Change is here: New UK Data Protection and Digital Information Bill
The UK government published its long-awaited Data Protection and Digital Information Bill (“DPDI”) on Monday 18th July 2022. The DPDI Bill is the centrepiece of government plans to reform GDPR and other EU-based privacy legislation in the post-Brexit era.
The Bill proposes to reform UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003. It also seeks to introduce other regulatory frameworks including digital identity providers, electronic registers of births and deaths and data-sharing across the health and adult social care system.
It is important to note that, at this stage, the Bill is at its first reading in the House of Commons, where the text will be subject to change as it progresses through Parliament and may be affected by the new agenda of an incoming Prime Minister.
However, in the meantime, some notable areas of reform can be highlighted.
Amended Definition of Personal Data
The Bill proposes to redefine and limit the definition of “personal data”.
Within Clause 1 of the Bill, a section is proposed that would limit the scope of personal data to:
- where the information is identifiable by the controller or processor by reasonable means at the time of the processing; or
- where the controller or processor ought to know that another person will likely obtain the information as a result of the processing and the individual will likely be identifiable by that person by reasonable means at the time of the processing.
This proposed change reflects a more ‘subjective’ approach to the question of identifiability for controllers and processors, and for others who are likely to receive the information. In essence, this could help organisations rely on anonymisation more readily, as the test will now appear to be identifiability “at the time of processing” rather than potential future identifiability.
Legitimate Interests
Legitimate interests is the most flexible of the lawful bases available under Article 6 UK GDPR. However, before it can be relied upon, organisations are required to carry out a balancing exercise known as a Legitimate Interests Assessment (LIA).
The new Bill appears to dilute the requirement for a balancing exercise to be conducted and purports to offer greater clarity for controllers by proposing a list of “recognised legitimate interests”. These are processing activities which are deemed to automatically satisfy the legitimate interests balancing test, e.g. the detection, investigation and prevention of crime.
Data Protection Officers
The requirement to appoint a Data Protection Officer (DPO) has been replaced with the requirement to designate a “Senior Responsible Individual” (SRI) who is “part of the organisation’s senior management”. The day-to-day tasks of the SRI appear to be largely similar to those of the DPO.
Data Protection Impact Assessments
The requirement to carry out Data Protection Impact Assessments (DPIA) is to be replaced by a requirement to undertake ‘Assessments of High Risk Processing’ (AHRP). Whilst the DPIA and the AHRP appear to be substantially similar assessments, the criteria for triggering a mandatory DPIA are to be removed.
Subject Access Requests
The new Bill will permit controllers to refuse data subject access requests (“SARs”) determined to be “vexatious or excessive” entirely, or to charge a fee for such requests. This is intended to clarify the previously vague concepts of “manifestly unfounded or excessive”. In this context, “vexatious” is to be understood as requests which are “intended to cause distress, not made in good faith or amount to an abuse of process”, which aligns with the approach taken by the Freedom of Information (“FOI”) regime.
It is for the organisation to determine whether the “vexatious” threshold is met; however, the Bill helpfully provides examples of requests that meet this threshold.
Article 27 Representatives
The Bill removes the requirement for organisations that are based outside the UK, but are subject to UK GDPR, to appoint a UK-based representative.
Cookies
The Bill removes the consent requirement for cookies used purely for web analytics (provided these are not shared with third parties).
International Data Transfers
The Bill will introduce amendments in relation to both international transfers and the UK’s approach to adequacy assessments.
In relation to third countries, there is a proposed move away from the ‘adequacy test’ towards a new, more flexible ‘data protection test’, where the standard is no longer that the third country is required to have “essentially equivalent” levels of data protection, but rather that its standards are “not materially lower”.
This divergence from the EU’s approach to international transfers could threaten the UK’s adequacy decision.
Whilst the aim of the Bill is to streamline requirements and remove some of the regulatory burdens, in reality organisations will now be forced to grapple with yet another piece of legislation. The Bill does not repeal the current regime, meaning UK GDPR, the Data Protection Act 2018 (“DPA 2018”) and the Privacy and Electronic Communications Regulations (“PECR”) will remain in place, subject to the various amendments proposed by the Bill.
We will be keeping a close eye on the Bill’s progress through Parliament and will provide further updates as the final text becomes clear.
*This information is for guidance purposes only and does not constitute, nor should it be regarded as, a substitute for taking legal advice that is tailored to your circumstances.