The General Data Protection Regulation (GDPR) will automatically come into force across the EU on 25 May 2018. As the deadline fast approaches, Member States are busy progressing their draft implementing legislation. Article 23 of the GDPR provides Member States with discretion over how certain provisions will apply. These proposed derogations to the GDPR have been a focus point for many commentators on the draft national legislation.

Article 23

Under Article 23, Member States can introduce exemptions from the GDPR’s transparency obligations and individual rights, but only where the measure respects the essence of the individual’s fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society. The measure must safeguard one of the following:

  • national security;
  • defence;
  • public security;
  • the prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties or breaches of ethics in regulated professions;
  • other important public interests, in particular economic or financial interests (e.g. budgetary and taxation matters, public health and security);
  • the protection of judicial independence and proceedings;
  • monitoring, inspection or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests or crime/ethics prevention;
  • the protection of the individual, or the rights and freedoms of others; or
  • the enforcement of civil law matters.

Chapter IX of the GDPR provides Member States with further exemptions, derogations, conditions or rules in relation to specific processing activities.

UK Call for Views on the GDPR

Earlier this year, the UK’s Department for Digital Culture, Media and Sport (DCMS) opened a public “call for views” as part of its implementation process. All stakeholders with an interest in data protection were encouraged to share views on any and all derogations in the UK Data Protection Bill.

Following the end of the call for views, the DCMS published its Statement of Intent and outlined its approach to the Data Protection Bill. The document (available here) emphasises the UK Government’s desire to continue its “gold standard” of data protection law. It states that the GDPR will be implemented in a way that, as far as possible, preserves the concepts of the UK’s Data Protection Act 1998 and ensures a smooth transition post Brexit, while complying with the GDPR and other applicable directives.

The DCMS has also provided a detailed summary of the proposed GDPR derogations in the Data Protection Bill (available here). The summary usefully sets out the derogations in the GDPR, the relevant GDPR article, and the reason for the UK deviating from the default position, where applicable.

It is reported that the Bill will be published in early September 2017.