On 8 March 2023, the UK Government published its Data Protection and Digital Information (No.2) Bill. This is the second version of the Bill published by the UK Government; the first was published in July 2022 and put on hold last September by the then prime minister, Liz Truss. The new draft Bill aims to reform the UK’s current data protection framework and is part of a wider package of legislative change designed to maximise the benefits of Brexit, with the freedom for the UK Parliament to deviate from areas of law previously regulated by the EU.
The original draft Bill introduced amendments to the UK GDPR, the Data Protection Act 2018 (“DPA 2018”) and the Privacy and Electronic Communications Regulations 2003 (“PECR”) with the aim of realising the Government’s stated ambition to encourage innovation and responsibly ease the burden of compliance for businesses, while seeking to retain the UK’s adequacy status under the EU’s General Data Protection Regulation. The original Bill introduced amendments to a number of requirements, including in relation to lawful basis; data subject access requests; accountability obligations; international data transfers; and cookies. Although some key changes were introduced, the majority of the amendments were subtle – simply reflecting established principles or guidance and introducing minor changes around the edges of existing governance requirements, without overhauling them completely (see our previous blog post for an analysis of the original draft Bill). Although the government has introduced a ‘new’ draft Bill to Parliament, the majority of the new Bill remains the same as the previous version, with limited material changes.
We have set out the key changes in the new draft Bill below:
- Scientific Research Definition: The original draft Bill proposed a statutory definition of scientific research and statistical purposes, drawing on the existing recitals under the GDPR. Under the new Bill, the proposed definition is maintained but a further clarification has been added: the new definition applies whether the scientific research is “carried out for commercial or non-commercial activity”.
- Recognised legitimate interests: The original draft Bill created a new concept of ‘recognised legitimate interests’, i.e. processing activities that are deemed automatically to satisfy the legitimate interests balancing test, providing greater certainty to controllers looking to rely on this legal basis. The new draft Bill maintains these recognised legitimate interests and also includes examples of types of processing that “may be processing that is necessary for the purposes of a legitimate interest”. This list is non-exhaustive and includes:
  - processing that is necessary for the purposes of direct marketing;
  - intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes; and
  - processing that is necessary for the purposes of ensuring the security of network and information systems.
  The Explanatory Notes of the new Bill also confirm that any legitimate commercial activity can be a legitimate interest, provided the processing is necessary and the balancing test is carried out.
- Records of processing: The original draft Bill required organisations to maintain “adequate” records of the processing of personal data and simplified the information that must be recorded. It also included an exception to the record of processing requirement for controllers or processors with fewer than 250 employees. Under the new draft Bill, this exception has been removed and further amendments have been introduced to narrow the requirement: records of processing are now only required for organisations that, taking into account the nature, scope, context and purposes of the processing, carry out processing activities likely to result in a high risk to the rights and freedoms of data subjects. The new draft Bill also requires the Information Commissioner to publish a document containing examples of types of processing which the Information Commissioner considers are likely to result in a high risk to the rights and freedoms of individuals.
- Automated Decision Making: In the original draft Bill, the government introduced changes to the regulation of automated decision-making, including defining a decision based solely on automated processing as one which involves “no human intervention”. The new Bill expands on this, stating that “when considering whether there is meaningful human involvement in taking a decision, a person must consider, amongst other things, the extent to which the decision is reached by means of profiling”. The new Bill also includes a provision that the Secretary of State may, by regulations, provide that there is, or is not, meaningful human involvement in the taking of a decision.
- International Data Transfers: Under the original draft Bill, amendments were introduced in relation to both international transfers and the UK’s approach to adequacy assessments. The new draft Bill confirms that transfer mechanisms lawfully entered into before the Bill takes effect will continue to be valid under the new regime, ensuring that businesses can continue to use their existing international data transfer mechanisms to transfer personal data to third countries if they are already compliant with current UK data laws.
The new draft Bill will now need to go through the legislative process, with its ‘second reading’ in the House of Commons expected to begin shortly.