In March 2023, the UK government published the Data Protection and Digital Information (No. 2) Bill (the bill). If enacted, the bill will introduce significant changes to the UK’s data protection laws, with the aim of creating a simple, clear, and business-friendly framework while maintaining high data protection standards.
Background
When the UK exited the EU, it retained the bloc’s existing data protection legislation and renamed it the UK General Data Protection Regulation (UK GDPR). However, overhauling the law has been firmly on the government’s agenda since September 2021, when a public consultation titled “Data: a new direction” was launched, seeking views on potential areas for reform.
The government published a response to this consultation in June 2022, outlining a data protection regime focused on reducing compliance burdens faced by businesses, and increasing certainty over the circumstances in which the law applies. The bill is the government’s second attempt at making these changes; a previous version originally published in July 2022 was withdrawn for further consultation.
What Is Changing?
The bill proposes to amend the UK GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the Data Protection Act 2018, but it would not replace them. Some of the key proposals include:
- Greater clarity on the use of legitimate interest as a legal basis. The bill includes a limited list of “recognized legitimate interests” for which organizations may forgo the need to conduct a balancing of interests with the data subject’s rights. The proposed list is limited and includes processing for purposes such as safeguarding national security, dealing with emergencies, and investigating crime. As it currently stands, the list therefore has limited value to businesses, but it may be expanded on in the future by the UK Secretary of State.
- Reduced restrictions on automated decision-making. The bill removes the right of individuals not to be subject to decisions based solely on automated decision-making where such decisions are based only on processing personal data (decisions taken on the basis of special category data remain restricted). However, where organizations rely on automated decision-making, and the decisions taken are either “significant” or produce legal effects for individuals, safeguards must be implemented. The safeguards must include providing information about the decision taken, allowing individuals to challenge any decision taken, and providing a means of obtaining human intervention.
- Lighter “accountability framework.” The bill amends a number of the UK GDPR’s existing accountability requirements in a move to an outcomes-focused regulatory approach, which aims to reduce compliance burdens for small and medium-sized organizations carrying out low-risk processing. The requirement to appoint a Data Protection Officer would be removed, with controllers and processors that engage in high-risk processing instead required to designate a “Senior Responsible Individual” (SRI) who should be part of the organization’s senior management. Similarly, controllers would only be required to maintain records of processing activities in relation to “high risk” processing activities. The requirement for organizations based outside of the UK to appoint a UK representative would be abolished.
- Amended exceptions to data subject requests to exercise their rights. The bill empowers controllers to refuse data subject access requests that are “vexatious or excessive,” replacing the previous language “manifestly unfounded or excessive.” Examples of vexatious requests include those that are intended to cause distress, are not made in good faith, or are an abuse of process. This will bring the language used in the UK GDPR into line with that used under the Freedom of Information Act 2000; controllers will need to consider any request in light of the facts and circumstances surrounding it.
- Consent not required for certain cookies. The bill introduces new exceptions to the general requirement under PECR for consent to be obtained when reading or placing cookies on an end user’s device. Cookies with an analytical or functional purpose or that enable software updates or provide emergency services will not require consent.
- Sanctions for breaches of PECR. The bill proposes to enhance the ICO’s enforcement powers under PECR, bringing them into line with those under the UK GDPR. This means that for breaches of the UK’s laws around direct marketing and cookies, sanctions of up to £17,500,000 or four percent of total annual worldwide turnover may be imposed.
- Revised definition of personal data. The bill proposes to amend the definition of “personal data” to clarify the situations in which information will be rendered anonymous and therefore outside of the scope of the legislation. Personal data will include information that a) allows the identification of an individual by reasonable means, or b) would allow another organization that is likely to obtain the information to identify an individual by reasonable means. What amounts to “reasonable means” will be assessed by reference to factors including the time and effort involved in identifying individuals, and the available technology.
Next Steps
The bill passed its first formal reading on March 8, 2023, and now awaits its second reading in the House of Commons on April 17, 2023. The bill must be approved by both houses of Parliament before it can pass into law. There is no formal timeline for the progress of the bill. Companies should consider the implications that these changes may have for their compliance procedures while awaiting the final text of the legislation once passed.
For more information, please contact Cédric Burton, Laura De Boel, Nikolaos Theodorakis, or another member of the firm’s privacy and cybersecurity practice.