
The UK Data Protection and Digital Information Bill

The UK Data Protection and Digital Information (No. 2) Bill (the “Bill”) was introduced by the UK Government for review and consideration by the UK Parliament on March 8, 2023. At the time of writing, the Bill is with the UK Parliament in draft form with several stages of review still to be completed, meaning the Bill remains subject to change.  If passed, the Bill would govern the processing of personal data in the UK and in doing so replace the current data protection regime in the UK.  It would also introduce other concepts and frameworks which are based on the processing of personal data, e.g. digital verification, as discussed further below.  With anticipation as to whether the Bill will significantly change the regime in the UK being high, below is a summary of certain of the changes we may see to the UK regime if the Bill is to be passed into law.

Background

Following Brexit, the UK incorporated the General Data Protection Regulation (the “GDPR”) into UK law in a form which was consistent with UK law, commonly referred to as the “UK GDPR”.  The UK GDPR is almost identical to the GDPR in its application and is supplemented by the Data Protection Act 2018 (the “Act”) and the Privacy and Electronic Communications Regulations 2003 (the “PECR”).  The Bill, if passed, will amend the UK GDPR, the Act and the PECR to create a new regime in the UK for processing personal data.  According to the UK Secretary of State for Science, Innovation and Technology, Michelle Donelan, the new regime “will be easier to understand, easier to comply with” and will “release British businesses from unnecessary red tape”. The UK Information Commissioner, John Edwards, welcomes the Bill and “supports its ambition to enable organisations to grow and innovate whilst maintaining high standards of data protection rights”.[2]

The Bill is now in its second draft with the first being published in July 2022.  However, whilst the latest draft of the Bill appears to be progressing further in terms of legislative process than the first draft, it is still draft legislation which remains subject to further amendments.

Scope of the Bill

As with the UK GDPR, the Bill would apply to:

  • organisations processing personal data in the context of the activities of an establishment in the UK, such as organisations located in the UK but not limited to such; and
  • organisations located outside the UK processing personal data of data subjects located in the UK pursuant to: a) offering such data subjects goods or services; or b) monitoring the behaviour of such data subjects.

Therefore, the Bill would continue to have extra-territorial effect.

Enforcement powers of the Information Commissioner’s Office (“ICO”) would be largely the same under the Bill as under the UK GDPR; for example, the ICO could issue warnings or reprimands, order that processing be brought into compliance, or impose fines of up to £17.5 million or 4% of total annual global turnover.  In addition, the Bill would introduce a new power for the ICO to require an individual to attend an interview with the ICO where that individual is a controller or processor, or is or was employed by or managing a controller or processor, and the ICO considers the controller or processor to be in violation of the Bill.

Amendments to the UK GDPR and the Act

The Bill contains a number of proposed amendments to the UK GDPR, the Act and the PECR, certain of which are summarised below.

Legitimate Interests

The Bill retains the list of lawful bases for processing that is set out in the UK GDPR, including legitimate interests, but introduces a new lawful basis of processing personal data for “recognised legitimate interests”. Unlike when relying on the existing legitimate interests lawful basis under Article 6(1)(f) of the UK GDPR, where organisations have to conduct and record a balancing test (referred to as a “legitimate interests assessment” (“LIA”)) before they can rely on such basis, the new recognised legitimate interests basis does not require a LIA: organisations relying on this basis simply have to be able to demonstrate that the processing is necessary for the relevant purpose.  The recognised legitimate interests are detailed in Annex 1 of Schedule 1 of the Bill and include, for example, emergencies, safeguarding vulnerable individuals, and national security, public security, and defence.

The Bill also includes examples of what may constitute a legitimate interest under the existing Article 6(1)(f) lawful basis.  This is a non-exhaustive list of examples and the examples do not constitute “recognised legitimate interests”, meaning a full LIA would still need to be conducted before the basis could be relied upon. These examples include: processing that is necessary for the purposes of direct marketing; intra-group transmission of personal data where necessary for internal administrative purposes; and processing necessary for the purposes of ensuring the security of network and information systems.

Automated Decision-Making

The Bill seeks to redefine automated decision-making as decisions that are a result of automated processing without “meaningful human involvement”; the UK GDPR refers only to “human involvement”.

The Bill states that when considering whether there is meaningful human involvement in the taking of a decision, consideration must be given to, amongst other things, the extent to which the decision is reached by means of profiling.  This explanation is not entirely clear as the reference to profiling could be interpreted as either an indicator of automated decision-making or an indicator of no automated decision-making.  As the Bill is in draft form, this may be confirmed in due course.

Scientific Research

The Bill offers clarification as to the meaning of “scientific research” or “scientific research purposes”.  It confirms that such references are “to processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”.  The explicit acknowledgment that scientific research can be for commercial purposes is not included in the existing regime and will be welcomed by research businesses.

UK Representative

The Bill proposes to remove the obligation on controllers and processors not established in the UK to appoint a UK representative.  This is an example of administrative “red tape” being removed under the Bill.

Record Keeping

The Bill proposes to limit the obligation to maintain records of processing activities to those organisations performing high risk processing activities, a further example of administrative “red tape” being removed under the Bill.

Data Protection Officer

The Bill proposes to remove the role of Data Protection Officer (“DPO”) and replace it with a “Senior Responsible Individual”.  A Senior Responsible Individual is only required when an organisation processing personal data is a public body or is conducting high risk processing, and such individual must be part of the organisation’s senior management.  The tasks of the Senior Responsible Individual are listed in Part 1 of the Bill and, whilst these appear to be more than those required of a DPO under the UK GDPR, the tasks in the Bill are in fact likely a reflection of the tasks commonly performed by the majority of those appointed to the DPO role under the UK GDPR.  Tasks include, for example, monitoring compliance with legislation, organising training for employees, dealing with complaints and personal data breaches, and co-operating with the ICO.

Cookies

Part 4 of the Bill focuses, in part, on privacy and electronic communications and specifically, the PECR.  The Bill proposes to permit organisations to use cookies without consent (on an opt-out basis) in a limited set of circumstances, namely if the purpose of the processing is: (i) to collect statistical information in order to bring improvements; (ii) to enable the way the website appears or functions when displayed on the terminal equipment to adapt to the preferences of the user, or to enhance the appearance or functionality; (iii) for the installation of necessary security updates to a device; and (iv) to locate an individual in an emergency.

PECR Enforcement

The Bill proposes to increase the maximum level of fine the ICO can impose for violations of the PECR from £500,000 to £17.5 million or 4% of the total annual global turnover.  This would bring the maximum level of fine for the PECR in line with the existing levels under UK GDPR and the Act, which would be maintained in the Bill.

The ICO

Part 5 of the Bill seeks to reform and restructure the ICO.  The Bill proposes to change the name of the UK regulator to the “Information Commission” and to change its membership, which would consist of between 3 and 14 executive and non-executive members, including a chief executive.  The Secretary of State would have discretion to recommend members, and merit on the basis of fair and open competition must be taken into account when selecting members.  What constitutes “merit” in this instance is not yet known.

New Concepts Under the Bill

In addition to amending the existing law, the Bill also includes certain new concepts, some of which are described below.

Digital Identity

Part 2 of the Bill introduces provisions to regulate the use of “digital verification services”, defined as verification services provided to any extent by means of the internet and requested by an individual to ascertain or verify a fact about that individual and to confirm to another person that the fact about the individual has been ascertained or verified from information provided.  The provisions include the “DVS trust framework” and the “DVS register”, both of which the Secretary of State would be responsible for developing, according to the Bill.  At this stage, it appears individuals would apply to use the digital verification services, which would include creating a re-usable digital identity which could then be shared in whole or in part with organisations requiring such information.

Smart Data

Part 3 of the Bill proposes powers for the Secretary of State and HM Treasury to introduce smart data schemes in consumer markets.  At a general level, a scheme would allow a customer to require a “data holder”, i.e. a business or trader or its owner, to provide certain customer data to the customer or a third party.  An existing example of such a scheme is open banking.  The Bill would give the Secretary of State and HM Treasury powers to create more schemes like this, which are intended to create a wider open data economy which the UK government believes should, in turn, benefit consumers and businesses.  At this stage, it is not clear how the Secretary of State and HM Treasury would apply these provisions, including, for example, which industry or industries they would focus on.

International Data Transfers

Generally, the principles and obligations regarding international transfers of personal data under the Bill are the same as those under the existing regime.  UK data cannot be transferred to a third country unless the recipient is located in an adequate third country, the transfer is subject to appropriate safeguards, or the transfer is made in reliance on a derogation.

With regard to adequacy decisions, however, the Bill proposes a different approach by assessing adequacy in the form of the “data protection test”.  The data protection test seeks to establish that the standard of protection provided for data subjects with regard to general processing of personal data in the third country is not materially lower than the standard of protection provided for data subjects in the UK.  This differs from the current regime, which requires that a third country ensures an adequate level of protection of personal data in order to be deemed adequate.  In applying the new proposed data protection test, the Secretary of State would consider, amongst other things, the respect for the rule of law and human rights in the third country, and the existence and powers of an authority responsible for enforcing the protection of personal data in the third country.

With regard to appropriate safeguards, such as standard contractual clauses, the Bill confirms that any mechanism lawfully entered into before this draft of the Bill takes effect would continue to be valid.  Therefore, the UK International Data Transfer Agreement and the UK International Data Transfer Addendum should continue to be usable as mechanisms for transferring UK data.

Next Steps

As noted above, at the time of writing, the Bill is still with the UK Parliament in draft form and subject to change.  The timeline for implementation of this version of the Bill, or any other amended version of the Bill, is therefore not known.  However, there does appear to be some traction in the consideration of the Bill and, if this continues, we could see the Bill implemented within the next year.  To ensure they are prepared to comply with the Bill, those organisations subject to the UK GDPR should continue to monitor the Bill’s progress and any further amendments proposed to the existing regime.