The Data Protection Bill vs The Data Protection Act

Wednesday 15th November 2017

The EU General Data Protection Regulation (GDPR) creates a new framework for data protection across the EU, and commentary on the changes under the GDPR is extensive (you may, for example, find it useful to read our article from last year summarising the key differences between the current rules and the GDPR).

The UK’s new Data Protection Bill (“the Bill”), which is currently working its way through Parliament, supplements the GDPR in UK law, creates a few new criminal offences, and (where it is allowed to) provides exemptions to the new EU regime. The Data Protection Act 1998 (DPA) similarly provided exemptions when it implemented the EU’s 1995 Data Protection Directive into domestic law in 1998, and many businesses have relied on such exemptions since that time.

Whilst talk of increased sanctions and harder-to-obtain consent has dominated the headlines, one of the important questions for many businesses will be: can we still rely on those exemptions? The good news is that, for the most part, the answer to that question is “yes”.

In relation to consent, more emphasis will need to be put on identifying the relevant legal bases a business may have for using personal data, rather than merely relying on consent. Privacy Impact Assessments will need to be undertaken and privacy notices sent to data subjects. Where consent is required it must be obtained unambiguously and (in relation to special categories of data) explicitly. It must also be freely given, specific and informed. Businesses will need to take a more granular approach to the different uses they make of personal data and ensure that they have the appropriate legal basis for each different use.

The Bill recreates a number of important exemptions from the DPA for public bodies, including in relation to data processing for national security purposes, the prevention and detection of crime and the assessment and imposition of taxes. A new exemption is also introduced for the maintenance of effective immigration controls.

The existing exemptions for regulatory and supervisory bodies, which apply to data processing for purposes in the public interest (such as, for example, protecting the public from financial malpractice, protecting charities and securing the health, safety and welfare of workers) also have equivalent provisions in the Bill (and are extended to reflect new provisions under the GDPR).

The ‘freedom of expression’ exemption for journalism, literature and art is extended in the Bill to include academic purposes, and the protection for research, historical and statistical purposes is also carried through into the Bill with largely identical conditions to those in the DPA. Further new exemptions are introduced in respect of data processed for archiving purposes which are in the public interest, and to restrict data subjects’ rights of access to data where other enactments prohibit disclosure of such information (in relation to, for example, child adoption and human fertilisation).

In respect of the processing of sensitive (or “special category”) personal data, which is generally forbidden under the GDPR unless certain conditions are fulfilled, the Bill provides some specificity to the GDPR’s broadly worded conditions. One such condition involves processing for reasons of “substantial public interest” (a phrase which is not used in the current legislative framework). The Bill expands on this by providing a number of circumstances where the condition is fulfilled, notably including the processing of such data for the purpose of identifying and eliminating doping in sports.

There are new criminal offences in the Bill which are not present in the DPA. The offence of knowingly or recklessly obtaining or disclosing personal data without the controller’s consent exists in the current framework, but the Bill also makes it an offence to retain, sell, or offer to sell such data once it has been obtained without consent. Other new offences include decrypting encrypted personal data (or processing such data once it has been decrypted) without the controller’s consent, and altering or destroying personal data to prevent a data subject’s right of access.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.