December 3, 2022

The Data Protection and Digital Information Bill: Data Privacy Reform in the UK Government

The introduction of Bill 143 to the House of Commons on July 18, 2022, follows the UK Government’s consultation in September 2021. The consultation detailed the UK Government’s proposed reforms to the UK’s data protection regime following Brexit and is a big step towards achieving the planned reform of the UK's data protection framework, with many significant proposed changes for companies to be aware of. To get started, here are some key provisions to consider about this new data protection legislation.

The introduction of Bill 143 to the House of Commons on July 18, 2022, follows the UK Government’s consultation in September 2021, entitled "Data: a new direction." The consultation detailed the UK Government’s proposed reforms to the UK’s data protection regime following Brexit and is a big step towards achieving the planned reform of the UK's data protection framework, with many significant proposed changes for companies to be aware of. To get started, here are some key provisions to consider about this new data protection legislation.

Introduction

The purpose of this proposed legislation is to update UK data protection laws post-Brexit (UK GDPR) when the UK Government departed from the EU GDPR. It wants to reduce burdens for organizations while still maintaining high standards. The government thinks the current rules are too complex and discourage proactive action from companies, so they need to be simplified. This legislation includes more than just the General Data Protection Regulation (GDPR) and its complementary Data Protection Act 2018 (DPA 2018); it also includes the PECR, which provides privacy rights relating to electronic communications.

Definitions

Bill 143 will amend the definition of an identifiable living individual by changing the requirement that information related to a person be considered personal data.

Specifically, Bill 143 states that information being processed will count as information relating to an identifiable living individual where:

  • the living individual is identifiable by the controller or processor by reasonable means at the time of processing; or
  • where the controller or processor knows, or ought reasonably to know that:
    undefinedundefined

The identification of individuals will depend on the controller/processor or any other person who may receive information. As such, Bill 143 also aims to expand when an identifiable living individual is either directly or indirectly identifiable. This depends on whether or not additional information is needed for identification.

Bill 143 amends the definition of research and statistical purposes by adding that processing for scientific research will now be defined as 'any research that can reasonably be described as scientific,' which includes 'processing for the purposes of technological development or demonstration, fundamental research, or applied research. Consenting to a person's data being processed for scientific research must also be ethical. Bill 143 also extends consent to include a person who cannot identify for what purpose their personal data will be used in cases of scientific research.

International data transfers

Bill 143 introduces some big changes to the UK's approach to data transfers. Clause 21 of Bill 143 inserts Schedules 5 (general processing), 6 (law enforcement), and 7 (consequential provisions). These amendments amend Chapter 5 of the UK GDPR and Chapter 5 of Part 3 of the Data Protection Act 2018.

Furthermore, Bill 143 moves away from the 'adequacy test' to a new 'data protection test.' Third-country data protection levels will not be materially lower than "essentially equivalent."Factors that will be considered in a data protection test include:

  • respect for rule of law and human rights in the country or international organization;
  • existence of a competent enforcement authority;
  • arrangements for redress for data subjects, whether judicial or non-judicial;
  • rules about the transfer of personal data from the country or organization to others;
  • any relevant international obligations to which the country or international organizations is subject, specifically noting the Council of Europe's Convention 108; and
  • the constitution, traditions, and culture of the country or organization.

Bill 143 gives the Secretary of State the power to make rules about data protection that companies can use to ensure they meet quality standards.

As a side note, the Information Commissioner’s Office (ICO) has recently updated its guide to Binding Corporate Rules (BCR), including UK-specific guidelines and an approach that aims to make the approval process easier. They only ask for supporting documents once during the UK approval process.

Legitimate interests

Bill 143 says that classifying "legitimate interests" will be replaced by a list of legitimate interests that have already been decided.

  • democratic engagement;
  • national security;
  • public security and defense;
  • processing necessary to the public interest
  • safeguarding vulnerable individuals;
  • detecting, apprehending, or investigating crime; and
  • emergencies.

Data subject rights

Clauses 7–10 of Bill 143 pertain to amendments that affect data subject rights. Information provision obligations are being clarified, though not changed, to ensure clarity that the disproportionate effort or impossibility exemption under Article 14(5)(b) of the UK GDPR applies to all processing where the data was not collected directly from the data subject.

Data subject access requests

Bill 143 includes some noteworthy changes to the current approach to data subject access requests, but it does not require controllers to respond to all requesters. Controllers are now free to refuse requests that are 'manifestly unfounded or excessive.' Rather than requiring controllers to respond to all requesters, Bill 143 describes requests as being 'vexatious or excessive,' and they don't have to be met with a response. 'Vexatious' requests are described in Bill 143 as those that are:

  • intended to cause distress;
  • not made in good faith; or
  • an abuse of process.

Furthermore, any factors to be considered in determining whether a request is vexatious or excessive are clarified, including the nature of the request and its relation to the data subject and controller. Factors such as the resources available to the controller are also considered.

From DPIAs to AHRPs

Removing the Data Protection Impact Assessments (DPIA) requirement is one of the most notable new changes. Bill 143 does away with the scenarios where a DPIA is necessary (per Article 35(3) of the UK GDPR), as well as the requirement to seek the advice of a DPO when carrying out a DPIA. DPIAs are to be replaced by an assessment of high-risk processing ('AHRP').

From ROPAs to appropriate records

Clause 15 would replace Article 30 of the UK GDPR and Section 61 of the 2018 Act. This change would eliminate the requirement for controllers or processors to keep records of processing activities ('ROPAs') related to personal data. Under Article 30A of the UK GDPR, companies must maintain records that include appropriate information about their processing data. Such records must include at least:

  • where the personal data is;
  • purposes for processing;
  • who the controller shared, or intends to share, it with;
  • how long the controller intends to retain it;
  • whether and if so which special categories of personal data are included; and
  • whether the personal data include that which relates to criminal convictions and offences or related security measures.

Every processor should have records containing the controller's name and contact information and where the personal data is stored. Both controller and process records must include information about how personal information is handled, though there are some exceptions to this rule.

Digital verification services

Verification services are defined in Bill 143 as the following:

  • ascertaining or verifying a fact about the individual from information provided otherwise than by the individual; and
  • confirming to another person that the fact about the individual has been ascertained or verified from information so provided.

Digit verification services (DVS), per Bill 143, are the services provided to any extent through the internet.

Firstly, the Secretary of State would be required to draw up a DVS trust framework, which would set out the rules for providing DVS. The Secretary of State would also have to establish a register for DVS providers and might issue 'trust marks' for the duration of their provision.

Automated decision-making

Bill 143 deals with automated decision-making by defining the processing of a decision that doesn't need human intervention. It also says that data subjects only have the right to get a human involved in important decisions of this kind (not ones that have legal effects on them or affect them in a meaningful way), and it keeps all the other rules about automated decisions.

Cookies and tracking technologies

Bill 143 also suggests changes to the regulation of cookies and tracking technologies. Notably, under Bill 143, the types of cookies that don't require a user's permission to be placed on their device will no longer be limited to 'strictly necessary' cookies. Instead, this category will include cookies for gathering statistical information and improving services.

Additionally, Bill 144 empowers the Secretary of State to formulate regulations that automatically enable data technology to consent to or object to cookies' placement. This is intended to reduce the increased pressure of accepting/rejecting cookies across multiple websites.

Direct marketing

Bill 143 defines direct marketing as "any communication (by any means) of advertising or promotion material directed to particular individuals." This new definition is added to the PECR.

Furthermore, Bill 143 proposes that fines under the PECR for nuisance calls/texts will be increased up to the penalties under GDPR of 4% of global turnover or £17.5 million, whichever is greater, similar to the EU GDPR fines.

From DPOs to senior responsible individuals

Instead of a Data Protection Officer, Bill 143 stipulates that an organization should appoint a 'senior responsible individual' who is part of the organization's senior management. This individual is charged with data protection matters within their organization, including dealing with both data breaches and complaints related to data processing. While the mandatory tasks are expanded in some areas (to include certain notification requirements), they are unchanged regarding law enforcement.

UK representatives

Article 27 of the UK GDPR says that controllers and processors need to name representatives in the UK, as with the EU GDPR. Clause 13 of Bill 143 wants to get rid of this rule.

Business data/open data

Bill 143 seeks to encourage the use of 'smart data schemes.' These would let companies securely share data with third-party providers authorized by the customer.

Changes to the ICO

The bill also aims to change the Information Commissioner's name to the Information Commission. It seeks to modify the letter and the practical aspects of the regulatory body's governance structure, duties, and enforcement powers. For one thing, it renames "the principal objective" and adds:

  • to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers, and others, and matters of general public interest; and
  • to promote public trust and confidence in the processing of personal data.

As the UK's data protection watchdog, the ICO acts to promote competition and innovation by ensuring that there is strong protection of personal data. In his opening speech at last year's Data Protection professionals annual conference, the Commissioner admitted that "the reforms and the bill provide good balance improvements." To show its commitment, he also released the ICO's strategic plan for 2020-2025, which outlines how it will achieve its goals in this crucial period for data protection in the UK.

Why is the UK’s EU data adequacy agreement important?

The more the UK diverges from GDPR, the more likely its adequacy agreement with the EU could be undermined. The process ensures that any third-party country that wants to share data with companies and organizations in the EU has a level of data protection that is "essentially equivalent" to GDPR.

When the UK and EU reached an adequacy agreement in 2021, the EU included a "sunset clause," which allows Brussels to terminate the agreement after four years. The European Commission is also monitoring data laws in the UK. It can withdraw the adequacy decision at any time if Britain "deviates from the level of protection currently in place."

Conclusion

In summary, many of the changes proposed by Bill 143 appear to be in line with the Explanatory Notes that say it aims to reduce the burden on businesses. A DPIA has been completed by the Department of Culture, Media and Sport (DCMS). Following this positive assessment, members of Parliament will then take Bill 143 up at its Second Reading, but after the appointment of Liz Truss as the UK’s new Prime Minister, the speech has now been postponed. There is no indication of when the second reading will take place.

Schedule a call to learn more