforeseeable circumstances. This may involve restricting individual rights as outlined in the GDPR in order to protect public interests.
Data Protection Act 1998 and Data Protection Act 2018
There is continuity between the Data Protection Act 1998 and the Data Protection Act 2018, as the Data Protection Act 2018 is essentially a revision of the Data Protection Act 1998 to ensure it complies with the standards set by the GDPR. However, important revisions have been made. For example, the GDPR specifies that persons giving consent to the processing of personal data need to have a certain level of understanding of what they are being asked, so parents or guardians must give permission for the processing of personal data on behalf of young children using information society services. While the DPA 1998 did not set a minimum age at which a child can consent to such data processing, the GDPR allows the UK to set a minimum age, and the DPA 2018 sets it at 13 for such data processing.
Continuity between the Data Protection Act 1998 and the Data Protection Act 2018 can also be seen in automated data processing. This is a type of processing in which there is no human intervention, as is the case when data is collected about an individual’s finances and then processed using an algorithm to decide creditworthiness. The GDPR requires additional safeguards to ensure that individuals have the right not to be subject to a decision based solely on automated processing. Section 12(2) of the DPA 1998 provides that the requirement for safeguards as stated by the GDPR is adhered to.
ICO and Data Protection Act 2018
The Information Commissioner oversees the enforcement of the Data Protection Act 2018. Powers given to the Commissioner include the ability to investigate and sanction data protection breaches and, over recent years (post-2008), to issue a civil monetary penalty notice of up to £500,000 for more serious breaches. The GDPR adopts a zero tolerance policy regarding more serious breaches, as it has given the Commissioner the power to impose fines of £17 million or 4% of turnover in the most serious cases. However, the Commissioner does not have free rein: a notice of intent must first be issued before a fine, to allow for the opportunity to appeal the proposed fine or the amount specified in the notice. The DPA 2018 also reintroduces many of the criminal offences in the DPA 1998, altered to comply with the standards set in the GDPR. It also introduces a small number of new offences to deal with emerging threats. For example, section 171 criminalises the deliberate re-identification of individuals whose personal data is contained in anonymised data.
ePrivacy and Data Protection 2018
The introduction of the Data Protection Act 2018 strengthens ePrivacy by giving individuals increased control over their data. This is done through the principles of data processing mentioned above; the principle of accountability, for instance, was evident in the Senate hearing of Mark Zuckerberg of Facebook, where a controller was held accountable for the selling of data which led to the influencing of elections, violating nearly all the principles of data collection. The individual will also be able to exercise control over ePrivacy through individual rights: the right to be informed, the right of access, the right of rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling. While the strengthening of individual rights strengthens ePrivacy, the Data Protection Act 2018 falls short elsewhere. The failure of the GDPR to include provisions regarding law enforcement and intelligence services means that government agencies are ultimately exempt from the standards set out in the GDPR, suggesting that ePrivacy remains weak in that the government can impede upon it in the ‘public interests’.
Data Protection Act 2018 summary
The Data Protection Act 2018 is the result of a series of events (Facebook selling off data, the Yahoo data breach) that led the European Union to rethink its data processing laws in the form of the GDPR, resulting in the introduction of the Data Protection Act, which modernised UK data processing laws. Ultimately, the Data Protection Act 2018 is a revised version of the Data Protection Act 1998, adding provisions to give the individual greater control over personal data (individuals’ rights) while also ensuring the Commissioner has greater powers to hold the controller accountable by increasing his or her power to impose fines for more serious breaches. The Data Protection Act also modernises the legal framework for data processing in the form of the modernised Convention 108, which ensures that data processing standards are in line with international standards, which would be vital for trade post-Brexit.