The Data Protection and Digital Information Bill is currently in the Committee stage of the House of Lords. It will make changes to the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). It is expected to be passed in May and will probably come into force after a short transitional period.
The current Bill is not substantially different to the previous version whose passage through Parliament was paused in September 2022 so ministers could engage in “a co-design process with business leaders and data experts” and move away from the “one-size-fits-all’ approach of the European Union’s GDPR.”
The Same
Many of the proposals in the new Bill are the same as contained in the previous Bill. These include:
- Amended Definition of Personal Data: This proposed change would limit the assessment of identifiability of data to the controller or processor, and persons who are likely to receive the information, rather than anyone in the world.
- Vexatious Data Subject Requests: The terms “manifestly unfounded” or “excessive” requests, in Article 12 of the UK GDPR, will be replaced with “vexatious” or “excessive” requests. Explanation and examples of such requests will also be included.
- Data Subject Complaints: Data Controllers will be required to acknowledge receipt of Data Subject complaints within 30 days and respond substantively “without undue delay”. The ICO will be entitled not to accept a complaint if a Data Subject has not made a complaint to the controller first.
- Data Protection Officer: The obligation for some controllers and processors to appoint a Data Protection Officer (DPO) will be removed. However, public bodies and those who carry out processing likely to result in a “high risk” to individuals will be required to designate a senior manager as a “Senior Responsible Individual”.
- Data Protection Impact Assessments: These will be replaced by leaner and less prescriptive “Assessments of High-Risk Processing.”
- International Transfers: There will be a new approach to the test for adequacy applied by the UK Government to countries (and international organisations) and when Data Controllers are carrying out a Transfer Impact Assessment or TIA. The threshold for this new “data protection test” will be whether a jurisdiction offers protection that is “not materially lower” than under the UK GDPR. (For more detail see also our forthcoming International Transfers webinar).
- The Information Commission: The Information Commissioner’s Office will transform into the Information Commission; a corporate body with a chief executive.
- PECR: Cookies will be allowed to be used without consent for the purposes of web analytics and to install automatic software updates. Furthermore, non-commercial organisations (e.g. charities and political parties) will be able to rely on the “soft opt-in” for direct marketing purposes, if they have obtained contact details from an individual expressing interest. Finally, there will be an increase to the fines from the current maximum of £500,000 to UK GDPR levels i.e. up to £17.5m of 4% of global annual turnover (whichever is higher).
The Changes
The main changes are summarised below:
- Scientific Research: The definition of scientific research is amended so that it now includes research for the purposes of commercial activity. This expands the circumstances in which processing for research purposes may be undertaken, providing a broader consent mechanism and exemption to the fair processing requirement.
- Legitimate Interests: The Previous Bill proposed that businesses could rely on legitimate interests (Article 6 lawful basis) without the requirement to conduct a balancing test against the rights and freedoms of data subjects where those legitimate interests are “recognised”. These “recognised” legitimate interests cover purposes for processing such as national security, public security, defence, emergencies, preventing crime, safeguarding and democratic engagement. The new Bill, whilst keeping the above changes, introduces a non-exhaustive list of cases where organisations may rely on the “legitimate interests” legal basis, including for the purposes of direct marketing, transferring data within the organisation for administrative purposes and for the purposes of ensuring the security of network and information systems; although a balancing exercise still needs to be conducted in these cases.
- Automated Decision Making: The Previous Bill clarified that its proposed restrictions on automated decision-making under Article 22 UK GDPR should only apply to decisions that are a result of automated processing without “meaningful human involvement”. The new Bill states that profiling will be a relevant factor in the assessment as to whether there has been meaningful human involvement in a decision.
- Records of Processing Activities (ROPA): The Previous Bill streamlined the required content of ROPAs. The new Bill exempts all controllers and processors from the duty to maintain a ROPA unless they are carrying out high risk processing activities.
- Subject Access: Clause 12 of the Bill introduced at the House of Commons Report Stage amends Article 12 of UK GDPR (and the DPA 2018) so that Data Controllers are only obliged to undertake a reasonable and proportionate search for information request under the right of access.
Adequacy
Although the Government states that the new Bill is “a new system of data protection”, it still retains the UK GDPR’s structure and fundamental obligations. Organisations that are already compliant with the UK GDPR will not be required to make any major changes to their systems and processes.
The EU conducts a review of adequacy with the UK every four years; the next adequacy decision is due on 27th June 2025. Some commentators have suggested that the changes may jeopardise the UK’s adequate status and so impact the free flow of data between the UK and EU. Defend Digital Me, a civil liberties organisation, has claimed that the Bill would, among other things, weaken data subjects’ rights, water down accountability requirements, and reduce the independence of the ICO.
Other Parts of the Bill
The Bill would also:
- establish a framework for the provision of digital verification services to enable digital identities to be used with the same confidence as paper documents.
- increase fines for nuisance calls and texts under PECR.
- update the PECR to cut down on ‘user consent’ pop-ups and banners.
- allow for the sharing of customer data, through smart data schemes, to provide services such as personalised market comparisons and account management.
- reform the way births and deaths are registered in England and Wales, enabling the move from a paper-based system to registration in an electronic register.
- facilitate the flow and use of personal data for law enforcement and national security purposes.
- create a clearer legal basis for political parties and elected representatives to process personal data for the purposes of democratic engagement.
Reading the Parliamentary debates on the Bill, it seems that the Labour party have no great desire to table substantial amendments to be the Bill. Consequently, it is expected that the Bill will be passed in a form similar to the one now published.
Learn more about the updated bill with our Data Protection and Digital Information Bill: Preparing for GDPR and PECR Reforms workshop. Dive into the issues discussed in this blog and secure your spot now.