The Data Protection Bill was given a first reading in the House of Lords on 13 September 2017. This formality signals the start of the Bill's passage through the Lords. A second reading, including a general debate on all aspects of the Bill, is scheduled for 10 October 2017.
The Bill will replace the Data Protection Act 1998 (DPA) to provide a comprehensive legal framework for data protection in the UK, supplemented by the General Data Protection Regulation ((EU) 2016/679) (GDPR) until the UK leaves the EU. When the UK leaves the EU, the GDPR will be incorporated into UK domestic law under the European Union (Withdrawal) Bill currently before Parliament. Strong data protection laws enable UK businesses to operate across international borders, and unrestricted data flows are essential to the UK post-Brexit. For more information, see Legal update, Government publishes Data Protection Bill statement of intent.
The DCMS announced that the Bill will:
· Replace the DPA.
· Set new standards for protecting general data in accordance with the GDPR, giving individuals more control over use of their data and new rights to transfer or erase personal data.
· Preserve existing exemptions that worked well in the DPA. These include exemptions for journalists, research organisations, financial services firms in relation to money laundering, and processing of sensitive and criminal conviction data without consent to allow employers to fulfil employment law obligations.
· Provide a bespoke framework tailored to the needs of the UK's criminal justice agencies and national security organisations.
The ICO will be given more power to defend consumer interests and issue higher fines of up to £18 million or 4% of global turnover in the case of the most serious data breaches.
Sources: Data Protection Bill, 13 September 2017 and DCMS Press Release: Data laws to be made fit for digital age, 14 September 2017.