On July 18, 2022, the U.K. government introduced the Draft Data Protection and Digital Information Bill (hereafter the “Bill”) to the House of Commons. Publication of the Bill was the natural next step following the September 2021 consultation on the reform of UK data protection law, the UK Government’s final response to that public consultation and the Bill’s announcement in the Queen’s Speech.
According to the U.K. government, the new legal framework will lessen the burdens on organisations while maintaining a high level of data protection for individuals. This article summarises the significant reforms and offers an initial view of the impact these changes may have on organisations if they are finally adopted.
Summary of key changes
- Definition of personal data
The Bill narrows the scope of personal data as set out in the UK GDPR by clarifying the concept of “identifiability.” Under the Bill, an individual is “identifiable” when the controller, the processor or others who obtain the information as a result of the processing (rather than anyone else who might have the data at their disposal) are likely to be able to identify the data subject.
- Processing personal data for research purposes
In order to foster research, the Bill allows organisations to obtain broad consent from data subjects where the processing is for scientific research purposes. At the same time, the Bill makes clear that “scientific research” has a broad meaning, encompassing research funded by private bodies and organisations.
- Recognised legitimate interests
In Schedule 1, the Bill lays down a list of “recognised” legitimate interests for which the balancing test between the rights and interests of the data subjects and the legitimate interests of the business is no longer required. However, this does not discharge organisations from a necessity test: they must still justify that the processing is necessary for one of the recognised legitimate interests. Current examples of recognised legitimate interests are national security, public security, defence and responding to emergencies. In addition, the Bill entitles the Secretary of State to establish new categories.
- Purpose limitation principle
Pursuant to the purpose limitation principle in the UK GDPR, personal data should be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. The Bill makes clear that controllers should assess compatibility against their own organisation’s purpose for obtaining the personal data, not against any purpose for which the data was originally obtained by third parties. Furthermore, Schedule 2 of the Bill gives examples of purposes that satisfy the compatibility test, such as compliance with a legal obligation or safeguarding vulnerable individuals.
- Automated decision-making
Under the UK GDPR, data subjects have a right not to be subject to decisions based solely on automated processing. The Bill removes this general prohibition and instead sets out conditions for decisions involving special category data. The Bill also introduces a number of safeguards that must be in place for automated decision-making, for example enabling the data subject to make representations about the decision, to obtain human intervention and to contest the decision.
- Reform of the accountability framework
The most notable change in terms of accountability is the removal of the obligation for some organisations to appoint a DPO. However, public bodies and organisations carrying out processing activities likely to result in a “high risk” to individuals must designate a “Senior Responsible Individual.” Pursuant to the Bill, this individual must be part of the organisation’s senior management team, rather than merely reporting to senior management as is currently the case for the DPO.
The requirement that the Senior Responsible Individual be part of the senior management team raises questions about whether an external consultant can be designated in that role, and appears at odds with the current UK GDPR requirement to avoid conflicts of interest for the DPO.
If these changes pass, guidance may be needed to help organisations understand what actions are required.
As for the remaining modifications to the accountability framework, the Bill simplifies compliance for organisations not established in the UK by removing the obligation to appoint a UK representative. In terms of record-keeping, although the Bill maintains the obligation for controllers and processors to keep records of their processing activities, the requirements are less prescriptive than at present.
Furthermore, the Bill requires controllers to carry out an assessment of high-risk processing (hereafter “assessment”), replacing the obligation to perform DPIAs. Although the Bill prescribes mandatory content for this assessment, the requirements are still less prescriptive than the current ones. The Bill also removes the UK GDPR requirement for controllers to consult the ICO prior to any processing likely to result in high risks to the rights and freedoms of individuals; consultation therefore becomes optional for organisations.
- Vexatious or excessive access requests
Under the Bill, the “manifestly unfounded or excessive” threshold for refusing data subject access requests (“DSARs”) in the UK GDPR is replaced with a “vexatious or excessive” threshold. To help organisations assess whether a request is “vexatious or excessive,” the Bill introduces criteria to be taken into consideration, including the resources of the controller, whether the request is likely to cause distress, whether it is made in good faith and whether it is an abuse of process.
- International data transfers
Overall, the regime for transferring personal data to third countries and international organisations remains the same as under the UK GDPR. However, the Bill introduces a new “data protection test.” Under this test, an organisation may transfer personal data to a third country or an international organisation provided that the level of data protection in the destination is “not materially lower” than that under the UK GDPR.
- Cookies
The Bill establishes a list of exceptions to the opt-in cookie consent requirement. The exceptions cover the collection of information for statistical purposes, the application of users’ preferences, the installation of software updates for security purposes, and the establishment of location in the context of emergency communications.
- Electronic marketing communications
The Bill extends the opt-out mechanism (that is, the ability of organisations to send electronic marketing communications to individuals without their prior consent) to non-commercial organisations. This applies on condition that the non-commercial organisation obtained the individual’s contact details when the individual expressed interest in it, for example in a political party, or, in the case of a charity, offered support for the charity’s objectives.
The UK Government had previously expressed its intention to reform the UK data protection framework by reducing compliance barriers for businesses, fostering innovation and research, and taking a more risk-based approach to the international data transfers regime. The Bill, to some extent, seems to achieve these goals. For example, the changes to the accountability framework should help organisations, and especially SMEs, to lessen their compliance obligations by implementing compliance tools tailored to their needs. The same can be said of the provisions on broad consent for research and the reforms to automated decision-making.
However, many aspects of the Bill still require further clarity, in particular around international data transfers, where a transfer of personal data to a third country may take place only if the level of data protection there is not “materially lower” than that of the UK. This data protection test is quite ambiguous, and we await the EU’s reaction to its introduction as well as any impact it may have on the UK’s adequacy status.
Lastly, another area that needs further clarification is the removal of the DPO and the appointment of the Senior Responsible Individual. Since the Senior Responsible Individual must be part of senior management, further guidance is required on what actions organisations that have designated external DPO advisors may need to take.
Currently, the Bill is at the second reading stage in the House of Commons, and it is quite possible that there will be a number of amendments before it becomes law. Also, given the prevailing circumstances and the current unsteady political environment, it remains to be seen whether a new Prime Minister will take a different approach or proceed with the passage of the Bill.
Trilateral’s Data Governance and Cyber Risk Team consists of specialists with extensive expertise and experience in the data protection regime. Trilateral Research will keep an eye on developments and provide further updates. Please feel free to contact our advisors, who would be happy to speak with you about your compliance needs.