With the second reading of the UK Government’s Data Protection and Digital Information (No 2) Bill (the “Bill”) scheduled for Monday 17 April 2023, we thought it an opportune time to highlight the changes to the UK General Data Protection Regulation (UK GDPR) that the Bill proposes.
The Bill, which largely retains the content of the Data Protection and Digital Information Bill introduced in July 2022 (and now withdrawn), does include a sprinkling of additions.
Sponsored by the Department for Science, Innovation and Technology, the Bill has been introduced to a fanfare about how the recommended data reforms will “unlock £4.7 billion in savings”; remove “pointless paperwork”; be “easier to understand, easier to comply with”; and ensure that the “new regime maintains data adequacy with the EU”. It is this need to maintain data adequacy that gives the UK little room to dramatically change the existing UK GDPR and that dictates the parameters of any proposed change. For the UK to retain its adequacy decision, the standard of data protection it provides must remain “essentially equivalent” to that of the EU.
Let us look at the proposed changes, which aim to reduce organisations’ paperwork and the cost of data protection compliance in the UK, as well as to implement the Government’s objectives set out in its National Data Strategy.
Changes proposed in the Bill
Whilst these amendments to the existing regime (UK Data Protection Act 2018 and UK GDPR) are not exactly radical, they arguably do provide more certainty for businesses and reduce the administrative burden whilst maintaining high levels of data protection in keeping with the Government’s objective.
- The term ‘identifiable living individual’: The Bill adds greater clarity with respect to when information being processed counts as information relating to an identifiable living individual with two cases provided by way of example. The first is “where the living individual is identifiable by the controller or processor by reasonable means at the time of processing”. The second is where the controller or processor knows or ought reasonably to know that a third party, who obtains the data through processing, such as, via data sharing, could identify a living individual by reasonable means.
- A regime for scientific research and innovation: The Bill amends the definition of scientific research, widening and clarifying the scope to include processing for the purposes of “any research that can reasonably be described as scientific, whether publicly or privately funded” and explains that scientific research purposes can include processing for commercial or non-commercial activity. The Bill states:
“such references include processing for the purposes of technological development or demonstration, fundamental research or applied research, so far as those activities can reasonably be described as scientific but only include processing for the purpose of a study in the area of public health that can reasonably be described as scientific where the study is conducted in the public interest”.
It is interesting to note that the above explanation is an extract from recital 159 of the GDPR. The UK Government is confident that these changes will facilitate the delivery of more scientific research, with commercial organisations benefitting from the same freedoms as academics to carry out innovative scientific research.
- Processing for the purposes of legitimate interest: The Bill itself introduces examples of processing “that is necessary for the purposes of a legitimate interest”. The non-exhaustive list of activities that may be necessary for the purposes of legitimate interests under Article 6 UK GDPR includes direct marketing (as per recital 47 of the GDPR); intra-group transmission of data for administrative purposes; and ensuring the security of network and IT systems. For these activities, controllers still need to conduct a balancing test to ensure that their interests do not override the rights and interests of the individual.
- The concept of “recognised legitimate interests”: This is a distinct concept that eliminates the need for data controllers to carry out a balancing test for a recognised legitimate interest. Those proposed include public interests; national security, public security and defence; emergencies; and crime, with respect to the detection, investigation or prevention, or apprehending or prosecuting offenders.
- Data subject rights: The “manifestly unfounded or excessive” threshold that must be met for an organisation to demand a fee or refuse to comply with a data subject request under UK GDPR, is replaced with a “vexatious or excessive” threshold, bringing it in line with the Freedom of Information regime. Examples of “vexatious” are given as requests that “(a) are intended to cause distress, (b) are not made in good faith, or (c) are an abuse of process”.
- Automated decision-making: The Bill proposes a replacement for the existing Article 22 of the UK GDPR, entitled automated individual decision-making. A decision is based solely on automated processing where there is “no meaningful human involvement in the taking of the decision”, and in determining whether a decision is made with “meaningful human involvement”, consideration needs to be given to the extent to which the decision is reached by means of profiling.
The new Article 22 introduces restrictions on automated decisions that produce a legal or similarly significant effect for the data subject (a “significant decision”) where the decision is based entirely or partly on (1) special category data; or (2) processing under the proposed Article 6(1)(ea), i.e. processing that is necessary for the purposes of a recognised legitimate interest. Restriction (1) does provide the familiar exemptions of UK GDPR Article 22(2), namely explicit consent, contractual necessity or a legal obligation, but only where special category data is involved, not for all personal data. The Bill does specify certain safeguards that controllers need to put in place where a significant decision is (a) based entirely or partly on personal data; and (b) based solely on automated processing. Nonetheless, this proposed clause is more permissive than the existing Article 22.
- UK Representative: There will no longer be a requirement for non-UK based controllers and processors to appoint a UK representative due to the proposed removal of Article 27 of the UK GDPR.
- Senior Responsible Individual (replacing the Data Protection Officer): The traditional role of a data protection officer is abolished in favour of a senior responsible individual (“SRI”). The appointment of an SRI is only required where an organisation is a public body or carries out high-risk processing. This may well remove the requirement for many businesses to designate a specific individual, although given that DPOs have become an integral part of many companies’ data protection strategy, for some this may well amount to no more than a change of title, if that.
- Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”): The Bill amends PECR to insert a number of new exemptions from the consent requirement for accessing or storing information on a user’s device. These cover purposes that present a low risk to people’s privacy, such as adapting the appearance or functionality of the service when it is displayed on a user’s device (font settings, for example). Other exemptions include the installation of security updates and identifying an individual’s geolocation in an emergency. All but the geolocation exemption remain subject to the usual transparency and opt-out requirements.
The Bill will bring the Information Commission’s enforcement powers for breaches of PECR in line with the UK GDPR: a penalty notice for PECR infringements that attract the higher penalty may impose a fine of up to £17.5 million or 4% of the undertaking’s total annual worldwide turnover, whichever is higher, and otherwise up to £8.7 million or 2% of the undertaking’s total annual worldwide turnover, whichever is higher.
- Records of processing of personal data: The amendments proposed to Article 30 UK GDPR provide that only controllers or processors whose processing “is likely to result in a high risk to the rights and freedoms of individuals” will be required to maintain such records.
- The Regulator: The Information Commissioner’s Office is to be replaced by the Information Commission, supported by a statutory board with a chair and chief executive. Throughout the data protection reform period there has been much discussion, and significant criticism from civil society groups, as to how independent the Information Commission will be under the new legislative regime. The Information Commission will be subject to greater Parliamentary scrutiny, and the Secretary of State will be able to issue a statement of strategic priorities, which the Information Commission has a duty to consider when carrying out its functions, although not in relation to a particular person, case or investigation. In a recent podcast following the introduction of the Bill, the present Information Commissioner has endeavoured to allay public concern about the independence of the regulator.
What is the impact of the Bill?
It has to be remembered that the Bill is only a proposal and may be amended throughout its Parliamentary journey until it receives Royal Assent. However, given the minor differences between the now withdrawn Bill and the current one, it does look as though it could be enacted in something like this form, and it is quite foreseeable that the Bill will receive Royal Assent before the end of this calendar year.
If enacted in its current form, the impact of the Bill is arguably a ripple rather than a wave. Given the high standards of data protection required by the EU, which must be maintained wherever EU data is transferred to, the UK Government, needing to preserve its adequacy status, has only so much room to manoeuvre. For that reason, the proposed Bill does not overhaul the data protection landscape we have matured with over the five years since the GDPR became applicable.
Whilst the proposed regime may make the existing UK data protection law somewhat less prescriptive, companies operating across Europe and beyond may well want to maintain one GDPR standard rather than tailoring their UK compliance to a perhaps less rigorous regime.