We've previously looked at the Data Protection and Digital Information Bill introduced under the Boris Johnson government. That Bill was paused and then withdrawn by Rishi Sunak’s administration, its replacement being the Data Protection and Digital Information (No.2) Bill, which commenced its journey through Parliament in March.
The “No. 2 Bill” is in many respects identical to its predecessor. While overall the Bill retains much of the structure of the UK GDPR, it proposes a number of changes to the detail.
Some updated definitions
The Bill will update, clarify and consolidate some of the definitions in UK data protection law. Changes include defining when an individual will be considered to be “indirectly” identifiable under the Data Protection Act 2018.
The Bill also amends the “purpose limitation” in UK GDPR to make certain processing of personal data easier for specified compatible purposes, including processing for research, archiving and statistical purposes.
Data processing for the purposes of research, archiving and statistics
Various provisions relating to data processing for historical and scientific research, archiving and statistical purposes will be updated, for example by including “commercial” scientific research within the definitions and by updating the safeguards for such processing that are currently set out in the Data Protection Act 2018.
Recognised legitimate interests
There will be a new lawful basis for processing in the shape of “recognised legitimate interests” (RLI), to which the legitimate interests “balancing test” would not apply. The categories of RLI would consist of specified grounds of processing relating to public interest matters such as national security, the investigation and prevention of crime, safeguarding and democratic engagement.
Data subject rights requests and mandatory complaints procedures
Reforms to certain aspects of laws relating to data subject rights requests include replacing the concept of “manifestly unfounded or excessive” rights requests with “vexatious or excessive” rights requests. The Bill gives examples of requests that might be vexatious, including those intended to cause distress, requests “not made in good faith” or which are “an abuse of process”.
The Bill also provides that the “clock” for compliance with an Article 15 data subject access request will pause where clarification is reasonably required by the controller in order to identify the information or processing activity to which the request relates.
Provisions will also oblige controllers to implement and comply with various complaints-handling procedures. The Bill gives the Information Commission a discretion to refuse to act on a complaint until the data controller’s complaints procedures have been completed. This is subject to a maximum 45-day period for completion of those procedures. The Commission may refuse to act on a complaint that is vexatious or excessive.
Automated processing and profiling
The Bill broadens the circumstances in which a decision can be based on solely automated processing where that decision has a legal effect or similarly significant effect for a data subject. References to “profiling”, which is currently potentially treated as a type of automated processing, are removed, although whether a decision is reached by means of profiling will be a factor when considering whether there is meaningful human involvement in taking that decision.
There will still be conditions that must be met where such processing is based entirely or partly on special categories of personal data, and in all cases, safeguards would apply such as measures which enable data subjects to contest decisions and obtain human intervention. Since the Bill was published, there have been calls for tighter regulation of artificial intelligence, so it remains to be seen whether these provisions will be further amended.
Risk management measures
The Bill will also change the wording of UK GDPR Articles 24, 25 and 28 to read “appropriate measures, including technical and organisational measures” in place of the current requirements to implement “appropriate technical and organisational measures”. The explanatory notes suggest that these changes “will give data controllers more flexibility in terms of the measures they put in place to demonstrate and manage risk”. It is not, however, stated what other measures might be taken that would not fall within the existing definition.
Representatives, Data Protection Officers and Senior Responsible Individuals
The Bill will:
- Remove the obligation, which can apply to controllers and processors that are not established in the UK, to appoint a UK representative.
- Replace the obligation to appoint a Data Protection Officer (DPO) with an obligation to appoint a Senior Responsible Individual (SRI). The obligation to appoint an SRI applies to controllers or processors that are public bodies and also to other controllers/processors that carry out “processing of personal data which, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals”. The duties of the SRI are similar to, but less prescriptive than, those of a DPO. One area that will need to be considered is whether organisations that will be subject to both the EU and UK regimes can appoint the same individual as both their DPO and their SRI. The Bill currently provides that the SRI must be part of the organisation’s “senior management” (as further defined in the Bill). The EU regime provides that a DPO may fulfil other tasks and duties, but the controller or processor must ensure that these do not result in a conflict of interest.
Record of Processing of Personal Data
The Bill will replace the obligation on many data controllers and processors to maintain a Record of Processing Activity with a requirement to maintain a Record of Processing of Personal Data. The obligation will only apply to controllers and processors that carry out processing “which, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals”.
Assessments of high risk processing
Data Protection Impact Assessments would be replaced by “assessments of high risk processing”, with the regime being lighter touch in various respects. For example, there is no express requirement to consult the SRI or the ICO, although there might still be other reasons for such consultation.
Transfers of personal data to third countries
The Bill will replace the current regime for international transfers of personal data. Broadly, there will still be three legal bases for transferring personal data to third countries:
- Transfers to jurisdictions considered by the Secretary of State to offer standards of protection that are “not materially lower” than under UK data protection law
- Where specified safeguards are in place and the controller or processor, acting reasonably and proportionately, considers that the “data protection test” is met in relation to the transfer or that type of transfer
- Where a derogation applies
The “safeguards” mirror the existing UK GDPR “appropriate safeguards” such as approved contractual clauses, binding corporate rules etc. Broadly speaking, the “data protection test” will require controllers or processors to consider whether the standard of protection after the transfer would be materially lower than under the UK data protection regime.
A new Information Commission
The Information Commissioner will be replaced by an Information Commission, which will be required to have regard to a “statement of strategic priorities” issued by the Secretary of State when carrying out its functions. The Commission will also be given some new enforcement powers, including the power to issue fines for breach of the Privacy and Electronic Communications Regulations in line with the fines under UK GDPR (up to 4% of global turnover or £17.5m, whichever is greater).
Digital verification services (DVS)
The Bill is intended to establish a framework to enable people to prove who they are, or something about themselves, in a secure way – the UK’s first legislative framework to regulate private organisations providing digital identity services. The Bill provides for a “trust framework” setting out rules for providing DVS, together with a register of accredited providers, an information gateway, a fee framework, a trust mark, etc. The Bill enables public authorities to disclose certain information relating to individuals to accredited providers once an individual has made a request, subject to certain conditions.
Customer and business data sharing / publishing
The Bill includes a framework of data sharing measures intended to promote the provision of innovative services to customers and businesses, such as automatic switching and account management.
The Bill would also enable public authorities listed in Schedule 4 to the Digital Economy Act 2017 to share information between themselves for the purpose of improving the delivery of public services to businesses.
Privacy and Electronic Communications Regulations (PECR)
The PECR enforcement regime will be brought into line with UK GDPR, including GDPR-level maximum fines. PECR will also be amended so that express cookie consents will no longer be needed for certain “low risk” purposes such as ensuring security, or preventing or detecting fraud or technical faults. The Bill also extends the “soft opt-in” in respect of direct marketing email sent for solely charitable, political or other “non-commercial” objectives.
There are also measures intended to allow cookie preferences to be set within a browser and then to require websites and other information technology to respect those preferences. Regulations will set out further detail. A duty will also be placed on communications providers who have reasonable grounds for suspecting that a breach of PECR might be occurring to report suspicious activity to the Information Commission.
Validation of electronic transfers via electronic trust services
Trust services consist of services concerning website authentication, electronic seals and signatures, timestamps and electronic delivery services.
The Bill amends the existing regime to provide a framework for regulations to allow the recognition of EU member state conformity assessment reports, as well as to allow the removal or amendment of UK recognition of EU standards in this area. Other measures include recognising trust service products provided by entities established outside the UK, subject to conditions, and enabling data sharing/cooperation between the Commissioner and overseas trust services regulators.
Information standards for health and adult social care
The Bill includes provision to clarify that information standards for health and adult social care in England (under the Health and Social Care Act 2012) include standards relating to certain information technology and IT services. It also makes further provision in relation to such standards and clarifies which public bodies information standards may apply to. The Secretary of State is also given compliance powers in relation to relevant IT providers, as well as for accreditation of IT and IT services.
The Bill contains a number of other provisions relating to matters such as processing for law enforcement and intelligence services purposes, and to provide for the modernisation of the registers of births and deaths.
The No. 2 Bill will be further reviewed by Parliament over the coming months and may be further amended; the Information Commissioner has proposed a number of further changes to the drafting. It is likely to be some time next year before it is in final form, and the majority of its provisions will be brought into effect through later statutory instruments. It remains to be seen whether the possibility of a UK general election in 2024 might further impact its implementation.
When the Bill is finalised, data controllers and processors will need to decide whether it is appropriate to adjust their approach. Due to their data processing activity, some organisations will be subject to both the EU and UK regimes and will be mindful of wanting to meet the more prescriptive regime (which in most cases will be the EU GDPR).
Another question is whether any of the proposed changes might impact the EU’s adequacy decisions concerning data transfers from the EU to the UK. The Information Commissioner has said in his response to the Bill that “our engagement with stakeholders has made it clear that our relationship with the EU remains of central importance, and the certainty a positive adequacy decision from the EU provides is a top priority”. In the Information Commissioner’s view “the proposed changes in the bill strike a positive balance and should not present a risk to the UK’s adequacy status”. Ultimately that will be a question to be considered by the EU Commission and, if a challenge is made to the UK’s adequacy status, the Court of Justice of the European Union.