NEWS – “without comment”
04 Nov 2024
Data protection reform: here we go again!
The Data (Use and Access) Bill was published and had its first reading in the House of Lords on 23 October 2024. This is take three of data protection reform following two failed attempts by the Conservatives. Given the detail about data protection reform in the King’s Speech we were expecting the Labour reforms to be quite limited and to drop many of the previous Conservative reform proposals. However, the announced reforms go further than expected and retain many of the previously tabled reforms.
What can we expect from the new Bill?
Ignoring, for our purposes, the changes relating to use of data for the public benefit (most of which are public sector focussed), some of the key aspects of the Bill for private sector organisations to be aware of are:
Reform of the Information Commissioner’s Office, which will become an independent body corporate, known as the Information Commission, with a Chief Executive.
The Bill provides a set of conditions where a new processing purpose is automatically deemed “compatible” with the original purpose for which the data was collected.
Permitting the use of automated decision making in a broader range of circumstances by restricting the scope of Article 22 of the UK GDPR (the right for data subjects not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her) to automated decisions made using special category data.
A new requirement for controllers to put in place a process which allows data subjects to make complaints to them directly, before making a complaint to the ICO. There will also be specified timescales in which controllers must respond to direct complaints.
A more ‘risk-based’ approach to international transfers of personal data, both for the Government to adopt when deciding if a third country is adequate and for organisations when they are carrying out a transfer risk assessment before making an international transfer to an organisation in a non-adequate third country.
Changes relating to SARs (subject access requests) which put ICO guidance relating to clarification requests “stopping the clock”, and to searches needing only to be “reasonable and proportionate”, on a statutory footing.
There are also some specific changes to PECR (the Privacy and Electronic Communications Regulations, which include provisions relating to direct marketing and cookies and other tracking technologies):
Increasing fines to UK GDPR levels (currently the maximum fine is £500,000).
Permitting the use of first-party cookies (and similar technology) for website analytics purposes without users’ consent.
Removing the requirement for providers of public electronic communications services to notify personal data breaches within 24 hours (as opposed to 72 hours).
An interesting reform not seen previously is a power for the Secretary of State to make changes to the types of data classed as special category data (although the existing types cannot be changed), meaning those types of personal data will be subject to additional data protection obligations.
Finally, a new concept of “recognised legitimate interests” is proposed which means certain activities are deemed legitimate by default and so there is no need to carry out a LIA (legitimate interest assessment). Whilst this sounds helpful for private sector organisations, these default legitimate interests (which include emergencies, crime and safeguarding vulnerable individuals) do not cover commercial interests and are more likely to be utilised by public sector organisations.
What isn’t included?
There are elements of the previous reform proposals which haven’t been reintroduced, including:
The proposed removal of the requirement for UK representatives.
Changes to the definition of “personal data”.
The role of the Data Protection Officer will continue so there will not be a new role of Senior Responsible Individual.
There will not be a new concept of “vexatious” (replacing “manifestly unfounded”) data subject access requests, although it was questionable how much difference this would make in practice.
No changes relating to ROPAs (Records of Processing Activities).
No changes to when a DPIA (data protection impact assessment) has to be done, and those which demonstrate a high risk to data subjects (which cannot be mitigated) must still be referred to the ICO for prior consultation.
Is reform actually going to happen this time?
It seems very likely, yes, and progress of the new Bill should be relatively quick as a lot of work has already been done under the banner of the previous Bill.
What about the impact on EU adequacy?
This is hard to gauge, as it’s partly political, but whenever this question is asked in the context of reform we are assured there is open dialogue with the EU about UK adequacy, so no issues are anticipated (fingers crossed!).
Does your organisation need to do anything yet?
For now it’s worth just keeping an eye on reform discussions so you are ready to act when and if needed. That said, if your organisation is compliant with current law then it’s unlikely that anything more than minor changes will be required. If your organisation is also subject to the EU GDPR, you will likely want to limit changes to avoid dual compliance regimes. However, with possible fines significantly increasing, it is worth reviewing your organisation’s PECR compliance now.
Want to read more about data protection reform?
If you want more detail you can find relevant official documents published about the Bill here:
https://bills.parliament.uk/bills/3825/publications
Authors
Louise Thompson – louise.thompson@trethowans.com
Sarah Wheadon – sarah.wheadon@trethowans.com
Source:
https://www.trethowans.com/insights/data-protection-reform-here-we-go-again/
Posted by: Ian (D. Withers)
www.WAPI.org