Category Archives: Data Protection Act 2018

The most boring blogpost on this blog?

Although GDPR, and the Data Protection Act 2018 (DPA18), took effect from 25 May 2018, it has been notable that the Information Commissioner’s Office (ICO) has continued to exercise its enforcement powers under the prior law. There is no problem with this, and it is only to be expected, given that regulatory investigations can take some time. The DPA18 contains transitional provisions which mean that certain sections of the Data Protection Act 1998 continue to have effect, despite its general repeal. This is the reason, for instance, why the ICO could serve its recent enforcement notice on Hudson Bay Finance Ltd using the powers in section 40 of the 1998 – paragraph 33 of Schedule 20 to the DPA18 provides that section 40 of the 1998 Act continues to apply if the ICO is satisfied that the controller contravened the old data protection principles before the rest of the 1998 Act was repealed.

However, what is noticeable in the Hudson Bay Finance Ltd enforcement notice is that it says that it was prompted by a request for assessment by the complainant, apparently made on 21 September 2018, purportedly made under section 42 of the 1998 Act. I say “purportedly” because the transitional provisions in Schedule 20 of DPA18 require the ICO to consider a request for assessment made before 25 May 2018, but in all other respects, section 42 is repealed. Accordingly, as a matter of law, a data subject can (after 25 May 2018) no longer exercise their right to request an assessment under section 42 of the 1998 Act.

This is all rather academic, because it appears to me that the ICO has discretion – even if it does not have an obligation – to consider a complaint by a data subject relating to compliance with the 1998 Act. And ICO clearly (as described above) has the power still to take enforcement action for contraventions of the 1998 Act. But no one ever told me I can’t use my blog to make arid academic points.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, enforcement, Information Commissioner