On 18 July 2022 the Data Protection and Digital Information Bill (the Bill) was introduced into Parliament, in one of the UK's first drives towards data protection reform after Brexit.
The Bill introduces a number of the proposals put forward by the Department for Digital, Culture, Media and Sport in June earlier this year, in response to its Data Reform consultation.
The Bill covers a number of data protection issues, ranging from the definition of personal data, to international data transfers, data subject access requests, cookies and legitimate interest assessments. Further, the Bill seeks to reform the current UK regulator, the Information Commissioner's Office (ICO), in favour of a new Information Commission, as well as removing certain accountability requirements for organisations, such as the requirement for a Data Protection Officer, a UK representative and Data Protection Impact Assessments.
Certain of these changes will be more controversial than others. However, the wide range of reforms may raise eyebrows in Europe, as the UK data protection regime currently mirrors that of the European Union.
The essential equivalence between the UK and the EU regimes has been critical to business continuity following Brexit. In particular, the European Union's finding of 'adequacy' in favour of the United Kingdom in June 2021 allowed for the lawful transfer of personal data from Europe to the United Kingdom with minimal business disruption. This could change if the European Union were to decide to revoke the UK's adequacy decision in light of the changes proposed by the Bill. By the UK government's estimate, the loss of the European Union's adequacy finding would have an estimated business value of between £190 million and £460 million in one-off costs and an annual cost of between £210 million and £410 million in lost export revenue.
The question for the time being is whether by taking several small steps away from the EU data protection regime, the UK is taking one giant leap away from EU adequacy.
Despite the broad range of proposals in the Bill, these changes seek to amend rather than replace the UK GDPR and the Data Protection Act 2018. Businesses should welcome a number of these proposals, which move the needle of the current data protection regime towards a more business-friendly and pragmatic approach.
The Bill is still in its early stages, and much of its future will depend on the priorities of the next UK Prime Minister. However, businesses should prepare for a reformed regulatory landscape, as the United Kingdom makes its first move to take back control of its post-Brexit data protection regime.
Read on for our analysis of the key changes.
The current definition of 'personal data' under UK data protection law is aligned with the EU GDPR and applies to any information relating to an identified or identifiable natural person.
The Bill seeks to amend this definition, introducing a subjective element from the perspective of the controller, processor or recipient(s) as to whether information is personal data or anonymous. Personal data would be limited to information which:
Whilst this definition increases certainty for controllers and processors as to whether information is personal data, it could reduce the circumstances in which information is protected as personal data if the Bill is passed.
For example, the current definition arguably covers personal data if it is identifiable by a single person, and may include personal data which becomes identifiable later down the line once processing has taken place—this information would not be within the definition of personal data as set out in the Bill.
International Data Transfers
The Bill encourages a risk-based assessment of the impact of international data transfers, which would see organisations assess the data protection risks involved in those transfers and take decisions regarding appropriate mitigation measures. This is arguably at odds with the decisions of certain EU regulators, such as the Austrian DSB, which have opposed a risk-based approach.
Further, the Bill proposes that the UK's future adequacy decisions (allowing transfers of UK personal data to third countries determined by the United Kingdom to be 'adequate') may be made under a different test than the EU GDPR. The Bill would implement a new 'data protection test' for the Secretary of State to consider, requiring a 'not materially lower' standard of protection in the recipient country, in place of the EU GDPR requirement for an adequate level of protection (interpreted as essential parity).
The United Kingdom would likely seek to grant adequacy status to the United States under such a test, a move which will prove controversial when it comes to the UK's own adequacy status with the European Union. Onward transfers of European personal data from the United Kingdom to the United States were hinted at as a major roadblock to the EU's initial finding of adequacy for the United Kingdom, and any change to UK-U.S. data transfers would be likely to call the UK's European adequacy into question once more.
Data Subject Access Requests
One of the more wide-reaching changes for controllers and consumers comes in the Bill's bid to overhaul the Data Subject Access Request (DSAR) regime. The current regime, based on the EU GDPR, requires that controllers respond to DSARs in all cases except where the requests are "manifestly unfounded". The Bill seeks to allow organisations to refuse to respond to DSARs which are "vexatious or excessive," or to charge a fee for doing so.
Controllers will welcome this change, which means that they would no longer have to respond to DSARs that are intended to cause distress, made in bad faith, or an "abuse of process", all of which the Bill treats as "vexatious."
The Bill also proposes to extend the types of cookies which can be placed on users' devices without consent. The current regime only allows this for 'strictly necessary' cookies relating to the functioning of a website. However, the Bill seeks to allow organisations to place cookies on users' devices in order to gather statistical information and improve their services, without the users' consent.
Further, organisations will potentially face higher fines for breaches of the Privacy and Electronic Communications Regulations, as the Bill proposes maximum penalties for infringements in line with the UK GDPR, rather than the current maximum fine of £500,000.
The Bill seeks to do away with the legitimate interest balancing assessment required where controllers rely on legitimate interests as a lawful basis for processing personal data. Instead, the UK government intends to 'whitelist' certain legitimate interests, such as processing necessary in the public interest, national security, public security and defence, emergencies, safeguarding vulnerable individuals and democratic engagement.
To understand the full impact on data controllers, it will be necessary to wait until the full list is published: it remains to be seen whether the balancing test will continue to be required for most commercial processing activities.
The Bill moves away from the UK GDPR requirement for mandatory Data Protection Officers (DPOs), in favour of a 'senior responsible individual' who will either be responsible for data protection risks or delegate that task to suitably skilled individuals.
Further, the requirement for a UK representative where companies operate outside of the United Kingdom but are still subject to the UK GDPR's extraterritorial provisions is to be removed.
In another bid to reduce the burden on businesses, the Bill also removes the requirement for Data Protection Impact Assessments, replacing this with the requirement for an assessment of high-risk processing, to reflect a more flexible, risk-based approach.
The Bill seeks to reform the ICO, recreating the regulator as a body corporate with the new title of the 'Information Commission.'
The Information Commission will have new duties, including to promote innovation and competition and to have regard to the need to safeguard public and national security. The Information Commission will also be subject to new reporting requirements.
Research Data and Data Reuse
The Bill also looks to clarify language in the UK GDPR in order to help researchers use personal data, allowing for the reuse of personal data for the purpose of longer-term research studies.
The Bill proposes new definitions for "scientific research," "historical research" and "statistical purposes" in addition to allowing consent to be given to an area of scientific research where it is not possible to identify fully the purposes for which the personal data is to be processed.
Business Data and Open Data
In addition to reforming the UK data protection regime, the Bill also seeks to encourage data sharing amongst businesses and to introduce powers to enable "smart data schemes" in UK markets, intended to facilitate the secure sharing of data with authorised third parties at the request of the consumer.