27 Jul 2022 by Sadie Burgess
The Data Protection and Digital Information Bill (‘Bill’), introduced into parliament on 18 July 2022, is the product of a major consultation the government held last year on reforming the UK GDPR and other privacy legislation that has its origins in EU law.
Minister for Media, Data and Digital Infrastructure Matt Warman said the data protection reform bill will help "transform the UK's independent data laws."
The government launched its consultation ‘Data: a new direction’ on 10 September 2021 to inform its development of proposals to reform the UK’s data protection laws as part of the UK’s National Data Strategy. This consultation ran for 10 weeks, closing on 19 November 2021, receiving just under 3,000 responses, from a range of respondents including the ICO, DMA and organisations which represent a cross-section of the UK economy, as well as from organisations overseas.
The response is broken into 5 key chapters
It outlines plans to reduce burdens on business by enabling organisations to create flexible and proportionate compliance regimes. It includes proposals for improved data sharing practices to support delivery of public services. And it commits to maintaining the robust standards of data protection crucial to protecting the public.
Overall, these reforms do not overhaul the existing UK data protection compliance regime. Instead, the proposals are incremental and largely modify obligations that organisations will be familiar with under the existing regime. As expected, these reforms are largely business-focused, with an overall aim of reducing compliance burdens faced by businesses of all sizes and facilitating the use (and re-use) of data for research.
The swift introduction of the Bill in parliament’s final week before the summer recess shows how politically important it is for this government.
The 192-page bill is broken up into six parts:
· data protection;
· digital verification services;
· customer data and business data;
· other provisions about digital information;
· regulation and oversight; and
· final provisions.
The detail of the Bill largely confirms the Department for Digital, Culture, Media & Sport’s stated intention for there to be evolution rather than revolution from UK data reforms. The overall framework remains very much based on the GDPR.
Accountability: An overhaul of the accountability framework and replacement with a privacy management programme – although, in practice, organisations that are already compliant with UK GDPR accountability requirements will not be required to make further significant changes, which presents some flexibility for businesses.
Cookies Consent: In time, the UK will move away from cookie consent to an opt-out model, along with further exemptions for non-invasive cookies.
SARs: Introduction of exemption from SARs and ability to refuse a SAR if “vexatious or excessive”
Legitimate Interests: A list of processing purposes that can be undertaken on the basis of legitimate interests without undertaking the “balancing test” will be introduced.
International Transfers: More flexibility in process for UK adequacy decisions of third parties and scope to introduce additional international transfer mechanisms.
ICO governance reforms
“Those seeking a substantial streamlining of requirements and the removal of obstacles to innovation and business may feel the Bill does not go far enough; on the other hand, the proposals could be viewed as diverging sufficiently from the EU GDPR to threaten the UK’s adequacy status”
Jonathan Kirsop, Partner, Head of Information Law
The comprehensiveness of the programme will be based on the level of processing activities and volume and sensitivity of personal data handled and will be less of a “box-ticking” exercise.
As part of this:
Data Protection Officers (DPOs) will no longer be required, but the role will be replaced by a senior responsible individual.
The requirements to maintain Article 30 registers and to undertake data protection impact assessments (DPIAs) will be removed, with more flexible requirements relating to risk management and data inventories. Personal data inventories setting out what and where personal data is held, why it has been collected and how sensitive it is will still be required and organisations will still need to demonstrate that they have identified and managed risks (just not in a prescribed form).
Prior consultation for high-risk processing will be now voluntary. However, such consultation is incentivised as it will be taken into account as a mitigating factor during any future investigation or enforcement action.
The threshold for refusing to respond to a data subject access request (SAR) has been lowered from “manifestly unfounded or excessive” to “vexatious or excessive.” This is the formulation used to resist freedom of information requests and will therefore import that case law.
The requirement to obtain consent for cookies will be relaxed in relation to a broader class of purposes (but not for cross-site tracking). These could include audience measurement or fault detection on a site. Provisions will also be included so an opt out regime can be applied across all uses once browser-based and similar solutions are mature enough, although this is stated to be “in the future”.
“Soft opt-in” marketing consent will be extended to non-commercial entities, such as charities and political parties.
Restrictions on nuisance calls will be tightened. A further regulatory obligation for communications providers, requiring them to report on suspicious levels of traffic on their network, and a new right for the ICO to take enforcement action on the basis of calls generated, as opposed to calls connected.
The enforcement regime under the Privacy and Electronic Communications Regulations 2003 (PECR) will be increased to bring it in line with the GDPR. Currently fines under PECR are capped at £500,000.
More sharing of personal data to support public service delivery. Greater powers will be considered but any data sharing regulations would be subject to further public consultation and parliamentary scrutiny.
Non-public bodies delivering public tasks. It will be clarified which lawful processing grounds are available for non-public bodies to rely on when they are requested by a public body to help deliver a public task.
Processing in the substantial public interest. Special categories of personal data can be processed in the substantial public interest in the specific circumstances set out in Schedule of the Data Protection Act 2018. The government is considering further whether to add certain additional circumstances.
Aligning law enforcement and intelligence services processing with the UK GDPR and Data Protection Act 2018 provisions applicable to other controllers and processors. The government will look to create greater alignment, including allowing such bodies to produce codes of conduct for ICO approval.
A key concern for many organisations in relation to the UK's data reform is the impact this will have on the EU Commission's UK adequacy decision. As previously mentioned, the proposed changes are not generally controversial or particularly radical. The UK government has been closely engaged with its EU colleagues to find the right balance. Undoubtedly, the EU Commission will wait to see the specifics of the draft legislation. However, on this basis, obvious immediate threats to UK adequacy seem unlikely.
Warman, equally addressed this concern in his comments. "The EU does not require countries to have the same rules to grant adequacy," he said, "so it is our belief that these reforms are compatible with maintaining a free flow of personal data from the European Economic Area." He said the Bill will allow the UK to "strike partnerships with some of the world's fastest growing economies" and "ensure that the mechanisms to transfer personal data internationally are secure and flexible to help British businesses grow."