The UK’s new Data Protection and Digital Information Bill
Will the Data Protection and Digital Information Bill achieve its stated aim of encouraging innovation and easing the burden of compliance for businesses, while upholding high data protection standards?
The key takeaway
The UK Government’s first major shakeup to the UK’s data protection regime since Brexit is now making its way through Parliament. Its aim? To amend the existing UK GDPR and Data Protection Act 2018 to create a more business-friendly framework.
The Data Protection and Digital Information Bill (Bill 143 2022-23) (DPDIB) was introduced to Parliament on 18 July 2022, following the Department for Digital, Culture, Media and Sport’s (DCMS) response to its consultation on reforming the UK GDPR framework.
The DPDIB aims to reduce the regulatory burden on data controllers by introducing the following changes:
- Overhaul of Data Subject Access Requests (DSARs) – allowing organisations to refuse “vexatious or excessive” DSARs, or to charge a reasonable fee for responding to them. This departs from the current EU GDPR-based requirement to respond to all requests free of charge (with the exception of those that are “manifestly unfounded or excessive”).
- A new accountability regime – replacing the role of the Data Protection Officer with a Senior Responsible Individual (SRI), who must be a member of the organisation’s senior management. The requirement to carry out Data Protection Impact Assessments is replaced with a lighter-touch “assessment of high risk processing”, allowing for a privacy management programme tailored to the organisation’s processing activities and the nature of the data handled. Furthermore, overseas organisations subject to the UK GDPR’s extraterritorial provisions will no longer be required to appoint a representative in the UK.
- Cookie consent exemptions – relaxing the requirement to obtain consent for cookies (and similar technologies) in defined circumstances, such as analytics cookies used solely to improve a service. The Secretary of State will also have the power to introduce browser-level consent, so that a user’s preferences set once in the browser apply across all websites they visit.
- “Personal data”: A key proposal of the Bill is to introduce a relative element to the definition of “personal data” under UK data protection law, which is currently aligned with the EU GDPR. The DPDIB seeks to restrict the assessment of identifiability to the controller or processor and to third parties who are likely to receive the information, rather than to anyone in the world. This new definition provides greater certainty for organisations and could reduce the scope of information that qualifies as personal data. In essence, the DPDIB limits personal data to information that is identifiable to a living individual: (a) by the controller or processor, by reasonable means at the time of the processing; or (b) by another person who the controller or processor knows, or ought reasonably to know, is likely to obtain the information as a result of the processing, again by reasonable means at the time of the processing.
- International transfers: The DPDIB also seeks to create a more flexible, risk-based approach to international data transfers by introducing a new “data protection test”, which departs from the current “adequacy” test under the EU GDPR. Under the new test, the Secretary of State (when making adequacy regulations) and organisations (when relying on transfer mechanisms such as standard contractual clauses) must consider whether the standard of data protection in the third country is “not materially lower” than that under the UK GDPR. A particular concern is that this lower bar could allow EU personal data, once in the UK, to be transferred onward to countries such as the US without the safeguards the EU would require.
- Legitimate interests: Additionally, to provide further clarity for organisations and reduce barriers for “responsible innovation”, in addition to the existing balancing test for legitimate interests for processing personal data, the DPDIB includes a (currently) narrow list of recognised legitimate interests for which the balancing test need not be performed. It remains to be seen if other recognised legitimate interests will be added in due course as general commercial purposes are not included in the list.
Why is this important?
The Bill’s speedy introduction to Parliament confirms its high political importance. Through the DPDIB, the Government is recalibrating its approach to data protection, with significant impact on all organisations dealing with personal data. While many of the changes are welcomed, as they simplify certain processes involving data, reducing the unnecessary burden on organisations, the DPDIB also raises several major concerns. Namely, that a risk-based assessment for international data transfers, as proposed by the Bill, will pose a threat to the UK’s “adequacy” status, as it seems to conflict with the approach taken by EU regulators. It is essential that the benefits of the proposed autonomous framework for international data transfers, aimed at simplifying the process of data transfers and allowing for flexibility, are carefully balanced with this “adequacy” risk.
Although the government’s impact assessment reiterates that “the government’s view is that reform of UK legislation on personal data is compatible with the EU maintaining free flow of personal data from Europe”, it remains to be seen whether the proposed amendments diverge too far from the standards required under the EU GDPR.
Any practical tips?
Although the Bill is at an early stage (with the second reading scheduled for 5 September 2022), organisations should follow its passage through Parliament, including any amendments made following debate. The timing of implementation will also be important in preparing for a reformed regulatory landscape under the UK’s new Prime Minister.