On March 8, 2023, the Data Protection and Digital Information (No. 2) Bill was introduced to the UK Parliament by the Department for Science, Innovation and Technology (DSIT). If enacted, the Bill will make changes to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations (PECR). The Bill would facilitate certain types of data processing by redefining the parameters of what constitutes “personal data,” removing certain requirements and prohibitions, applying exemptions, and creating greater legal certainty regarding the permissibility of certain forms of personal data processing. However, the fundamental principles of the UK GDPR, DPA 2018, and PECR—including the range of available data subject rights, core controller and processor obligations, and the wider constitutional and regulatory environment for privacy—would be unaffected by the Bill.
Below are some of the key provisions that would affect businesses, such as organizations operating within the United Kingdom and organizations outside the UK that offer products or services to UK residents or monitor their behavior.
Definition of personal data. Under the Bill, an individual would only be considered “identifiable” if (a) he or she is identifiable by the controller or processor “by reasonable means”—being those that the person is reasonably likely to use—“at the time of the processing”; or (b) where the controller or processor “will, or is likely to, obtain the information as a result of the [data] processing.” If the organization in question does not have, and is not likely to obtain, such information, the data would be considered anonymous and out of scope of the Bill.
Legal basis. The Bill proposes to introduce a new lawful basis for processing, namely processing that is necessary for the purpose of “recognised legitimate interests.” This would remove the need for organizations to balance their legitimate interests with the data subject’s rights and interests where the purpose for processing the subject’s data is on the list of recognized legitimate interests. These “recognised legitimate interests” would cover purposes for processing such as “[n]ational security, public security and defence”; “[e]mergencies”; “detecting, investigating or preventing crime,” or “apprehending or prosecuting offenders”; “[s]afeguarding vulnerable individuals”; and “democratic engagement.” The Bill includes “examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest.” These examples are not part of the “recognised” list of legitimate interests and so a balancing test may still be required. These examples include “direct marketing,” “intra-group transmission of personal data … where that is necessary for internal administrative purposes,” and ensuring “the security of network and information systems.”
International transfers. The Bill does not propose significant changes to the current international transfers regime. It makes clear that alternative transfer mechanisms lawfully entered into before the Bill takes effect will continue to be valid. However, the Bill would introduce a new approach to the test for adequacy and to carrying out a transfer impact assessment. The threshold for this new “data protection test” is whether a jurisdiction offers protection that is “not materially lower” than under the UK GDPR.
Records of processing activities (ROPAs). Under the current laws, organizations are exempt from record-keeping requirements (i.e., ROPAs) where fewer than 250 people are employed and where there is no high-risk processing. The Bill would exempt organizations from the duty to keep records of processing unless they are carrying out activities that pose “a high risk to the rights and freedoms of individuals.”
Data protection impact assessments (DPIAs). The Bill would replace the obligation to conduct a DPIA with an “[a]ssessment of high risk processing.” The Bill would also remove the list of circumstances in which an organization is required to conduct a DPIA, and would make consulting the Information Commissioner’s Office (ICO) optional where an assessment indicates that the processing would be high risk (consultation is currently mandatory in that case).
Privacy personnel. The UK GDPR currently requires the designation of a data protection officer (DPO) where processing is carried out by a public authority, or where an organization’s core activities consist of (i) systematic monitoring of data subjects on a large scale, or (ii) large-scale processing of special category or crime-related data. The Bill would replace the requirements relating to the designation and roles of the DPO with a senior responsible individual (SRI). SRIs would only be required for public bodies or where there is high-risk processing. The Bill would also remove the requirement for organizations not established in the UK to appoint a UK-based representative.
Data subject rights. The Bill would amend the “manifestly unfounded or excessive” exemption for refusing to respond to (or charging a fee for responding to) the exercise of data subject rights under the UK GDPR. This exemption would be replaced with an exemption where requests are “vexatious or excessive.” The Bill also provides a non-exhaustive list of factors that would be considered when determining whether a request meets this new threshold, including whether a request is intended to cause distress, is not made in good faith, or is an abuse of process.
Cookies. The Bill would widen the situations in which cookies and similar tracking technologies can be used without the user’s consent. The current exceptions to consent, where an opt-out could instead be relied upon, would be expanded beyond “strictly necessary” cookies to include (subject to certain conditions) the use of cookies for several purposes, such as to (a) collect information about an “information society service” to make improvements, (b) make improvements to the service or website, and (c) make software updates for the security of the user’s device. That said, the Bill would maintain the requirement that users must be provided with clear, comprehensive information and a simple means of opting out.
Automated decision-making. The Bill would substitute Article 22 of the UK GDPR with Articles 22B and 22C, which clarify that the UK GDPR’s restrictions on automated decision-making should only apply to decisions that are the result of automated processing without “meaningful human involvement,” and which require organizations that make such decisions to disclose this to individuals and to give individuals the ability to challenge decisions by seeking human involvement. The Bill would also provide that the Secretary of State may, by regulation, specify certain decisions as having the required “significant effect for the data subject” and add to, vary, or make specific requirements in relation to the safeguards.
Information Commissioner’s Office reforms. Part 5 of the Bill proposes to replace the Information Commissioner with an Information Commission, a body more closely resembling other statutory regulators such as the Competition and Markets Authority. The Bill would also empower the Secretary of State to designate, from time to time, a “statement of strategic priorities” setting out the government’s strategic priorities relating to data protection, and would require the Information Commission to have regard to this statement in exercising its functions. This would increase the power and influence of data protection enforcement.
Next Steps
The new draft Bill will now need to go through the legislative process, starting with its “second reading” in the House of Commons, which is expected to take place within the next few weeks. The subsequent committee stage will involve a detailed examination of the Bill, during which parliamentarians will be able to propose amendments and evidence may be taken from experts and interest groups.