Data Protection Law

You would be forgiven for thinking that data protection regulation only started in 2018 with the introduction of the EU’s General Data Protection Regulation (GDPR).

In fact data protection laws have a long history in both the UK and world-wide.

The fundamental basis of data protection law is Article 8 of the European Convention of Human Rights and Fundamental Freedoms (ECHR), the right to respect for privacy and family life. Data Protection laws have implemented this general protection so that individuals have the power to control their own identity and their interactions with businesses and organisations.

Data Protection Law | A Brief History

The Council of Europe introduced the first European treaty on data protection when it introduced the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).

The convention was the first international agreement to protect “the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data.”

The treaty provided protections in relation to he collection and processing of personal data. It also provided individuals with a right to access their data and also a right to erasure and rectification. The treaty was signed by the UK on the 14 May 1981, and was implemented domestically via the Data Protection Act 1984.

The 1984 Data Protection Act created the Data Protection Registrar, where organisations processing personal data had to register on the Register of Data Controllers, which is currently called the Register of Fee Payers. The Data Protection Register changed its name after the introduction of the European Directive 95/46/EC (which was later enacted as the Data Protection Act 1998) to the Data Protection Commissioner and then finally to the Information Commissioner’s Office (ICO).

Why did we need the GDPR?

As the last major update to data protection law came in 1995, when very few people had access to the internet, it was drafted effectively during an entirely different technological age. Since the digital revolution the way in which data is collected, stored and used has fundamentally changed, so a new updated framework was required.

The GDPR aims to unify all previously existing data protection laws into one corpus of rules. Although not marking a fundamental shift, the rules aim to be more focused on today’s needs and with a more rigorous compliance and enforcement regime.

The GDPR and the Data Protection Act 2018

The GDPR applies broadly to most organisations and business however there are three key exemptions.

The first key exemption is that the GDPR does not apply to personal data processed in the course of a purely personal or household activity, that has no connection to a professional or commercial activity. Naturally in a personal relationship, or in your day to day dealings with third parties, personal data will be exchanged, and s stored, such as in personal emails/messages or photographs, such data is outside the scope of the GDPR. If such personal data were to be included within the scope of the GDPR it would be a huge encroachment into the individual right to a privacy, guaranteed by Article 8 of the European Convention on Human rights.

The GDPR is also does not apply to the processing of “law enforcement” data, this is instead covered by Part 3 of the Data Protection ACt 2018.

Finally the GDPR does not apply to National Security data, such as that held by MI5 and the Secret Intelligence Service (MI6). This covered by Part 2, Chapter 3 of the Data Protection Act 2018 which contains exemptions for national security and defence.

There are other exemptions, such as the manual processing of unstructured data used in longstanding historical research or certain data related to judicial appointments.

What’s new in the GDPR?

The GDPR introduced new legally binding duties that were not previously present under the former data protection regime.

Under the GDPR organisations are now required, depending on the circumstances, to conduct a “data protection impact assessment” (DIPA) – many organisations had already been implementing these prior to the GDPR, but the GDPR made it mandatory for certain “high risk” data processing.

Along with DIPA’s the GDPR also introduced requirements on organisations to publish certain documentation, to appoint a Data Protection Officer (DPO), and to notify breaches to the ICO and affected individuals.

The GDPR also significantly increased the penalties that can be imposed, fines of 20 million Euros, or 4 per cent of global annual turnover, are now available to the ICO.

Another major innovation of the GDPR is the extra-territorial applicability of the rules – which attempt to regulate organisations outside of the EU.