Out-Law Analysis | 13 Apr 2017 | 3:20 pm | 6 min. read
While the General Data Protection Regulation (GDPR) will apply uniformly across the EU, it allows each EU country to set its own rules on some data protection issues outlined in the Regulation.
The government has previously confirmed that the GDPR will come into effect in the UK on 25 May 2018, as in other EU countries, despite the UK being in the process of leaving the EU, and has now invited stakeholders to comment on the derogations it is free to make (14-page / 393KB PDF) under the Regulation. It has not revealed its own thinking on the issues identified in the consultation paper, but instead invited views to be submitted up until 10 May.
The UK's digital minister Matt Hancock had promised to consult stakeholders on whether to "apply flexibilities" in the GDPR earlier this year.
We look at some of the areas in which UK-specific data protection rules could be applied that the government is consulting on.
Processing of personal data
As is the case under existing EU data protection laws, the processing of personal data under the GDPR must be fair and lawful. The primary conditions by which processing would be considered lawful are set out under article 6 of the Regulation.
One of the conditions where personal data processing is lawful, according to the Regulation, is where the processing is "necessary for compliance with a legal obligation to which the controller is subject".
Another condition is where the processing is "necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller".
The Regulation gives each EU country freedom to "maintain or introduce more specific provisions" in relation to those two conditions of lawful processing.
The derogations allow the UK and other EU member states to set rules that would qualify the rights of people to restrict the processing of their data, and compel data processors to process personal data outwith instructions imposed by data controllers. They also allow national lawmakers to restrict the circumstances in which organisations would need to carry out data protection impact assessments in some cases and to set their own rules on the disclosure of personal data contained in official documents held by public bodies.
In addition, the UK is free to set its own data protection rules regarding the processing of personal data in other specific contexts, including where data is processed for journalistic purposes and the purposes of academic, artistic or literary expression, as well as in the context of employment.
The rules on processing for employment, for example, could set out specific laws on the processing of data for the purposes of recruitment, the performance of the contract of employment, equality and diversity in the workplace and health and safety at work, as well as for the purpose of the termination of the employment relationship, among other examples listed in the Regulation.
Processing of 'special categories' of personal data
The GDPR sets out stiffer conditions on the processing of 'special categories' of personal data than those which apply to personal data more generally.
Special categories of personal data are considered to include data about a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
The Regulation provides each EU country with the opportunity to set specific rules relevant to some of the conditions where special categories of personal data can be processed.
It also permits member states to introduce their own conditions on when genetic data, biometric data or data concerning health can be processed.
Processing for scientific research purposes
The GDPR gives each EU country the right to limit certain rights that people enjoy under the Regulation where their personal data is processed for scientific or historical research purposes or statistical purposes.
People's rights to access data about themselves, demand speedy corrections to inaccurate data about them, as well as to restrict or object to data processing activities can be governed by national law where data is processed for scientific or historical research purposes or statistical purposes in certain circumstances explained in the Regulation.
National laws in such areas can restrict those rights where their application is "likely to render impossible or seriously impair the achievement of the specific purposes" and it is "necessary" for the rights to be restricted. The national laws, however, must contain "appropriate safeguards" that ensure people's rights and freedoms are accounted for.
Data transfers to third countries
The transfer of personal data outside of the EU has become a political issue in recent times. A framework facilitating EU-US data transfers was effectively invalidated by the EU courts, and its replacement, the EU-US Privacy Shield, has been the subject of heavy scrutiny and legal challenges. In addition, model clauses used to underpin data transfers from the EU to third countries have also been challenged in the courts.
The GDPR sets out more extensive rules on data transfers than those contained in current data protection laws in the EU.
The Regulation provides for data transfers to countries where the European Commission has deemed that there is adequate data protection equivalent to that available in the EU, or where "appropriate safeguards" for such transfers have been put in place, including where businesses have agreed binding corporate rules for intra-group transfers with regulators. There are also other circumstances in the Regulation where data transfers will be permitted in line with the rules.
One of the conditions where data transfers are permitted under the Regulation is where "the transfer is necessary for important reasons of public interest".
It is open to each EU country to set its own limits in national law on when data transfers concerning special categories of personal data can take place for important public interest reasons.
Appointment of data protection officers
Many organisations will be obliged to appoint data protection officers under the GDPR, including most public bodies.
Businesses whose "core activities" consist of data processing which "by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale" are required to appoint a DPO under the Regulation, as are those whose "core activities" involve processing special categories of personal data and personal data relating to criminal convictions and offences on a large scale.
The Regulation provides EU member states with the option of outlining further cases where organisations must appoint a DPO.
Codes of conduct and certification
The GDPR provides for the establishment of industry codes of conduct on aspects of data protection, so that businesses can sign up to those codes to demonstrate their compliance with the Regulation more generally.
Industry codes on fair and transparent processing, pseudonymisation, data breach notification and data transfers to third countries are among those envisaged under the Regulation.
In addition, the Regulation provides for businesses to be able to voluntarily sign up for certification of their data protection practices as means of demonstrating compliance.
The GDPR requires EU countries to encourage the development of codes of conduct and certification schemes. It also requires that member states ensure that either data protection authorities, or independent accredited 'certification bodies' with "an appropriate level of expertise in relation to data protection", operate the certification schemes.
Under the GDPR, stiff financial penalties are envisaged for businesses that breach the Regulation. In certain cases, fines of up to 4% of a business' annual global turnover, or €20 million, whichever is higher, could be imposed.
However, the Regulation leaves it up to each EU country to determine "whether and to what extent" fines can be imposed on public sector organisations in their jurisdiction.
In addition, EU countries are obliged to set out their own rules on what other penalties, beyond fines, can be imposed on organisations that breach the Regulation. The Regulation requires that the penalties are "effective, proportionate and dissuasive".
At the moment, the UK's Information Commissioner's Office (ICO) has a range of tools by which it can address data protection failings by organisations. As well as powers to fine businesses up to £500,000 for serious breaches of the Data Protection Act, it can agree undertakings with businesses to prompt changes in those organisations' policies and practices, and issue enforcement notices to compel changes on its terms. The ICO can also publicise the data protection failings of businesses as a way to deter others' non-compliance.