The bill would largely build on the UK data protection regime’s EU GDPR-style framework, albeit with UK-specific provisions.
The UK government introduced the Data Protection and Digital Information Bill (the Bill) to Parliament on 18 July 2022, following the publication of its response to the consultation “Data: a new direction” (the Consultation). (For more information on the Consultation, see this Latham blog post.)
The Bill details the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR)).
This article presents an overview of the proposed changes. In part 2, we provide a deeper dive into certain key provisions.
In summary, the proposed changes — while broad in scope — do not amount to a wholesale change in direction for UK data protection laws. Assuming the Bill is passed without amendment, the UK regime would largely build on the current EU GDPR-style framework, albeit with UK-specific provisions. The changes can be grouped into two categories: (1) a more risk-based / outcome-focused approach and (2) developments in key areas around accountability, data subject rights, security, and legal grounds for processing.
Definitions and accountability
Key proposed definitional changes and developments in relation to accountability — i.e., measures taken by organisations to demonstrate responsibility and compliance with data protection requirements in connection with their processing activities — can be summarised as follows:
- A more limited definition of “personal data”: The Bill provides that data is “personal data” in potentially more limited circumstances, i.e., when it is identifiable either by a controller or processor at the time of processing or by another person who is likely to obtain information as a result of the processing and who is or is likely to be able to identify an individual as the subject of the personal data by reasonable means at the time of processing. This change could make the standard of anonymisation easier for an organisation, as an individual would need to be identified by a controller/processor or through reasonable means by a third party at the time of processing.
- No requirement for UK representatives: The Bill removes the need to designate a UK representative pursuant to Article 27 UK GDPR. This proposed change is relevant for non-UK entities subject to the UK GDPR’s extraterritorial applicability (e.g., when offering goods or services or monitoring the behaviour of individuals located in the UK, subject to meeting certain criteria).
- Reconsidered restrictions for data subject rights: The Bill introduces an amended ground for refusing a data subject request (for access, deletion, etc.) if such request is “vexatious or excessive”. Further, the Bill allows an organisation to either refuse to act on the request or charge a “reasonable fee” for doing so. This proposal could help curtail the number of data subject requests that are used strategically in the context of litigation or to sidestep disclosure rules.
- New obligation for controllers to respond to a complaint: The Bill introduces an obligation for a controller to acknowledge, within 30 days, any complaint it receives in relation to its processing of personal data. Further, a controller would need to take appropriate steps to respond to the complaint and to inform the complainant of the outcome, all without undue delay. There is some comfort for controllers that the Information Commissioner’s Office (ICO) may refuse to investigate complaints if a data subject has not first availed themselves of this right.
- Simplified record keeping: The Bill simplifies the record-keeping obligation provided under Article 30 UK GDPR. For example, a controller’s obligation to include a description of the categories of data subjects and personal data is removed — though controllers would still need to record information on special categories of personal data and/or data relating to criminal convictions and offences or related security measures.
- From data protection officer (DPO) to senior responsible individual (SRI): The Bill removes the obligation for certain organisations to appoint a DPO, in favour of a new requirement to appoint (in generally similar circumstances) an SRI. An SRI would have a similar function to a DPO, and the Bill details specific responsibilities.
Automated decision-making and reliance on legitimate interests
The Bill provides for several circumstances in which the balancing (though not necessity) test for legitimate interest may be discarded, defined as “recognised legitimate interests”. These recognised legitimate interests are limited to circumstances such as emergencies, crime, and safeguarding. However, the Bill stipulates that the Secretary of State may in the future amend this list, providing a route through which more processing activities may be conducted on a legitimate-interest basis without necessitating a balancing test.
The Bill also amends certain provisions in respect of automated decision-making (ADM), which could expand the lawful scope of ADM. The most significant change removes the general prohibition on ADM (absent the limited grounds of contractual necessity, legal obligation, or explicit consent). In its place, the Bill prohibits ADM only when it involves processing special category personal data (absent contractual necessity, legal obligation, or explicit consent) and otherwise requires a controller to inform the affected data subject of the ADM and give that data subject rights to make representations about, obtain human intervention related to, and contest the ADM.
The Bill replaces the reference to “appropriate technical and organisational measures” with “appropriate measures, including technical and organisational measures”, and applies this change in various areas of the UK GDPR, with respect to both controllers (e.g., in Article 24 governing responsibilities of the controller) and processors (e.g., in Article 28(1) with respect to guarantees provided by processors).
The Bill seeks to reform the ICO through changes to its organisational structure, powers, and a new requirement to publish an annual report on regulatory action. Interestingly, the Bill introduces “the desirability of promoting innovation and […] competition” as an ICO duty in relation to functions under UK data protection legislation.
Cookie opt-outs and increased fines
The Bill proposes amendments to the Privacy and Electronic Communications Regulations 2003 (PECR), the UK law that governs, amongst others, the rules on cookies and direct marketing. The Bill removes the requirement for opt-in consent for all cookies. The Bill also increases the maximum fines for PECR infringements to GDPR levels (up to £17.5 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher). This proposed change would increase risk for non-compliant marketing practices.
For a deeper dive into the Bill’s provisions, see part 2 of this blog series. The second reading of the Bill is due to take place on 5 September 2022. Latham & Watkins will continue to monitor the Bill’s trajectory through the Parliamentary process and provide relevant updates on this blog.