This week there’s been much in the media about the UK’s upcoming new Data Protection Bill. Unfortunately some of the reporting has been unclear, providing very woolly information on some of the new rights of individuals, and the circumstances they do – or do not – apply. Nonetheless, the main story is that the Data Protection Act will be replaced and that it will include the requirements of the EU’s General Data Protection Regulation (GDPR).
In other news, the ICO has taken further action against companies who fail to follow the current Data Protection Act and PECR regulations. This week the spotlight falls on companies who fail to screen their call lists against TPS. This illegal behaviour has resulted in fines of £150,000 for the week.
Data Protection Bill set to be read out in Parliament in September
The government has said that it plans to give the Data Protection Bill, announced in the Queen’s speech in June, an airing in Parliament at some point next month. This has been confirmed by the Department for Digital, Culture, Media and Sport (which continues to be officially abbreviated as DCMS, despite the recent addition of ‘Digital’).
The new Bill will replace the existing Data Protection Act 1998 and one of its chief aims is to implement the EU-wide General Data Protection Regulation (GDPR). The UK must adhere to GDPR during its time as a member state and almost certainly beyond – albeit under different legal provisions. The manner in which this EU initiative could apply in the UK after a finalised Brexit is discussed in the next story.
This first reading of the Bill next month is largely a formality. It gives lawmakers, consultants and interested parties a chance to inform themselves and gather the information they need before a second reading takes place, during which a parliamentary debate is properly staged.
Last month, Germany became the first EU member state to approve its data protection legislation meeting the requirements of GDPR – the German Federal Data Protection Act (‘Bundesdatenschutzgesetz‘).
House of Lords publishes a report on the EU data protection package
Responding to the government’s plans outlined in a White Paper on The United Kingdom’s exit from and new partnership with the European Union, the House of Lords has reviewed various options regarding the data protection policy aspect of this new relationship in a report published on 18th July.
Since the government has stated that it wants to “maintain unhindered and uninterrupted data flows with the EU post-Brexit,” the House of Lords has assessed this commitment with a view to providing a more detailed set of practical objectives.
The report summarises that the UK has two feasible options if it wants to continue uninterrupted data flow with the EU, which is now a lynchpin in our service-driven economy. There will be a transitional period of adopting the General Data Protection Regulation (GDPR) and the Police and Criminal Justice Directive (PCJ) while the UK remains an EU Member State, regulations which the government plans to implement with the aforementioned new Data Protection Bill. But the report states that after Brexit, the UK will either have to pursue an ‘adequacy decision’ from the European Commission, “certifying that [the UK] provides a standard of protection which is ‘essentially equivalent’ to EU data protection standards,” or else individual data controllers will have to implement their own data protection safeguards, which would “include tools such as Standard Contractual Clauses, and Binding Corporate Rules.”
The report favours the former, that is, adequacy decisions conferred to the UK as a third state in its relation to the EU, provided under Articles 45 and 36 of the GDPR and PCJ respectively. The report states that the Lords were “persuaded by the Information Commissioner’s view that the UK is so heavily integrated with the EU – three quarters of the UK’s cross-border data flows are with EU countries – that it would be difficult for the UK to get by without an adequacy arrangement.”
The report concludes that there is no prospect of a clean break, since the UK will have to continue to update its domestic data protection policies to remain aligned to the standards of EU data protection in the event of changing regulations – that is, if the UK wants the seamless transfer of data with EU countries that is regarded as crucial to the digital economy and the UK’s competitive position in the modern globalised market.
Information Commissioner’s Office (ICO) levies £150,000 of fines for nuisance calls
The ICO has issued official warnings, “reminding companies making direct marketing calls that people registered with the Telephone Preference Service are ‘off-limits,’” after two Bradford-based firms were fined a total of £150,000 for flouting this preference.
HPAS Ltd (t/a Safestyle UK) and Laura Anderson Ltd (t/a Virgo Home Improvements) have been fined £70,000 and £80,000 respectively for making illegal nuisance calls to people on the TPS register. Both firms have been issued enforcement notices and will face court action if the practice continues.
The ICO received 264 complaints about Virgo over 20 months (despite repeated warnings and formal monitoring), and 440 complaints about the latter in 19 months. Virgo Home Improvements had already been fined £33,000 just over a year ago, bringing their total fines for making nuisance calls up to £113,000.
One complaint about Safestyle quoted by the ICO read, “this harassment has been going on for over five years now. I want it to stop.” Members of the public are becoming increasingly aware of data protection policy, and the prospect of new legislation that will crack down on aggravating breaches such as these will be welcomed by many.
Written by Harry Smithson, 8th August 2017