The Data Protection and Digital Information Bill (the bill) contains proposed changes to UK data protection law and is currently in the parliamentary process. Broadly, the proposals aim to liberalise existing UK data protection law by removing unnecessary “red tape”. It will change the position under the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK GDPR (retained EU law). The government’s aim is to make the UK a more appealing location for business.
As many businesses also use and transfer data that is subject to existing EU rules, they will have to comply with both the UK and EU regimes. It remains to be seen whether the reforms in their current form will achieve the liberalisation envisaged.
One area to watch is the proposed change to international transfers. The bill introduces a new “risk-based” approach to deciding whether a country has adequate data protection in place, and the EU may view that approach as setting a significantly lower standard than its own. There is therefore a risk that, by adopting this more liberal approach, the UK could lose its adequacy status with the EU.
The bill is detailed and wide ranging. We have set out several of the expected key changes below.
Expected key changes
- Narrowing what counts as personal data:
- Personal data: The definition of an identifiable living individual will be narrowed, broadly by limiting it to individuals who are identifiable by the relevant controller or processor, or by others who are likely to receive the information.
- Simplifying accountability requirements:
- Data protection officers: Removing the requirement to appoint a Data Protection Officer (DPO). In its place, a less stringent data protection lead for governance purposes, the “Senior Responsible Individual” (SRI), must be part of the organisation’s senior management. The threshold for needing an SRI also differs from the current threshold for a DPO: organisations will only need an SRI if they are a public body or are carrying out processing likely to result in “high risk” to individuals.
- DPIAs: Removing the requirement to carry out Data Protection Impact Assessments (DPIAs). Instead, the SRI described above will be responsible for compliance.
- Representatives: Removing the requirement for organisations established outside the UK to appoint a UK representative.
- Record of processing: Replacing the current requirement to keep a record of processing activities with a more flexible record-keeping requirement.
- Expanding organisations’ processing rights:
- Cookies: Expanding the categories of cookies that may be used without the data subject’s consent.
- Decision-making: Removing certain restrictions on the use of automated decision-making.
- Information requests: Lowering the threshold for refusing a subject access request, making it easier for controllers to refuse requests that are “vexatious or excessive”.
- International transfers:
- Adequacy: A new, risk-based test for UK adequacy decisions, which will give the UK more flexibility when designating countries as “adequate”.
- Compared to the EU test: The test will be met if the standard of data protection in the third country is “not materially lower” than that provided under UK law. This may prove to be a lower bar than the essential equivalence of protection that the EU requires.
- Processing for research:
- Clarifying requirements: Facilitating researchers’ access to data by clarifying how data may be processed for research purposes.
- Scientific research definition: Broadening the definition of processing for the purposes of “scientific research”.
- Exemptions for research: A new exemption from the requirement to provide fair processing information (privacy notice information) where the processing is for research purposes that are in the public interest.
- Direct marketing:
- Opt-in: A new soft opt-in for non-commercial organisations.
- Consent: This could allow some organisations (such as charities and political parties) to send marketing to individuals without consent where they have an existing supporter relationship with them.
- Reform of the ICO:
- Complaints: A general refocusing of the ICO on higher-level complaints.
- Complaints: Before lodging a complaint with the ICO, data subjects must first have attempted to resolve the matter with the data controller.
- New goals: A new framework will set out the ICO’s objectives and duties, with a focus on “economic growth and innovation” and “competition issues”.
- Fines: Increasing the maximum fine for infringing PECR (for example, sending unsolicited marketing or breaching the cookie rules) from the current £500,000 to 4% of global annual turnover, in line with UK GDPR levels.
- Legitimate interest test:
- Current rules: Under the current rules, an organisation seeking to rely on legitimate interests as its lawful basis must apply, and record the outcome of, a three-stage test: identifying a legitimate interest, showing that the processing is necessary to achieve it, and balancing that interest against the rights of the individuals concerned.
- New rules: Under the bill, the government intends that this test will be treated as automatically satisfied for certain activities, known as “recognised legitimate interests”. The proposed list is set out below and could be expanded in due course:
- National security, public security, and defence
- Crime (detecting, investigating, or preventing crime)
- Safeguarding vulnerable individuals
- Democratic engagement
- Ministerial powers: The bill would also give the Secretary of State for Digital, Culture, Media & Sport the power to amend and extend this list.
It remains to be seen whether the bill will make its way through the parliamentary process in its current form and become law.