Data Protection and Digital Information Bill
The UK Government introduced the Data Protection and Digital Information Bill (DPDI) to Parliament on 18 July 2022. This follows on from a consultation by the Department of Culture, Media and Sport (DCMS) initiated in September 2021 named Data: ‘A New Direction’. Data law reform has been a planned action by the UK since the withdrawal from the European Union and the new Bill is promoted by Ministers as ‘reducing burden whilst maintaining high standards’.
The requirement to appoint a Data Protection Officer (DPO) will be replaced with the designation of a Senior Responsible Individual (SRI). In contrast to the current position under UK GDPR, the SRI must be an individual with a position of Senior Management within an organisation. Additionally, the SRI will not be required to have any previous knowledge of Data Protection Law, a point which may be viewed as weakening the current standards.
Article 30 UK GDPR currently requires organisations to create and maintain a record of all processing activities that they undertake. Under the new proposals, this will be replaced with a requirement to maintain an appropriate record of processing.
Prior consultation with the Information Commissioner’s Office (ICO) will no longer be mandatory where an organisation has carried out an impact assessment and identified a high risk that it is unable to mitigate. Instead, prior consultation will become optional, with incentives being built into any investigative process following a breach.
If the Bill is passed, the ICO will become the “Information Commission”, which will retain the majority of the powers and responsibilities of the ICO but will also gain enhanced powers of enforcement.
Increased Ability to Use Personal Data
A new assessment will be introduced that enables organisations to meet the threshold for anonymisation of Personal Data more easily. The practical benefit of such a change will be that organisations increase their use of data without fear of a UK GDPR breach. This clarification of what fully anonymised data means will result in organisations only needing to consider identifiability at the time of processing rather than at some future point, and only by reference to the parties involved or those who may reasonably be expected to access the data.
Data Subject Access Request Reform
DPDI also seeks to reform Subject Access Requests to clarify when organisations are able to refuse a request or charge a fee for it, with the introduction of a term (‘vexatious or excessive’ request) that UK organisations subject to Freedom of Information (FOIA) requests know very well, as this term has been extensively interpreted by the ICO within the FOIA context. The ‘vexatious or excessive’ requirement will replace the current wording in Article 12(5) of the UK GDPR of ‘manifestly unfounded’ and will also include examples of relevant circumstances in which refusals can be made, which will help organisations to apply this exemption in a compliant way.
Relying on the Legitimate Interest legal ground to use personal data currently requires a balancing test to ensure that the legitimate interest of the organisation relying on this legal basis is not overridden by the interests, rights and freedoms of the individuals concerned. These balancing tests must be documented, since the ICO may require them in the context of an audit or investigation. The DPDI proposes removing this requirement and instead sets out a list of recognised legitimate interests that will apply directly if the requirements for each legitimate interest ground are met.
The circumstances in which consent is not required for cookie placement will be broadened to include web analytics, functionality enhancements and for automatic updates. Users will still need to have the ability to opt-out and this will need to be clearly explained to them. The Government’s intention is to move to a general opt-out system in the future – once the technology supports this.
Simplifying the Sharing of Data
The new legislation will simplify and facilitate the sharing of data under Smart Data Schemes. The Secretary of State will have the power to regulate organisations holding customer data, requiring them to share it with third parties.
Digital Identity Verification
Alongside the establishment of Smart Data Schemes, the DPDI will enhance the framework surrounding Digital Identity Verification. The proposals will increase confidence that data can be shared with organisations or individuals, secure in the knowledge that identification checks have been completed by a trusted provider.
Does the Bill risk the UK Adequacy Status?
The UK Government has concluded that the proposed changes are not divergent enough to risk the UK losing its adequacy status with the EU. However, there is some concern that this is a possibility at the next review. In its own impact assessment, the Government has admitted that losing the adequacy status with the EU would outweigh the benefits of any reform the DPDI may introduce. It is for this reason that many people believe the proposals will have been drafted within the parameters of maintaining the free flow of data between the UK and EU.
However, it is important to be aware that any divergence raises the prospect of an EU review of the adequacy status. The proposals are therefore certainly not without risk, and that risk is only likely to increase if further proposals are introduced in the future.
As with all legislation, it is highly likely that amendments will be made upon passage through Parliament and as such many of the above proposals will change. It is also possible that the new Prime Minister may have differing views or priorities for Data Reform.
Many commentators describe the proposals as evolutionary rather than revolutionary. There is disagreement over whether the changes streamline UK GDPR enough or, conversely, whether the reforms push the boundaries too far. UK organisations that are also subject to the EU GDPR may find some of these changes useful to some extent (e.g. if conducting research exercises in the UK, subject to UK legislation only), but not in other cases (e.g. if they wish to harmonise their policies on how to respond to a DSAR, they may need to include different sections for data processed under UK law). Whilst it may seem that the new Bill pleases no side, this may indicate that a balance has been struck. It will be important to track the Bill closely over the coming months, and to analyse the changes that are eventually implemented.
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.