The updated reform legislation provides welcome guidance and clarifications on aspects such as legitimate interests and accountability, without substantially shifting the approach proposed under the existing reform bill.
On 8 March 2023, the UK government introduced the second draft of its UK data protection reform legislation, the Data Protection and Digital Information (No.2) Bill (the No. 2 Bill). The No. 2 Bill supersedes the original Data Protection and Digital Information Bill (the Original Bill), which the government first introduced last summer, following the consultation “Data: a new direction” (the Consultation). (For more information on the Consultation, see this Latham blog post; for more details on the proposed changes in the first version of the Bill, see this Latham overview and deep dive.)
The No. 2 Bill details how the government proposes to reform the current UK data protection regime, which consists primarily of the UK Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
The government expects the No. 2 Bill to pass into legislation within the current parliamentary session (before Q2 2024) and without material amendments. Once passed, the majority of the substantive provisions will come into force on a date that future regulation will specify. Organisations therefore will have time to consider their compliance strategies. Multinational organisations in particular should consider whether to maintain their current global compliance standards or, rather, take advantage of the potentially more flexible UK regime.
Compared against the Original Bill, the No. 2 Bill contains further targeted amendments and clarifications to the UK data protection regime, but does not contain any substantial shifts in approach. This blog post summarises the key changes from the No. 2 Bill and their practical implications.
Lawful Basis — Legitimate Interests
The Consultation proposed to introduce a new, limited list of “recognised legitimate interests” to address concerns raised by organisations about (a) the time and effort required to complete and record legitimate interests assessments (LIA) and (b) the perception that reliance on legitimate interests is more complex than other lawful bases. Organisations could use these “recognised legitimate interests” to process personal data without applying the balancing test, which is an intrinsic part of the LIA. The Original Bill therefore introduced a new lawful basis to cover scenarios when the “processing is necessary for the purposes of a recognised legitimate interest” and set out in Annex 1 a list of such “recognised legitimate interests”, which include emergencies, crime, and safeguarding, and can be amended by the Secretary of State. These remain unchanged in the No. 2 Bill.
The No. 2 Bill has also introduced three illustrative and non-exhaustive examples of processing that companies may undertake, relying on the existing legitimate interests lawful basis:
- direct marketing;
- intra-group transmissions of personal data for internal administrative purposes; and
- ensuring the security of network and information systems.
Unlike processing for a recognised legitimate interest, processing falling within these three examples still requires the balancing test. However, the examples provide welcome guidance and clarification for organisations regarding the UK government’s interpretation of legitimate interests. Provided that appropriate safeguards are in place, organisations will likely be able to rely on legitimate interests as a lawful basis for processing falling within the three examples above.
The Explanatory Notes to the No. 2 Bill clarify that any legitimate (commercial) activity can be a legitimate interest, provided the processing is necessary for the activity and the company carries out the balancing test. However, as noted in our deep dive on the Original Bill, there are ongoing debates in the EU on whether “purely commercial interests” can constitute legitimate interests under the EU GDPR. Recent guidance and enforcement in the Netherlands highlight the Dutch authority’s view that purely commercial interests cannot constitute legitimate interests. The European Commission has challenged this view, and the European Data Protection Board (EDPB) is expected to publish further guidance in the near future. If the EU and UK regimes deviate on the scope of legitimate interests, organisations in the UK may rely on this lawful basis for purely commercial interests but may need to find an alternative lawful basis for the same processing under the EU GDPR.
Accountability — Organisations Exempt From Record-Keeping
Following the Consultation, the UK government proposed replacing the requirement to maintain a record of processing activities with more flexible record-keeping under a privacy management programme. The flexibility would encourage businesses to focus more on the design of their privacy management programme rather than on meeting prescriptive tick-box requirements. As such, the Original Bill replaced the requirement to maintain a “record of processing activities” with a need simply to maintain “adequate” records of the processing of personal data, and eliminated certain details that previously had to be included in these records, e.g. the categories of data subjects and personal data. The No. 2 Bill introduces a risk-based approach: the record-keeping obligation would apply to any controllers and processors (regardless of size) that process personal data which, “taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals”.
Under the EU GDPR, the requirement to maintain a record of processing activities does not apply to organisations that employ fewer than 250 individuals unless they carry out processing that is likely to result in a high risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data. The latter two limitations, and in particular the “occasional” qualifier, resulted in a very limited exemption for organisations in practice, and these were removed in the Original Bill.
The approach set out in the No. 2 Bill aligns with the UK government’s proposal in the Consultation, and will help small-to-medium B2B businesses that have more than 250 employees but do not undertake any data processing which could be considered “high risk”. These organisations will benefit from the added flexibility and the ability to take a risk-based approach tailored to their business. However, international organisations seeking to maintain consistent global standards of record-keeping aligned to the GDPR may enjoy limited benefits from this flexibility.
Other Changes in the No. 2 Bill
- Automated Decision-Making: As noted in our overview, the Original Bill amends certain provisions in respect of automated decision-making (ADM). Among other amendments, the Original Bill proposes defining a decision as based solely on automated processing “if there is no meaningful human involvement in the taking of the decision”. The No. 2 Bill further clarifies this and expressly requires consideration of the extent to which the decision is reached by profiling when assessing whether there is “meaningful human involvement”, either when the decision was made or when it was reconsidered.
- Scientific Research: The Original Bill clarifies that any references in the UK GDPR to the processing of personal data for the purposes of “scientific research” (e.g. under Article 21 which governs the right to object) are references to processing for the purposes of “any research that can reasonably be described as scientific, whether publicly or privately funded”. The No. 2 Bill goes a step further, stating that such research may be “carried out as a commercial or non-commercial activity”.
- International Transfers: As noted in our blog post on the Consultation, the Original Bill amends the existing rules on international data transfers so that adequacy “regulations” approved by the Secretary of State and transfers made subject to appropriate safeguards will be subject to the risk assessment and proportionality principles covered within a “data protection test”. The No. 2 Bill clarifies that companies that have lawfully entered into transfer mechanisms under the current UK GDPR can continue to use these mechanisms to transfer personal data to third countries even after the reforms come into effect.
- Direct Marketing: The No. 2 Bill introduces new obligations for providers of public electronic communication services and networks to report suspicious activity relating to unlawful direct marketing to the Information Commissioner’s Office (ICO), with penalties for non-compliance. In practice, this could refer to the detection of spam based on large volumes of data. The Explanatory Memorandum states that the network or service provider will not need to intercept or examine the communication’s content.