Areas of interest include anonymisation, “recognised legitimate interests”, and the ICO’s role.
The UK Data Protection and Digital Information Bill (the Bill) sets out the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR)). While broad in scope, the proposals do not amount to a wholesale change in direction for UK data protection laws. Assuming the Bill is passed without amendment, the UK regime would largely build on the current EU GDPR-style framework, albeit with UK-specific provisions. The changes can be grouped into two categories: (1) a more risk-based / outcome-focused approach and (2) developments in key areas around accountability, data subject rights, security, and legal grounds for processing.
This article provides a deep dive into certain key provisions of the Bill. In part 1, we provide an overview of the proposed changes.
Anonymised vs. “personal data”: Confirming the scope
The Bill proposes that information would now relate to “an identifiable living individual” and therefore constitute “personal data” in two main cases:
- when the living individual is identifiable by the controller or processor by reasonable means at the time of processing; or
- where the controller or processor knows or ought to know that (a) another person will, or is likely to, obtain information as a result of the processing; and (b) the living individual will be, or is likely to be, identifiable by that person by reasonable means at the time of processing.
Notably, the Bill places significant emphasis on reasonableness and assessment of whether data is personal data at the time of processing, which could prove useful for organisations, particularly when trying to render data anonymous. The EU GDPR sets a high threshold for identifiability and anonymisation, which has been developed through high-profile cases (for more information, see this Latham blog post on the Breyer decision). The Bill’s proposals align with the position the UK government took in its consultation “Data: a new direction” (the Consultation) — namely, that the government “intends to avoid setting an impossibly high standard for anonymisation”. (For more information on the Consultation, see this Latham blog post.)
Automated decision-making and reliance on legitimate interests
“Recognised legitimate interests” under the Bill will be an interesting area of development, particularly if, over time, the UK seeks to adopt a materially different approach to reliance on legitimate interest from the approach broadly adopted in the EU. In the EU, there are also some debates on this ground for processing — recent guidance and enforcement in the Netherlands highlights the Dutch authority’s view that purely commercial interests cannot be legitimate interests. However, the European Commission has challenged this view, and the European Data Protection Board (EDPB) is expected to publish further guidance in this area in the near future.
Security arrangements and the ICO’s role
The Bill alters the reference to “appropriate technical and organisational measures” to “appropriate measures, including technical and organisational measures”. This proposed change could signal more emphasis on non-technical / organisational measures such as contractual restrictions. Depending on the practical interpretation of this proposed change, it may not fully align with, for example, positions taken to date on international data transfers by the EDPB (which indicate that contractual measures alone are insufficient in relation to security for such transfers) or the Information Commissioner’s Office (ICO) opinion regarding the need to bolster contractual restrictions with practical verifications (e.g., in the ad-tech context).
The Bill’s introduction of “the desirability of promoting innovation and […] competition” as an ICO duty in relation to functions under the data protection legislation shows the UK government’s commitment to reducing barriers to responsible innovation (as noted in the Consultation here). Some contributors to the Consultation expressed concerns that introducing this duty could create a conflict of interest for the ICO with respect to its primary role as an independent data protection regulator. However, the UK government indicated that it regards the ICO’s role “as increasingly important for competition, innovation and economic growth” and therefore intends to ensure that the ICO is required to have regard to these areas. Unlike competition and innovation, the government has not explicitly highlighted “growth” as a duty to which the ICO must give regard, and it remains to be seen how (if any) conflicts of interest will be resolved in practice.
In addition, the Bill provides for the abolition of the “office” of the ICO, with all powers and functions to be transferred to a newly formed Information Commission.
Historically, the ICO has been active in enforcing the Privacy and Electronic Communications Regulations 2003 (PECR) — particularly for violations around unsolicited marketing. The maximum penalty under PECR is capped at £500,000. The Bill increases the maximum fines for PECR infringements to GDPR levels (up to the higher of £17.5 million or 4% of the total worldwide annual turnover of the preceding financial year). It remains to be seen whether these increased sanctioning powers change anything in the ICO’s approach and, indeed, whether these higher fines will be leveraged in practice.
The second reading of the Bill is due to take place on 5 September 2022, and its provisions are likely to develop over the coming weeks and months as the Bill progresses through the Parliamentary process. While it is unclear when a future act might be adopted, the legislative priorities of the future UK government — and the new Prime Minister — will be significant factors.