The UK Government has published its long-awaited ‘Data Protection and Digital Information Bill’. The Bill will reform areas of UK data protection and electronic privacy law, and will also introduce new regulatory frameworks, most notably in the field of digital identity verification. By amending the UK GDPR, the Data Protection Act 2018 (“DPA 2018”) and the Privacy and Electronic Communications Regulations 2003 (“PECR”), the Bill realises the Government’s ambition to recalibrate its approach to data protection and privacy following the UK’s withdrawal from the EU.
In this post, we provide a high-level overview of key areas of reform. In subsequent posts, we will do a deeper dive on specific areas as the Bill makes its way through the legislative process. At this stage, it is important to note that the Bill is receiving its first reading in the House of Commons, and the text will change – to a greater or lesser extent – before the Bill passes into law.
The Bill expands upon certain key definitions. These expanded definitions draw on a combination of existing GDPR recitals (‘promoting’ these into the operative provisions of the legislation) and established ICO guidance / case law. The overall aim appears to be to provide additional clarity, on the face of the law, about how important certain terms should be interpreted. For example:
- Section 1 expands on and qualifies the definition of ‘personal data’ depending on whether additional information is or is not used to identify an individual. This provision looks to reflect ICO guidance around the standard for anonymisation and reflects a ‘subjective’ approach to the question of identifiability.
- Section 2 creates a statutory definition of scientific research and statistical purposes, by drawing on the existing recitals.
Legal Basis and Principles
More novel is the creation of a new concept of ‘recognised legitimate interests’ – i.e. processing activities that are deemed to automatically satisfy the legitimate interests balancing test, providing greater certainty to controllers looking to rely on this legal basis (s. 5; Schedule 1).
A number of these mirror the exemptions set out in Schedule 2 of the Data Protection Act 2018, e.g. ‘the detection, investigation and prevention of crime’. As Schedule 2 DPA 2018 currently exempts controllers from most of the principles other than lawfulness / lawful basis, this can be seen in part as a logical extension of existing data protection exemptions for activities seen as being squarely in the public interest.
Similarly, the Bill creates specified new exemptions from the ‘purpose limitation’ principle, including for example, the disclosure of personal data to a public authority that is relying on the ‘public task’ legal basis (s. 6; Schedule 2).
Obligations of Controllers / Processors
The role of the Data Protection Officer is to be replaced by a new role, with the title ‘Senior Responsible Individual’ (s. 14).
The threshold for appointment of a Senior Responsible Individual is slightly different to the existing threshold for appointment of a DPO with the new requirement applying to public bodies and organisations undertaking high risk processing. The designated individual must be a senior member of management, rather than simply reporting to senior management. However, the day-to-day tasks of the SRI look to be largely similar to those of the DPO, such as monitoring compliance of the organisation, advising the organisation on data protection issues, taking steps to ensure compliance and acting as contact point for the Commissioner.
Under the proposed new regime, the requirement to carry out Data Protection Impact Assessments is replaced by a requirement to undertake ‘Assessments of High Risk Processing’ (s. 17). It is worth noting that the general criteria for triggering a requirement to carry out a DPIA that are currently set out in Article 35(3) of the UK GDPR are to be removed. In their absence, we expect the ICO’s specific list of criteria (created under Article 35(5) UK GDPR) to be the relevant reference point.
Despite the name change, the substantive nature of what should be considered as part of these assessments looks largely the same as under current law.
It is also worthy of note that there is a proposed removal of the current obligation under Article 27 for organisations which operate outside of the UK but are caught by the UK GDPR’s extra-territoriality provisions to appoint a representative.
Data Subject Rights
Key changes in this area include the following:
- Controllers will be able to refuse data subject access requests that are ‘vexatious or excessive’ (s. 7). In this context, ‘vexatious’ is to be understood as requests which are ‘intended to cause distress, ‘not made in good faith’ or amount to ‘an abuse of process’.
- When collecting information directly from a data subject, a controller is excused from the requirement to provide fair processing information under Article 13 UK GDPR where data is collected for “scientific research or statistical processing”. Where data is collected indirectly (Article 14 UK GDPR), we now have criteria on the face of the law to help determine when the ‘disproportionate effort’ exemption applies, and the implication that this should be limited primarily to scientific research is, for Article 14 purposes, removed (s. 9).
The Information Commissioner
Reform to the ICO (which will henceforth be an Information Commission, rather than a Commissioner) is relatively wide ranging, and covers a number of themes. For example, there are changes which look to bring the work of the ICO under a higher degree of Government supervision:
- the Commission is to be subject to express duties to have regard to promoting innovation and competition, and safeguarding public and national security (s. 27);
- the Secretary of State can set ‘strategic priorities’ for the Commission (s. 28);
- the Commission must assess its own performance on an annual basis using KPIs (s. 33).
However, at the same time, the Commission is granted several new powers designed to support its investigatory and enforcement activities, including powers to:
- require controllers or processors to arrange for the preparation of a report at the controller or processor’s expense (s. 35);
- require persons to attend at a place and answer questions (referred to as an ‘interview notice’) (s. 36).
The Bill will introduce amendments in relation to both international transfers and the UK’s approach to adequacy assessments (Schedule 5).
First, Article 44 of UK GDPR is set to be removed. This is the over-arching requirement that “All provisions in this Chapter [V] shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”. Removing this should, in theory, make data transfers less onerous and give greater flexibility to UK exporters of personal data.
The previous adequacy assessment criteria are to be replaced by a new ‘data protection test’ for which the required standard is now “not materially lower than”, which looks to be a step away from the EU doctrine of ‘essential equivalence’.
The requirement to carry out transfer impact assessments remains but the exporter must now consider whether “acting reasonably and proportionately […] the data protection test is met in relation to the transfer or that type of transfer”.
The Bill seeks to relax cookie consent requirements in tightly defined circumstances and add clarity as to what comes within the “strictly necessary” exemption (s. 79):
- Statistics and preference cookies are to move from a consent / ‘opt-in’ requirement to an ‘opt-out’ standard, subject to strict criteria.
- The amended law will set out certain activities considered to fall within the “strictly necessary” exemption, including for example, to ensure the security of the user’s device is not adversely affected by the service, to prevent or detect fraud, and to authenticate a user.
PECR Enforcement Regime
The Bill also brings the PECR enforcement regime into line with that of the UK GDPR and the DPA, the most notable change here being the increase of potential fines to UK GDPR levels.
Whilst many parts of the Bill look to reflect the Government’s stated ambition to encourage innovation and responsibly ease the burden of compliance for businesses, it should be noted that the Bill does balance a softening of the rules in certain areas with enhanced regulation in others – the new investigatory and enforcement powers for the ICO and the increase in PECR fines being the obvious examples. There are also many examples of changes which are subtle – some of these are simply about reflecting established principles or guidance on the face of the law, others are about tweaking around the edges of existing governance requirements without overhauling them completely.
The Bill runs to 192 pages, and so necessarily this article provides a snapshot the changes introduced by the Bill which are likely to be of most interest to our readers. Additional parts of the Bill address areas including Digital Verification Services, Customer Data and Business Data, and we will look at these in subsequent posts.