A New Direction for UK Data Protection Law: the Data Protection and Digital Information Bill
The Bill's aims are to reduce burdens on businesses, encourage innovation and empower individuals. The Bill amends the GDPR as it forms part of UK domestic laws post-Brexit (the "UK GDPR"). It also makes amendments to the UK Data Protection Act 2018 and the UK Privacy and Electronic Communications Regulations ("PECR").
While the Bill contains certain eye-catching changes to data protection law, overall it takes a relatively measured approach. Its clarifications of key GDPR concepts may be of broader interest, even to those not caught by UK data protection law.
ICO reforms. Some of the changes in the Bill with the greatest potential impact relate to reforms to the Information Commissioner’s Office ("ICO"). A new "Information Commission" would replace the ICO, with a chief executive and other board members replacing the Information Commissioner. The Secretary of State will also be granted powers to approve the Commission’s codes of practice and to make further amendments to UK GDPR without Parliamentary scrutiny. These changes may carry risks for the UK’s own adequacy decisions from the EU, particularly if they compromise the independence of the supervisory authority. On the other hand, the ICO is granted new investigative powers, such as to require documents, which may strengthen its ability to enforce effectively.
Accountability. The Bill would abolish the requirement to appoint a UK representative. Instead of a Data Protection Officer, public bodies or organisations that carry out high risk processing should instead appoint a "senior responsible individual" who is part of the senior management team. The requirements to carry out and keep data protection impact assessments and records of processing activities would also be removed; organisations would be allowed to manage risks and keep records with fewer prescriptive requirements.
Rights. The Bill would allow a data subject access request to be refused if it is "vexatious or excessive". Instead of a right not to be subject to solely automated decisions, such decisions may generally be permissible with safeguards (including measures for human oversight and to contest the decision). The Bill also requires controllers to acknowledge receipt of data subject complaints within 30 days and provide an outcome to complaints. It permits the Information Commission to refuse to deal with a complaint until the controller has dealt with it.
Identifiability, grounds, and compatibility. The Bill clarifies certain fundamental data protection principles. A data subject is only to be considered "identifiable" if they are reasonably likely to be identified by a limited group: namely the controller or processor themselves, plus only those other persons who are likely to obtain the data through the processing. This will affect what data is considered "personal data". The Bill also clarifies that controllers only need to judge compatibility of purpose against their purpose for obtaining the data, not against any purpose for which the data was originally obtained. It also introduces a new ground for processing, namely that it is necessary for a "recognised legitimate interest". These are listed in an Annex and are public interest-based (such as preventing crime). In contrast to Article 6(1)(f) legitimate interests, they do not require a balancing test.
Research. The Bill facilitates broad consents to processing for scientific research purposes and creates carve outs from transparency requirements for research, archiving or statistics processing. It clarifies "scientific research" has a broad meaning that includes privately funded research.
Cookies and Direct Marketing. The Bill's proposed changes to PECR include allowing businesses to use certain cookies without consent for limited analytics purposes, to enhance functionality or software updates or to facilitate emergency assistance. It would also allow non-commercial organisations to rely on the "soft opt-in" to send direct marketing. Fines for breaches of PECR would be on the same scale as UK GDPR: up to the higher of £17.5m or 4% of global annual turnover, a significant increase on the current maximum of £500,000.
International transfers. The Bill introduces a "data protection test", to be applied by the Secretary of State in making UK adequacy regulations and by those carrying out transfer impact assessments when exporting personal data under the UK GDPR. This outcomes-based test is that the standard of protection in the recipient jurisdiction should not be "materially lower" than the standard in the UK.
Potential impact. There is a risk the Bill may impact the UK's own EU adequacy decisions, although the government and the Information Commissioner have stated that it should not materially impact the UK's standards of protection for personal data. It is likely that businesses subject to both EU and UK GDPR will in any event largely keep their EU GDPR compliance arrangements in place, even for UK GDPR purposes.
What next? The current Prime Minister is due to be replaced by early September, when Parliament comes back from its Summer Recess. It is uncertain whether the Bill will continue in its current form under a new Prime Minister. Key government figures have also stated they plan to review the UK's adherence to the European Convention on Human Rights, which was a key factor in the Commission adequacy decisions in respect of the UK. This means that significant new developments are likely come Autumn.
Article provided by INPLP member: Katie Hewson (Stephenson Harwood LLP, United Kingdom)
Dr. Tobias Höllwarth (Managing Director INPLP)