Earlier this year [July], the EU adopted a decision that will see the free flow of personal data between the EU and the US – a move that will undoubtedly be welcomed by trans-Atlantic businesses. The adequacy decision for the EU-US Data Privacy Framework will allow the free transfer of personal data between EU and US companies participating in the framework on the basis of binding safeguards. 

Under the EU GDPR, the European Commission (EC) has the ability to determine whether jurisdictions outside of the EU offer an adequate level of protection for EU citizens’ personal data. The effect of such an adequacy decision is that personal data can freely flow between the EU and the non-EU jurisdiction without additional safeguards needing to be put in place. Those additional safeguards included, for example, the use of EU approved Standard Contractual Clauses (SCCs) in contracts between the data exporting and importing parties, and the carrying out appropriate data protection impact assessments. In relation to EU-US data flows, this decision is highly valuable, with the White House stating that there are more data flows between the EU and the US than anywhere else in the world. 

This is not the first time the EU and the US have attempted to put a framework in place for the free flow of data. The two previous decisions of the EC, the Safe Harbor, put in place in 2000, and the Privacy Shield put in place in 2016, were declared invalid by the European Court of Justice (ECJ) in 2015 and 2020 respectively, following challenges from privacy activist Max Schrems. These decisions were invalidated in part because of programmes allowing US authorities to access personal data transferred from the EU for national security purposes. This meant US domestic law limited the protection of EU citizens’ personal data in a way that did not provide for an essentially equivalent, and therefore sufficient, level of protection as guaranteed by EU law. 

The EC has stated that “new binding safeguards have been introduced to address the points raised” by the ECJ in 2020, including limiting US authorities’ access to data to the extent that it is “necessary and proportionate to protect national security”. The Data Protection Review Court has also been established, allowing EU citizens an independent redress mechanism which will investigate and resolve complaints relating to access to their data by US authorities. 

Joe Jones, director at the International Association of Privacy Professionals said that there had been “significant reforms” to the US’s surveillance safeguarding, and that the Data Privacy Framework was not just a “reheating” of the two previous attempts. However, he also said “the question is: is it good enough?” Perhaps predictably, Max Schrems is unenthused about the proposed agreement. noyb, the not-for-profit organisation led by Schrems, states that data agreements with the US will not work unless the necessary changes in US surveillance law are made, which is yet to happen. Schrems is quoted as saying that simply calling something ‘new’, ‘robust’ or ‘effective’ will not be enough for the Court of Justice, and noyb have already prepared various challenges to be filed with the ECJ. 

But what does this mean for the UK? The adequacy decision does not apply to UK-US personal data flows. In June 2023, the UK and US announced that a commitment in principle had been reached in relation to a proposed data bridge allowing for the free flow of data between the UK and US organisations that have been certified under the scheme. The data bridge would act as an extension to the EU-US Data Privacy Framework, purportedly providing businesses with an annual saving of £94.2 million. However, if the EU-US Data Privacy Framework is subject to challenge and ultimately declared invalid, this may affect the UK-US data bridge. There are also further concerns that the scope of the data bridge could bring the EU’s UK adequacy decision into question. 

For now, the new adequacy decision will facilitate EU-US data flows. It will be interesting to see how the challenges from privacy campaigners develop and what effect this will have on efforts to facilitate the transfer of data between the UK and US.  

UK businesses trading in the US may wish to consider the following steps in preparing for the introduction of the UK-US data bridge:

Latest News

Interpretation of contracts and implied terms - Pannone Corporate

Contracts form the cornerstone of business relationships. Having clarity as to the terms parties are bound by in a contract is paramount to business effi...

Read more...
What next for net zero? - Pannone Corporate

In the final piece in our series commenting on Manchester’s aims to achieve net zero by 2038, we look to the future and offer our predictions as to som...

Read more...
Ten in 10 – David Walton - Pannone Corporate

As part of our 10th anniversary celebrations, we wanted to speak to people across the firm – from those who were here at the beginning of our journey, ...

Read more...

View all posts

On 8 March, a new Data Protection and Digital Information Bill (No. 2) (the Bill) received its first reading in the House of Commons. This Bill replaces the Data Protection and Digital Information Bill (the DPDI Bill), which was introduced in July 2022 before being paused in September 2022. In its press release, the Government said:

Although the Bill has been introduced as separate bill, its proposals for data reform are broadly the same as those contained in the DPDI Bill.

Grace Astbury summarises the key provisions of the Bill and the implications for the UK data protection regime below.

Provision The Proposed Changes
Personal data Under current data protection legislation, personal data is defined as any information relating to an identifiable person. An identifiable individual is someone who can be identified directly or indirectly from the data. The Bill proposes to move towards a more subjective definition of personal data. Information being processed will only relate to an identifiable individual where:

 

(i)              the individual is identifiable by reasonable means of the controller or processor at the time of processing; or

(ii)             where the information is likely to be obtained by a third party, the living individual will be or is likely to be identified by that third party by reasonable means at the time of processing.

 

What does this mean? This updated definition seems to acknowledge the difficulties of truly anonymising personal data. It should provide businesses with more clarity on whether data they process are subject to data protection regulations.

 

Data subjects’ rights Currently, controllers may refuse or charge a reasonable fee for a request for personal data that is “manifestly unfounded or excessive”. The ICO says that this could include instances where the requester is attempting to harass the organisation, with the intent of causing disruption, or where the request is malicious. This threshold is being shifted to “vexatious or excessive” in an effort to capture a wider number of requests. This will now include requests intended to cause distress, requests not made in good faith and requests that are an abuse of process.

 

What does this mean? Businesses will hopefully be able to refuse a greater number of illegitimate data requests. That being said, it is unlikely that businesses will see a significant change to the number of requests received.

 

Record keeping Businesses (whether controllers or processors) will only need to keep records of processing where such processing activity is likely to result in a high risk to the rights and freedoms of individuals, regardless of the size of the business (including the number of employees). When assessing high risk processing, controllers must take into account the nature, scope, context and purposes of the processing.

 

DPIAs will no longer be mandatory, instead replaced with obligations on businesses to assess and mitigate risk by undertaking an “assessment of high-risk processing”.

 

What does this mean? Business will only be required to keep records of processing, where they carry out high risk processing activities.

 

DPOs The requirement for businesses to appoint a DPO has been removed. Instead, public authorities and businesses undertaking processing which presents a “high risk” to rights and freedoms of individuals must appoint a “Senior Responsible Individual” (SRI). The SRI must be part of the business’ senior management but may delegate functions of the role to other skilled individuals.

 

What does this mean? Businesses will no longer be required to appoint a DPO. If they carry out high risk processing, they will need to appoint a “senior responsible individual”.

 

International data transfers

 

The Bill’s explanatory notes clarify that that it is intended to facilitate international trade by providing a clearer and more stable framework for international data transfers.

 

Controllers will be permitted to take a more risk-based approach in assessing the impact of international data transfers using a “data protection test”. Transfers will meet the test where the controller acting reasonably or proportionally considers that following the transfer, the standard of data protection would not be “materially lower” than the UK’s data protection legislation. This is a shift from the EU GDPR standard of “essentially equivalent protection”.

 

The Government also intends to make new adequacy decisions for the UK using the same approach. One of the current priorities is an adequacy decision with the US. Businesses are likely to be keen for the simplification of international data transfers. However, the Government has already admitted that if the changes concerning data transfers lead to the removal of the EU-UK adequacy decision, this could do more harm than good.

 

What does this mean? This does not make much of a change for businesses as the Bill makes it clear that mechanisms entered into before the Bill will continue to be valid.

 

ICO framework

 

The Information Commissioner’s Office (ICO) will be replaced by the “Information Commission” and given a new statutory framework including the implementation of a principal objective and general duties relating to its role under data protection legalisation. The Secretary of State will have more oversight over the ICO through powers to designate a statement of strategic priorities and approve codes of practice.

 

What does this mean? No real practical changes for business owners, but this is part of a wider set of changes aimed at keeping the ICO sufficiently independent.

 

PECR Businesses will no longer have to seek consent for all types of cookies and other tracking technologies. The Bill will bring in exemptions for non-intrusive analytics cookies such as those used to ensure website functionality. The long-term aim is to move to an “opt out” consent model which relies should remove the need for pop up cookie banners but relies on browsers having opt out functionality.

 

The ICO will also be permitted to increase fines under PECR, in line with those currently levied under UK GDPR – up to £17.5m or 4% of a business’ total annual worldwide turnover.

 

What does this mean? The rules about website cookies will be relaxed so consent will not always be necessary. On the other hand, the fines are increasing, so it would be worth keeping an eye on the new rules.

 

Legitimate interests Businesses frequently rely on legitimate interests as their lawful basis for processing personal data.

 

The Bill provides some examples of processing which may be considered necessary for the purposes of legitimate interests such as:

(1)   Processing necessary for the purposes of direct marketing

(2)   Intra-group data sharing for administrative purposes, and

(3)   Processing necessary for the purposes of ensuring network and information system security.

 

Controllers will still be required to undertake an exercise of balancing their legitimate interests against the individual’s interests, rights and freedoms. Businesses may push the government to include other examples of processing necessary for the purposes for legitimate interests to provide greater certainty.

 

What does this mean? The examples provided will hopefully make it easier for businesses to determine whether their data processing has a legitimate interest.

 

Recognised legitimate interests As outlined above, controllers are required to carry out a balancing exercise, weighing their legitimate interests against the rights of the individual.

 

However, the Bill proposes the introduction of a new lawful basis: ‘recognised legitimate interests’. Controllers processing personal data on the basis of a recognised legitimate interest will not be required to carry out the balancing exercise, provided the processing falls within the activities outlined in Annex 1 to the Bill. The activities include processing for detecting, investigating or preventing crime. The explanatory notes to the Bill clarify that ‘crime’ would also cover economic crimes such as fraud, money-laundering or terrorist financing, amongst other things. This may be of relevance to businesses who carry out checks into their customers or suppliers.

 

Other recognised legitimate interests include processing for national and public security and defence, emergencies, safeguarding vulnerable individuals and democratic engagement. The Secretary of State may also add additional activities to the list.

 

What does this mean? If businesses can argue that their data processing falls in one of the recognised legitimate interests set out above, they won’t have to carry out and record the balancing test – they can just rely on the recognised legitimate interest.

 

 

The proposed changes seem to be more of an evolution of the UK GDPR rather than a complete departure, alleviating some but not all of the compliance burdens under the UK data protection regime. Businesses will be afforded some greater flexibility in meeting the legal requirements for their data processing activities. Should the Bill be passed in its current form, businesses should carefully consider whether their current practices and procedures meet the requirements under the Bill. However, at this stage businesses should not take any immediate steps to modify their practices. It is likely that in most cases, where a business is GDPR-compliant, they will also be compliant under the new regime proposed by the Bill.

Michelle Donelan, Science, Innovation and Technology Secretary stated that “no longer will our businesses have to tangle themselves around the barrier-based European GDPR”. However, whilst the changes move the UK’s data protection regime away for the EU GDPR, the Bill cannot make changes to obligations under the EU GDPR. Therefore, businesses processing the personal data of individuals based in the EEA will still be required to comply with the EU GDPR. Businesses who process the personal data of both UK and EEA based individuals may have little desire to have separate data practices for their EU and UK operations.

On 17 April 2023, the second reading of the Bill took place, which gave MPs a chance to debate the main principles. The Bill passes this stage but in the course of the debate, concerns were raised in relation to the ICO’s independence, the UK’s adequacy status with the EU and the overall complexity of the Bill. The Opposition welcomed the Bill’s overarching principles but suggested that it did not go far enough. The Bill will now proceed to Committee stage to be scrutinised line by line. The first sitting of the Public Bill Committee is expected to be on 10 May, with the Committee being scheduled to report by 13 June. It remains to be seen what amendments could be on the horizon.

In the coming months, businesses will need to watch out for confirmation of the timing for implementation of the Bill and whether there is general cross-party support for the proposals. Further, the European Commission is yet to release its view on the proposals for reform under the Bill, raising the question – is the UK on a collision course with its adequacy decision with the EU?

Latest News

Interpretation of contracts and implied terms - Pannone Corporate

Contracts form the cornerstone of business relationships. Having clarity as to the terms parties are bound by in a contract is paramount to business effi...

Read more...
What next for net zero? - Pannone Corporate

In the final piece in our series commenting on Manchester’s aims to achieve net zero by 2038, we look to the future and offer our predictions as to som...

Read more...
Ten in 10 – David Walton - Pannone Corporate

As part of our 10th anniversary celebrations, we wanted to speak to people across the firm – from those who were here at the beginning of our journey, ...

Read more...

View all posts