Data Protection and Digital Information Bill – evolution or revolution?
On 8 March 2023, the UK government re-introduced the Data Protection and Digital Information (No.2) Bill (the “Bill”).
It’s good news for most organisations – it does not mean a complete rebuild of your organisation’s existing data protection programme. There will be changes, however, and the sooner you assess your current processes and understand where gaps are likely to appear under the new legislative regime, the sooner you will benefit from reduced administrative burden and operational costs.
The Bill aims to simplify the current data protection regime, promote research and innovation and reform the Information Commissioner’s Office (ICO). It represents a small step away from the EU GDPR rather than a giant leap, which is not surprising given that a key priority for the UK government was to ensure compatibility with the EU to avoid jeopardising the EU’s adequacy decision. That decision enables the free flow of personal data between the EU and the UK and is scheduled for review in 2024.
“No-regret” actions that your organisation should take now:
While there is no immediate action for UK businesses to take, you can begin to assess some of your current processes and start to understand where gaps are likely to appear under the new legislative regime. Some key areas to consider include:
- Data Protection Impact Assessments – in order to understand whether future record keeping requirements will be necessary;
- Data mapping – in order to assess compliance and ensure areas such as data transfer safeguards and valid consent are tracking to the new Bill;
- Consent and preference management – in order to understand where consent is needed and how it can be collected under any new rules.
Initial key takeaways from the Bill are:
Reduced record keeping
- Records of processing will only be required for organisations that carry out processing activities likely to result in “high risk to the rights and freedoms of data subjects”.
New rules for consent
- There will be new conditions for when organisations can process personal data without needing consent. There will be a reduction in the number of consent pop-ups online and a list of activities which could be considered a legitimate interest of a controller has been introduced and includes direct marketing, intra-group transmission of personal data and ensuring the security of network and information systems.
Clarity on safeguards for automated decision-making
- New rules for implementing the appropriate safeguards for individuals about whom solely automated decisions are made. Organisations will be required to make data subjects aware when such decisions are made, give them the opportunity to challenge the decision, and allow them to seek human review.
Continued international transfers
- The Bill has been developed to ensure that the free flow of personal data from the UK remains in place. Organisations will be able to rely upon their existing international data transfer mechanisms, such as Standard Contractual Clauses (SCCs) and adequacy decisions, to export personal data so long as the mechanisms are already compliant with current UK data laws.
Broader research exemption
- The Bill includes a revised definition of “scientific research” that would allow commercial organisations to benefit from the same exemptions as academic researchers when carrying out innovative scientific research, encouraging such research to take place in the commercial sector.
Increased fines
- Increased fines for nuisance calls and texts will be introduced, ranging up to 4% of global turnover or £17.5 million, whichever is greater.
For more detailed information on the legislative changes, please read “The devil is in the detail” section below.
The Bill is now awaiting a second reading, which is expected to happen shortly. Until then, nothing is set in stone and further amendments to the Bill are still possible. Lobbying is likely to ramp up now that the UK government appears to have settled on its approach, and much remains to be determined in the next few months. The main question remains whether the divergence from EU law will have an impact on the UK’s adequacy status – only time will tell!
How can we help you?
We will continue to monitor the Bill as it progresses through parliament; however, if you would like to discuss the impact of the changes on your organisation, please do get in touch: email@example.com
The devil is in the detail.
The Bill proposes wholesale changes to the UK’s privacy framework, including to some of its definitions. The main changes are set out below.
Definition of “personal data”
An amended definition limits the process for determining whether information relates to an “identifiable” individual in two ways. Firstly, identification is limited to identification by the controller, processor or any third party who is likely to receive the information, rather than by the world at large. Secondly, identification need only be by “reasonable means”.
Data Protection Officers (DPO)
There is no longer a need to appoint a DPO, but if you carry out high risk processing you must designate a “senior responsible individual”, who must be part of the business’s senior management and who will be accountable for data protection compliance.
Records of processing
Under the Bill, any controller or processor would be exempt from the duty to keep records of processing unless it is carrying out high risk processing activities, regardless of the size of the organisation.
Data Protection Impact Assessments (DPIAs)
There is no longer a need to conduct DPIAs, but you will need to implement an “assessment of high risk processing”.
UK representative
Data controllers that are not established in the UK no longer need to appoint a data protection representative within the UK.
Data Subject Access Requests (DSARs)
The “manifestly unfounded and excessive” test would be replaced by a “vexatious and excessive” test, which will allow greater autonomy in refusing requests when the system is clearly being abused.
Legitimate interests
In its operative provisions, the Bill includes examples of the types of processing that may be considered necessary for the purposes of a legitimate interest. These include:
- direct marketing;
- intra-group transmission of personal data for internal administration purposes; and
- ensuring the security of network and information systems.
However, these are only examples and, unlike the new concept of “recognised legitimate interests” (below), a controller will still be required to ensure its interests are not outweighed by the data subject’s rights and interests.
The Bill introduces a limited number of “recognised legitimate interests”. This means that, provided a business can demonstrate that processing is “necessary” for one of the recognised legitimate interests, that business will no longer be required to balance its legitimate interest against the data subject’s interests, rights and freedoms.
Currently, the list of recognised legitimate interests is limited to areas including processing necessary in the public interest; national security, public security and defence; emergencies; safeguarding vulnerable individuals; and democratic engagement.
Changes to international transfers
The Bill introduces a new approach to the test for adequacy and to carrying out a transfer impact assessment. The threshold for this new “data protection test” is whether a jurisdiction offers protection that is “materially lower” than under the UK GDPR.
A risk-based approach to the international transfer of personal data is introduced, meaning that organisations would be able to assess the data protection risks involved in using mechanisms such as the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum for those transfers, and then decide on appropriate mitigation measures.
Automated decision-making
The Bill reframes the provisions on automated decision-making as a requirement for safeguards to be in place, rather than a prohibition with exceptions. The Bill states that profiling will be a relevant factor in the assessment of whether there has been meaningful human involvement in a decision. It is unclear whether the intention is that the presence of profiling could indicate that there has been minimal (as opposed to meaningful) human involvement. Alternatively, this provision may be intended to clarify when profiling should itself be considered an automated decision that is subject to the Article 22 restrictions.
Scientific research
The exceptions which apply to processing for the purposes of “scientific research” go one step further and have been amended to make clear that they cover “any research that can reasonably be described as scientific, whether publicly or privately funded, and whether carried out as a commercial or non-commercial activity”.
ICO restructure and new identity
The ICO’s name will change to the Information Commission. The Information Commission will act as an independent body corporate, with new reporting obligations to the government. The Secretary of State will have greater oversight of the Information Commission, which means the government has the potential to influence guidance and codes of conduct.
Changes to The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
Non-commercial organisations will be able to rely on the soft opt-in for direct marketing purposes if they have obtained contact details from an individual who has expressed interest.
The Bill introduces new obligations on providers of electronic communications networks. Specifically, these providers would be required to notify the ICO of “any reasonable grounds” they have for suspecting that a person is contravening or has contravened the direct marketing rules. Any failure to do so could result in penalties for non-compliance.
The Bill increases the maximum amount of fines under PECR to bring them in line with the UK GDPR and the Data Protection Act 2018.