 |
| Jane Lambert |
As everyone knows, the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) repealed and replaced the Data Protection Directive (Directive 94/46/EC) with effect from 25 May 2018.
Even though it repealed the Directive which was implemented into English and Welsh, Scottish and Northern Irish law by the Data Protection Act 1998, the GDPR did not automatically repeal the 1998 Act although the doctrine of the primacy of EU law recognized by the House of Lords in R (Factortame Ltd) v Secretary of State for Transport (No 2) [1991] [1990] UKHL 13, [1991] 1 Lloyd's Rep 10, [1991] 1 AC 603, [1991] 1 All ER 70, [1990] 3 WLR 818, [1991] AC 603, (1991) 3 Admin LR 333, [1990] 3 CMLR 375 would have had that practical effect.
For the avoidance of any doubt, Parliament passed the Data Protection Act 2018 which received royal assent on 23 May 2018, which was two days before the General Data Protection Regulation ("GDPR") was due to take effect. The introductory text describes the newAct as:
Because the Act received royal assent only days before the GDPR was due to come into effect, the following provisions came into effect immediately:
For the avoidance of any doubt, Parliament passed the Data Protection Act 2018 which received royal assent on 23 May 2018, which was two days before the General Data Protection Regulation ("GDPR") was due to take effect. The introductory text describes the newAct as:
"An Act to make provision for the regulation of the processing of information relating to individuals; to make provision in connection with the Information Commissioner’s functions under certain regulations relating to information; to make provision for a direct marketing code of practice; and for connected purposes."It consists of 215 sections and 20 schedules. It is intended to supplement the GDPR and implement the Data Protection Law Enforcement Directive (Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA).
Because the Act received royal assent only days before the GDPR was due to come into effect, the following provisions came into effect immediately:
- s.1 The Overview setting out the purposes for which the legislation was enacted;
- s.3 Terms relating to the processing of personal data: definitions and interpretation;
- s.182 Regulations and consultation: power to make delegated legislation;
- s.204 Meaning of 'health professional' and 'social professional'
- s.204 General interpretation;
- s.205 Index of defined expressions;
- s.209 Application to the Crown;
- s.210 Application to Parliament;
- s.213 (2) Transitional provision: power of secretary of state to make provisional legislation;
- s.214 Extent
- s.215 Short Title.
The very next day, Margot James MP, Minister for State at the Department for Digital, Culture, Media and Sport, signed The Data Protection Act 2018 (Commencement No. 1 and Transitional and Saving Provisions) Regulations 2018 SI 2018 No 625. Reg 2 (1) of those Regulations brought the following provisions of the Data Protection Act 2018 into effect from 25 May 2018:
- s.2 Protection of Personal Data;
- Part 2 General Processing: s.4 to s.28 and Scheds. 1, 2, 3. 4. 5 and 6 except para 62 of Sched. 6;
- Part 3 Law Enforcement Processing: s.29 to s.81 and Scheds. 7 and 8;
- Part 4 Intelligence Services Processing: s.82 to s.113 and Scheds, 9, 10 and 11 except s.93, s.102, s.103, s.104, s.105 and s.108;
- Part 5 Information Commissioner: s.114 to s.141 and Scheds. 12, 13 and 14 other than s.124, s.125, s.126 and s.127 in so far as they relate to a code prepared under s.124, s.177, s.178 and Sched. 17 and s.179 which come into force on 23 July 2018 by virtue of s.212 (3) and s.123, s.125, s.126, s.127, s.188, s.189, s.190, s.191, s.192, s.193, s.194 and s.195 which also come into force on 23 July 2018 by virtue of reg 3;
- Part 6 Enforcement: s.142 to s.181 and Scheds. 15, 16 and 17 except for the provisions mentioned about which will come into force on 23 July 2018; and Part 7 Supplementary and Final Provisions: s.182 to s.215 and Scheds. 18, 19 and 20 except for paras 76, 201, 211 and 227 of Sched. 19 and s.123, s.125, s.126, s.127, s.188, s.189, s.190, s.191, s.192, s.193, s.194 and s.195.
It will be seen that most of the Act is already in force and the few provisions that are not will come into force on 23 July 2018.
The provisions that repeal most of the 1998 Act are s.211 (1) (a) and para 44 of Sched. 19 of the Data Protection Act 2018. S.111 (1) (a) provides:
Anyone wishing to discuss this article, GDPR or data protection generally may call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.
"In Schedule 19—Para 44 of Sched. 19 adds:
(a) Part 1 contains minor and consequential amendments of primary legislation ..."
"The Data Protection Act 1998 is repealed, with the exception of section 62 and paragraphs 13, 15, 16, 18 and 19 of Schedule 15 (which amend other enactments)."There are of course transitional and provisional measures that I shall address when occasion demands.
Anyone wishing to discuss this article, GDPR or data protection generally may call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.
No comments:
Post a Comment