Posted by: Ian (D. Withers)
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill
March 30, 2023
William RM Long, Francesca Blythe, Subhalakshmi Kumar and Fjolla Lushta
Sidley Austin LLP
On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill, which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork”, is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.
Scope: To fall within scope of the UK GDPR, “personal data”, i.e., information relating to an identified or identifiable natural person, must be processed. The new Bill seeks to clarify the scope of the definition of personal data by making clear that it applies where (i) the living individual is identifiable by the controller or processor by “reasonable means at the time of the processing”; or (ii) the controller or processor “knows or ought to know” that a third party “will or is likely to be able to identify the person as a result of its data processing.” If that third party is not likely to be able to identify the individual from its data processing, the information will be considered sufficiently anonymized and, in turn, will be out of scope of the UK GDPR.
Legitimate Interests: The Bill maintains the previous list of “recognised” legitimate interests for which no balancing test is required, which includes processing data for national security and crime prevention purposes. Examples of where there may be a legitimate interest (but for which a balancing test should still be carried out) have been moved from the recitals to the main text of the UK GDPR, i.e., direct marketing, intra-group transfers and cybersecurity. The Explanatory Notes confirm that any legitimate commercial activity can be a legitimate interest, provided the processing is necessary and the balancing test is undertaken.
ROPA: The new Bill promises to reduce “unnecessary paperwork” by further narrowing the requirement to maintain records of processing activities (“ROPAs”) to instances where the processing is “likely to result in high risk to the rights and freedoms of data subjects.” From an accountability perspective (including for purposes of identifying data flows), companies may want to continue maintaining a broader ROPA. The ICO will be required to publish a list of examples of such high risk processing.
International Transfers: The UK Government has made much of its desire to promote further unrestricted transfers between a variety of countries including the U.S. and Singapore, among others. It is no surprise that the new Bill maintains the test that international transfers of personal data may be approved where the country in question has a data protection standard “not materially lower” than that of the UK GDPR. This moves away from the “adequacy” concept in the EU GDPR, and gives weight to the idea that different countries can maintain data protection standards in different but equally effective ways.
Automated Decision-Making: In the previous iteration of the Bill, a decision based solely on automated decision-making was defined as one which involved no human intervention. The new Bill states that when determining whether there is no human intervention a company must “consider, amongst other things, the extent to which the decision is reached by means of profiling.”
DPOs and DPRs: The new Bill removes the requirement for organizations to appoint a Data Protection Officer (“DPO”) – although, in limited circumstances, e.g., where a company is engaged in high risk processing, a “senior responsible individual” must be designated to take charge of data protection risks within the organisation or to delegate that task to suitably skilled individuals. Importantly, Article 27 of the UK GDPR, which states that controllers or processors subject to the UK GDPR but not based in the UK must appoint a Data Protection Representative (“DPR”), is to be removed in its entirety. This will potentially be helpful for some international organizations that find themselves having to appoint both an EU DPR and an additional UK DPR.
Scientific Research: The concept of “scientific research purposes” has been re-defined under the new Bill to include any “processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity” – i.e., commercial activities are expressly brought within scope. The new Bill also aligns its provisions with existing guidance from the ICO that public health is only “scientific research” if it is in the “public interest.” Sponsors of scientific research will not be required to provide notice to data subjects (e.g., clinical trial participants) where the personal data has not been collected directly from the data subject and providing such notice would be “impossible or require disproportionate effort.”
Data Subject Rights: As per the previous iteration of the Bill, the new Bill maintains the new threshold for refusing data subject requests where the request is “vexatious or excessive” and would remove the “manifestly unfounded or excessive” threshold which currently exists under the EU GDPR. The new threshold potentially expands the circumstances in which a request can be refused, as the Government hopes that requests which are not actually aimed at furthering privacy rights may now be rejected as “vexatious.” It is unclear, however, if the ICO will interpret the new test in this broader way, and whether request numbers will fall as a result.
Cookies: The new Bill maintains a list of activities it considers low risk and for which consent is not required. Such activities include where cookies collect information to make service improvements or to reflect user preferences. The Bill also seeks to align the fines for nuisance calls and texts under the Privacy and Electronic Communications Regulation (“PECR”) with those under the UK GDPR i.e., the greater of 4% of a company’s global turnover or £17.5 million.
ICO Governance: The proposed changes to the ICO’s governance framework are unchanged in this version of the Bill, with the provisions still proposing that the ICO move away from being led by a single Information Commissioner to establishing a board chaired by a chief executive. However, it is unclear whether the ICO’s previous concerns regarding the independence and impartiality of such a board have been addressed.
The new Bill is in the early stages of the legislative process and has only gone through its first reading in Parliament. Although not yet announced, it is expected that the second reading in the House of Commons will take place in the next few months. In the meantime, businesses should try to understand whether any of the new changes will apply to them and whether these can streamline their data processing in any material way. Businesses will also need to monitor the regulations that will flow from the Bill, as these will likely provide practical guidance. Businesses that are already complying with the EU GDPR should take comfort in knowing that compliance with the current UK data protection regime will likely suffice for compliance under the new Bill. While there are changes to the law, the new proposals do not appear more onerous than the GDPR.