The Government has tabled The Data Protection and Digital Information (No.2) Bill with a view to amending the UK’s existing data protection regime. If passed, the bill would make changes to UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations.
The bill was introduced in March and is a follow-up to a similar Data Bill announced last summer, which never progressed to a second reading – its progress was halted due to the need to consult further with business and data experts, according to the government. A summary of the key changes proposed by that 2022 Data Bill can be found here.
The Government has said the proposed amendments in the 2023 Data Bill are “common-sense-led” and will simplify and ease data obligations on organisations and could free up £4.7bn for British businesses over the next 10 years.
Although the 2023 Data Bill proposes some new changes – most of which appear to be aimed at reducing data protection requirements – on the whole it is broadly similar to the previous 2022 Data Bill. The main salient changes for businesses to be aware of that stem from the 2023 Data Bill are:
- Legitimate interest
Under the current rules, organisations do not need consent for data processing if they can satisfy a three-stage “legitimate interest” balancing test. The 2022 Data Bill proposed that this test be automatically satisfied in certain cases – emergencies, criminal investigations etc. The 2023 Data Bill seems to broaden the scope of when legitimate interest could be relied on. It cites direct-marketing, internal administrative purposes, and maintaining the security of network systems as examples. However, as these are not classed as “recognised” legitimate interests, it seems likely that the “balancing” test will still have to be applied by businesses.
- Records of processing
Currently, record-keeping of data processing is required for all organisations with more than 250 employees. The bill proposes eliminating the need for record keeping altogether except where the data processing could constitute a “high risk” to individuals’ rights and freedoms. When assessing “risk”, organisations should take into account nature, scope, purpose and context of the processing in question.
- Scientific research exemptions
The definition of scientific research has been clarified so that research for commercial purposes can now be included provided it can “reasonably be described” as scientific in nature. As various data subject rights do not apply to processing for these purposes, this is intended to make it easier to use data for research purposes.
- Automated decision making
The 2022 Data Bill proposed the removal of the main restriction on this in UK GDPR, whilst providing extra rights to individuals such as to contest automated decisions. The 2023 Data Bill addresses the use of profiling technology, so that the use of this in a decision process is expressly treated as relevant in assessing whether an automated decision has been made, and therefore whether an individual can challenge it.
- Marketing
Finally, the bill proposes new fines for nuisance calls and texts. Fines would be increased up to 4% of turnover or £17.5m (whichever is greater) compared to the current limit of £500,000.
Beverley Whittaker