In the UK, the Department of Digital, Culture, Media and Sport (DCMS) has today published the Data Protection Bill 2017, to incorporate the General Data Protection Regulation (GDPR) and to implement the Police and Criminal Justice Authorities Directive (PCJAD) (respectively: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; aka the Law Enforcement Directive). The progress of the Bill through Parliament can be tracked here.
In Ireland, when the Department of Justice published the the General Scheme of the Data Protection Bill 2017 (scheme (pdf)), I expressed two concerns, both of which are equally applicable to the UK Bill. First, since the Scheme was unclear on the relationship of the new Bill with existing legislation (the Data Protection Acts 1988 and 2003 (also here and here; administrative consolidation here)), I said that I fervently hoped that the 1988 and 2003 Acts would be repealed, so that the new Bill would provide a single one-stop-shop for the law on data protection. Anything else would be unworkably messy. I am glad to see that this is the approach taken by the UK’s Bill. As Neil Browne pointed out to me, clause 190(1) provides that “Schedule 18 contains minor and consequential amendments”, and clause 2 of Schedule 18 provides that “The Data Protection Act 1998 is repealed”. Excellent.
My second concern with the Irish Scheme was as to whether it properly provided for a private action for compensation (see, eg, here and here). Article 82(1) GDPR provides that any “person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. In my view, the EU Member States should include a provision to give effect to this Article in legislation incorporating the GDPR. The Irish position is, at best, unclear – Head 91 of the Scheme is probably intended to do this, but I am not convinced that it does so successfully (see, eg, here and here). However, such provisions are included in legislation in Austria, in draft Bills in Hungary, the Netherlands, Poland, Romania, Slovakia, Spain, and in a report in Sweden (note: this list is updated as and when another Member State incorporation provides for a claim for compensation). I am glad to see that this is the approach taken by the UK’s Bill. Clause 159 provides for “compensation for contravention of the GDPR”; in particular, clause 159(1) provides that “[i]n Article 82 of the GDPR (right to compensation) ‘damage’ includes financial loss, distress and other adverse effects”.
Update: It’s not clear to me exactly what these “other adverse effects” might be. It may simply have been better to leave well-enough alone, and rely simply on the GDPR language of “material or non-damage”. If the DMCS wished to have some text here, they could simply have used “material or non-damage”. Or they could have repeated as much as possible of the text of Article 82. Indeed, in my view, they probably should have done so. Recital 8 GDPR encourages as much, by permitting the incorporation only of “elements” of the Regulation. It is neither necessary nor desirable to reinvent the wheel; and the dangers of trying to do so are starkly illustrated by the narrow interpretation provided by the Irish High Court in Collins v FBD Insurance plc  IEHC 137 (14 March 2013) (noted here and here) of section 7 of the Data Protection Act, 1988 (also here), which is intended to implement Article 23 of the Data Protection Directive (Directive 95/46/EC) but does so in very different terms. End update
DCMS had conducted a consultation which did not refer to Article 82. On foot of that consultation, and in advance of publishing the Bill, the Department issued a Statement of Intent, outlining its planned reforms. This mentioned the “greater scope for enforcing rights under the GDPR” (p13) but did not refer specifically to Article 82. However, a further [leaked] document (pdf) said that Article 82 was one of the Articles of the GDPR in respect of which Member States have flexibility; and that document (pp8-9) envisaged an express provision relating to compensation claims. Clause 159 of the Bill provides that. In its express reference to Article 82, it is similar to the approach taken in §29(1) of the Austrian Act and Article 32(2) of the Spanish Bill. Moreover, the express reference to “distress” avoids the problem with section 13 of the 1998 Act which the Court of Appeal strove mightily, and successfully, to overcome in Google Inc v Vidal-Hall  QB 1003,  EWCA Civ 311 (27 March 2015) and which the Irish High Court failed to overcome in Collins. Update: A reference to “non-material damage” would have been better, not least because the Court of Appeal in Vidal-Hall made clear that this phrase included “distress”. And the full text of Article 82 instead of clause 159(1) would have been better still. Nevertheless, the reference to Article 82 in clause 159 is very welcome; and though it could have better, it could also have been a lot worse.
This On balance, then, End update this, too, is excellent.
As a companion to the clause 159 claim for compensation for contravention of the GDPR, clause 160 provides for “compensation for contravention of other data protection legislation”. Given that the Bill would repeal the 1998 Act, the other data protection legislation clause 160 has in mind must be the non-GDPR parts of the 2017 Bill, such as Part 3 on law enforcement processing and Part 4 on intelligence services processing. These Parts of the Bill implement the PCJAD; Article 56 of that Directive requires that Member States provide a “right to receive compensation” for material or non-material damage suffered as a result of unlawful processing; and clause 160 gives effect to this. Of the thirteen Member States which have so far published reports or Bills or enacted legislation to provide for the incorporation of the GDPR, only four – Austria, Germany, Ireland, and now the UK – have chosen to include the incorporation of the GDPR and the implementation of the PCJAD in the same piece of legislation. Of those, the Austrian Act does not refer to a claim for compensation for breach of the PCJAD, §63 of the German Act provides such a claim, Head 58 of the Irish Scheme is probably intended to do this (but, as with Article 82 GDPR, I am not convinced that it does so successfully; see, eg, here and here), and clause 160(1) of the UK’s Bill seems to do so in the following terms:
A person who suffers damage by reason of a contravention of a requirement of the data protection legislation, other than the GDPR, is entitled to compensation for that damage from the controller or the processor …
Moreover, clause 160(5) goes on to provide that, in that clause, “‘damage’ includes financial loss, distress and other adverse effects, whether or not material”. By way of contrast, clause 159(1) provides only that “‘damage’ includes financial loss, distress and other adverse effects’, without the addition of the four words at the end of clause 160(5) “whether or not material”. I am at a loss to understand why there should be this difference. However, given the text of Article 82 GDPR, and in the light of Vidal-Hall, a court would have no difficulty reading clause 159 to cover both “material” and “non-material”. Nevertheless, it would have been better had clauses 159(1) and 160(5) been in the same terms.
Update: These same terms should have been in the extended terms of clause 160(5) and not the narrower terms of clause 159(1). Indeed, I would go further. Article 56 PCJAD refers also to “material or material damage”; and if clause 159(1) should have used that phrase, so also should clause 160(1). Indeed, I would go further still. If clause 159(1) should simply have replicated Article 82 GDPR as much as possible, so also should clause 160(5) have similarly replicated Article 56 PCJAD have as much as possible. Nevertheless, the fact that clause 160 clearly implements Article 56 PCJAD
This End update is also excellent.