Take two: What's new in the latest UK Data Protection and Digital Information Bill?
After a rather stop-start journey, a new Data Protection and Digital Information (No. 2) Bill (the "Bill") was introduced to Parliament on 8 March 2023 by the Department for Science, Innovation and Technology ("DSIT"). If enacted, the Bill will make changes to the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations. The previous Data Protection and Digital Information Bill (the "Previous Bill") has been withdrawn.
The reforms in the Bill are intended to make data protection legislation simpler for businesses to understand and implement. The Government reports that British businesses are set to save £4.7 billion from the proposed reforms.
Although the Government states that the Bill is "a new system of data protection", it still retains the fundamental obligations, structure and principles of the UK GDPR and will even still retain the "UK GDPR" name. Businesses that are already compliant with the UK GDPR will not be required to make any changes as a result of the Bill. Instead, it makes certain clarifications and specific carve-outs to the existing regime and attempts to tackle some of the issues that can arise, based on five years of experience of the GDPR in practice.
The Bill makes targeted changes to the Previous Bill (summarised here) that aid clarification and provide somewhat more flexibility. We have summarised the key changes compared to the last version of the Bill below.
What we knew & what's changed
For each topic below, we set out the position under the Previous Bill and what has changed under the Bill.
Scientific research
Position under the Previous Bill: A new definition of "scientific research" was introduced under the Previous Bill, which would include anything that "could reasonably be described as scientific".
What's changed under the Bill: The Bill now goes one step further, proposing that "scientific research" covers "processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity" (emphasis added).
The explicit acknowledgment that scientific research can be for commercial purposes will be welcomed by research businesses.
While there are benefits to the loosening of barriers around sharing scientific research data, the new definition of scientific research is still open-ended. It remains to be seen how this broader definition will apply to privately funded technological development in practice.
The Bill additionally clarifies that research into public health only constitutes "scientific research" if it is in the public interest. This largely reflects existing ICO guidance on this topic, so is not surprising.
Legitimate interests
Position under the Previous Bill: The Previous Bill proposed that businesses could rely on legitimate interests without the requirement to conduct a balancing test against the rights and freedoms of data subjects where those legitimate interests are "recognised". These "recognised" legitimate interests cover purposes for processing such as national security, public security, defence, emergencies, preventing crime, safeguarding and democratic engagement.
What's changed under the Bill: The Bill maintains the general position proposed under the Previous Bill, but also includes examples of when legitimate interests could be suitable. These examples are not part of the "recognised" list of legitimate interests, and a balancing test will still be required, but they are intended to help businesses understand when legitimate interests might be appropriate. These examples track the recitals of the UK GDPR and include:
Records of processing
Position under the Previous Bill: The Previous Bill maintained the existing position that records of processing are required, except for small organisations that do not carry out high risk processing. The Previous Bill did streamline the contents of such records.
What's changed under the Bill: Under the Bill, any controller or processor would be exempt from the duty to keep records of processing unless they are carrying out high risk processing activities. This reflects the reality of how organisations run their privacy programmes, by focusing their resources on the highest risk activities.
Direct marketing
Position under the Previous Bill: The Previous Bill provided for non-commercial organisations to rely on soft opt-in for direct marketing purposes, if they have obtained contact details from an individual expressing interest.
What's changed under the Bill: The Bill introduces new obligations on providers of electronic communications networks. Specifically, these providers would be required to notify the ICO of "any reasonable grounds" they have for suspecting that a person is contravening or has contravened the direct marketing rules. Any failure to do so could result in penalties for non-compliance.
What constitutes "reasonable grounds" for suspicion will be detailed in ICO guidance, but for the time being the explanatory notes that accompany the Bill confirm that providers will not be expected to intercept or examine the content of communications in order to comply.
Whilst this provision itself will only apply to electronic communication service providers, it is likely to increase the ICO's awareness of non-compliant direct marketing communications, which in turn could result in more enforcement action being taken in relation to direct marketing breaches.
Automated Decision Making & AI
Position under the Previous Bill: The Previous Bill clarified that its proposed restrictions on automated decision-making under Article 22 UK GDPR should only apply to decisions that are a result of automated processing without "meaningful human involvement".
What's changed under the Bill: In a new provision, the Bill states that profiling will be a relevant factor in the assessment as to whether there has been meaningful human involvement in a decision. It is unclear whether the intention is that the presence of profiling could indicate that there has been minimal (as opposed to meaningful) human involvement. Alternatively, it seems this provision may be intended to clarify when profiling should itself be considered an automated decision that is subject to the Article 22 restrictions.
International transfers
Position under the Previous Bill: The Previous Bill introduced a new approach to the test for adequacy and when carrying out a transfer impact assessment. The threshold for this new "data protection test" was whether a jurisdiction offered protection that was "materially lower" than under the UK GDPR.
The Previous Bill did not affect the UK's transfer safeguards, namely the International Data Transfer Agreement and the UK Addendum.
What's changed under the Bill: The Bill does not propose significant changes to the international transfers regime. In fact, the Bill makes clear that alternative transfer mechanisms lawfully entered into before this Bill would take effect will continue to be valid. The "data protection test" to apply is the same as in the Previous Bill.
With many companies having already gone through the process of updating their contractual provisions around international transfers, this consistency should provide reassurance that further remediation requirements are unlikely.
Cookies & PECR
Position under the Previous Bill: The Previous Bill proposed an increase in potential fines for breaches of PECR to the same amounts as the UK GDPR. It also proposed that consent would not be required for online trackers placed: (i) for the purposes of collecting statistical information in order to bring improvements; (ii) for the installation of necessary security updates to a device; and (iii) to locate an individual in an emergency.
What's changed under the Bill: The Bill does not include any changes to the Previous Bill's proposals on cookies. However, DSIT have committed to continue to engage with businesses over these provisions. We will have to wait and see what this looks like as the Bill progresses through Parliament.
ICO reform
Position under the Previous Bill: The Previous Bill proposed restructuring the regulator, moving away from a single Information Commissioner and instead establishing an independent board and chief executive. The Previous Bill also introduced new statutory frameworks for the ICO's objectives as well as for the appointment of experts when publishing guidance.
What's changed under the Bill: There are no operative changes under the Bill as far as the ICO reforms are concerned, but the proposals still leave questions about whether the appointment process will be sufficiently independent from the government, which could threaten the UK's adequacy status as far as the EU is concerned.
When announcing the Bill, Michelle Donelan, Secretary of State for DSIT, stated: "I can promise you here today, Conference, that [data protection legislation] will be simpler and clearer for businesses to navigate". The intention is obviously to reduce the administrative burden, and arguably the Bill would achieve this. However, this does not remove the requirement for organisations to be able to understand how they process personal data and to safeguard their internal and external personal data flows.
The main question is still whether the divergence from EU law will have an impact on the UK's adequacy status. The word from DSIT is that it will in fact do the opposite and will instead instil wider international confidence in how the UK handles personal data, but only time will tell as more opinions on the Bill emerge.