On 8 March, a new Data Protection and Digital Information Bill (No. 2) (the Bill) received its first reading in the House of Commons. This Bill replaces the Data Protection and Digital Information Bill (the DPDI Bill), which was introduced in July 2022 before being paused in September 2022. In its press release, the Government said:
- the Bill is a “new common-sense-led version of the EU GDPR”
- it will “reduce costs and burdens”
- it will “remove barriers to international trade”, and
- it will “cut the number of online repetitive data collection pop-ups online”.
Although the Bill has been introduced as a separate bill, its proposals for data reform are broadly the same as those contained in the DPDI Bill.
Grace Astbury summarises the key provisions of the Bill and the implications for the UK data protection regime below.
| Provision | The Proposed Changes |
|---|---|
| Personal data | Under current data protection legislation, personal data is defined as any information relating to an identifiable person. An identifiable individual is someone who can be identified directly or indirectly from the data. The Bill proposes to move towards a more subjective definition of personal data. Information being processed will only relate to an identifiable individual where:<br>(i) the individual is identifiable by reasonable means of the controller or processor at the time of processing; or<br>(ii) where the information is likely to be obtained by a third party, the living individual will be or is likely to be identified by that third party by reasonable means at the time of processing.<br><br>What does this mean? This updated definition seems to acknowledge the difficulties of truly anonymising personal data. It should provide businesses with more clarity on whether the data they process are subject to data protection regulations. |
| Data subjects’ rights | Currently, controllers may refuse, or charge a reasonable fee for, a request for personal data that is “manifestly unfounded or excessive”. The ICO says that this could include instances where the requester is attempting to harass the organisation with the intent of causing disruption, or where the request is malicious. This threshold is being shifted to “vexatious or excessive” in an effort to capture a wider range of requests. This will now include requests intended to cause distress, requests not made in good faith and requests that are an abuse of process.<br><br>What does this mean? Businesses will hopefully be able to refuse a greater number of illegitimate data requests. That being said, it is unlikely that businesses will see a significant change to the number of requests received. |
| Record keeping | Businesses (whether controllers or processors) will only need to keep records of processing where such processing activity is likely to result in a high risk to the rights and freedoms of individuals, regardless of the size of the business (including the number of employees). When assessing high-risk processing, controllers must take into account the nature, scope, context and purposes of the processing.<br><br>Data protection impact assessments (DPIAs) will no longer be mandatory; instead they will be replaced with obligations on businesses to assess and mitigate risk by undertaking an “assessment of high-risk processing”.<br><br>What does this mean? Businesses will only be required to keep records of processing where they carry out high-risk processing activities. |
| DPOs | The requirement for businesses to appoint a DPO has been removed. Instead, public authorities and businesses undertaking processing which presents a “high risk” to the rights and freedoms of individuals must appoint a “Senior Responsible Individual” (SRI). The SRI must be part of the business’s senior management but may delegate functions of the role to other skilled individuals.<br><br>What does this mean? Businesses will no longer be required to appoint a DPO. If they carry out high-risk processing, they will need to appoint a “senior responsible individual”. |
| International data transfers | The Bill’s explanatory notes clarify that it is intended to facilitate international trade by providing a clearer and more stable framework for international data transfers.<br><br>Controllers will be permitted to take a more risk-based approach in assessing the impact of international data transfers using a “data protection test”. Transfers will meet the test where the controller, acting reasonably or proportionally, considers that following the transfer the standard of data protection would not be “materially lower” than under the UK’s data protection legislation. This is a shift from the EU GDPR standard of “essentially equivalent protection”.<br><br>The Government also intends to make new adequacy decisions for the UK using the same approach. One of the current priorities is an adequacy decision with the US. Businesses are likely to be keen for the simplification of international data transfers. However, the Government has already admitted that if the changes concerning data transfers lead to the removal of the EU-UK adequacy decision, this could do more harm than good.<br><br>What does this mean? This does not make much of a change for businesses, as the Bill makes it clear that transfer mechanisms entered into before the Bill will continue to be valid. |
| ICO | The Information Commissioner’s Office (ICO) will be replaced by the “Information Commission” and given a new statutory framework, including the implementation of a principal objective and general duties relating to its role under data protection legislation. The Secretary of State will have more oversight over the ICO through powers to designate a statement of strategic priorities and approve codes of practice.<br><br>What does this mean? No real practical changes for business owners, but this is part of a wider set of changes aimed at keeping the ICO sufficiently independent. |
| PECR | Businesses will no longer have to seek consent for all types of cookies and other tracking technologies. The Bill will bring in exemptions for non-intrusive analytics cookies, such as those used to ensure website functionality. The long-term aim is to move to an “opt out” consent model, which should remove the need for pop-up cookie banners but relies on browsers having opt-out functionality.<br><br>The ICO will also be permitted to increase fines under PECR, in line with those currently levied under the UK GDPR – up to £17.5m or 4% of a business’s total annual worldwide turnover.<br><br>What does this mean? The rules about website cookies will be relaxed, so consent will not always be necessary. On the other hand, the fines are increasing, so it would be worth keeping an eye on the new rules. |
| Legitimate interests | Businesses frequently rely on legitimate interests as their lawful basis for processing personal data.<br><br>The Bill provides some examples of processing which may be considered necessary for the purposes of legitimate interests, such as:<br>(1) processing necessary for the purposes of direct marketing;<br>(2) intra-group data sharing for administrative purposes; and<br>(3) processing necessary for the purposes of ensuring network and information system security.<br><br>Controllers will still be required to undertake an exercise of balancing their legitimate interests against the individual’s interests, rights and freedoms. Businesses may push the Government to include other examples of processing necessary for the purposes of legitimate interests to provide greater certainty.<br><br>What does this mean? The examples provided will hopefully make it easier for businesses to determine whether their data processing has a legitimate interest. |
| Recognised legitimate interests | As outlined above, controllers are required to carry out a balancing exercise, weighing their legitimate interests against the rights of the individual.<br><br>However, the Bill proposes the introduction of a new lawful basis: ‘recognised legitimate interests’. Controllers processing personal data on the basis of a recognised legitimate interest will not be required to carry out the balancing exercise, provided the processing falls within the activities outlined in Annex 1 to the Bill. The activities include processing for detecting, investigating or preventing crime. The explanatory notes to the Bill clarify that ‘crime’ would also cover economic crimes such as fraud, money laundering or terrorist financing, amongst other things. This may be of relevance to businesses which carry out checks on their customers or suppliers.<br><br>Other recognised legitimate interests include processing for national and public security and defence, emergencies, safeguarding vulnerable individuals and democratic engagement. The Secretary of State may also add additional activities to the list.<br><br>What does this mean? If businesses can argue that their data processing falls within one of the recognised legitimate interests set out above, they won’t have to carry out and record the balancing test – they can just rely on the recognised legitimate interest. |
The proposed changes seem to be more of an evolution of the UK GDPR rather than a complete departure, alleviating some but not all of the compliance burdens under the UK data protection regime. Businesses will be afforded some greater flexibility in meeting the legal requirements for their data processing activities. Should the Bill be passed in its current form, businesses should carefully consider whether their current practices and procedures meet the requirements under the Bill. However, at this stage businesses should not take any immediate steps to modify their practices. It is likely that in most cases, where a business is GDPR-compliant, they will also be compliant under the new regime proposed by the Bill.
Michelle Donelan, Science, Innovation and Technology Secretary, stated that “no longer will our businesses have to tangle themselves around the barrier-based European GDPR”. However, whilst the changes move the UK’s data protection regime away from the EU GDPR, the Bill cannot make changes to obligations under the EU GDPR. Therefore, businesses processing the personal data of individuals based in the EEA will still be required to comply with the EU GDPR. Businesses which process the personal data of both UK- and EEA-based individuals may have little desire to maintain separate data practices for their EU and UK operations.
On 17 April 2023, the second reading of the Bill took place, which gave MPs a chance to debate its main principles. The Bill passed this stage, but in the course of the debate concerns were raised in relation to the ICO’s independence, the UK’s adequacy status with the EU and the overall complexity of the Bill. The Opposition welcomed the Bill’s overarching principles but suggested that it did not go far enough. The Bill will now proceed to Committee stage to be scrutinised line by line. The first sitting of the Public Bill Committee is expected to be on 10 May, with the Committee scheduled to report by 13 June. It remains to be seen what amendments could be on the horizon.
In the coming months, businesses will need to watch out for confirmation of the timing for implementation of the Bill and whether there is general cross-party support for the proposals. Further, the European Commission is yet to release its view on the proposals for reform under the Bill, raising the question – is the UK on a collision course with its adequacy decision with the EU?