26 September 2022
September - The UK's Data Protection and Digital Information Bill – 5 of 6 Insights
The GDPR is regularly cited in some quarters as an example of unnecessarily bureaucratic EU law. Whether or not you agree with that assessment, it has been targeted for 'reform' since before the conclusion of Brexit by successive Conservative governments.
In the dying days of Boris Johnson's tenure as Prime Minister, the government slightly unexpectedly published its Data Protection and Digital Information Bill, which many thought would be held back until a new Tory leader was in place.
In the run-up to her election as Conservative Party leader, new Prime Minister Liz Truss pledged that all EU retained law would be reviewed and amended or repealed by the end of 2023. How then should we interpret the fact that the second reading of the Bill was postponed to allow "ministers to further consider this legislation", and what does it mean for the future of data exports?
The government formally announced its plans to depart from the EU GDPR in August 2021. Agreeing new third country adequacy regimes for data exports, initially with the USA, Australia, Republic of Korea, Singapore, Dubai International Finance Centre and Colombia, was a central tenet of its ambitions. The government also published a mission statement on the UK's approach to international data transfers, and a UK Adequacy Manual, as well as plans for a Data Transfers Expert Council to support the facilitation of international data flows. These plans were set out in more detail in the accompanying consultation, Data, a new Direction. Proposals around data transfers included:
To some extent, these plans were uncontroversial – the EU had itself updated its Standard Contractual Clauses, so the UK's plans to overhaul its own, now out-of-date SCCs were not surprising (and this has already taken place). More of an issue, however, was the possibility of organisations being allowed to create or identify their own alternative transfer mechanisms and, while the EU is also looking at finding a data transfer solution to facilitate US data transfers, there were concerns the UK might be less rigorous in its approach.
Respondents to the consultation voiced an overriding view that the government must do nothing to prejudice the EU-UK adequacy agreement which allows for the free flow of personal data from the EEA to the UK following Brexit. While half the respondents agreed with a risk-based approach to adequacy, and some thought a flexible approach to adequacy decisions was desirable, there were doubts expressed about proposals to allow the Secretary of State a high level of discretion on new data transfer mechanisms and adequacy agreements. In addition, voices from the European Union, including the European Data Protection Supervisor, warned that the EU adequacy agreement would be at risk if the UK did anything to lower its data protection standards.
The Data Protection and Digital Information Bill was introduced to Parliament in July 2022. Schedule 5 of the Bill deals with amendments to Chapter 5 of the UK GDPR. Schedule 6 covers transfers to third countries for law enforcement processing and is outside the scope of this article.
When are international transfers permitted?
Under the Bill, transfers of personal data outside the UK will be allowed where:
The data protection test
The data protection test allowing the Secretary of State to make regulations approving transfers will be met if the standard for general processing of personal data in a country or international organisation "is not materially lower than the standard of protection under the UK GDPR and relevant parts of the 2018 Act". In deciding whether or not the test is met, the Secretary of State must consider, among other things:
Monitoring obligations and restriction
The Secretary of State is required to monitor developments in the relevant country or organisation to ensure that anything which might affect decisions to make export regulations is taken into account and such decisions are amended or revoked accordingly where the data protection test is no longer met.
They also have the power to restrict transfers of categories of personal data to a third country or international organisation where there is no positive regulation allowing it and where the restriction is in the public interest under a new Article 49A.
Finally, the Secretary of State is required to publish a list of third countries and international organisations which benefit from transfer regulations, as well as a list of those that were but are no longer approved.
Transfers must be made only where appropriate safeguards are in place. This requires:
The ICO may also authorise safeguards provided for by contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation, or under provisions to be inserted into administrative agreements between a public body and other person(s) which include enforceable and effective data subject rights.
Article 49 derogations
Aside from the insertion of a new Article 49A mentioned above, the main change to Article 49 is a new Article 49(4)(A) which allows the Secretary of State to make regulations to specify situations in which a transfer is or is not (as the case may be) necessary for reasons of public interest.
While many of the initial proposals on data transfers, notably the risk-based approach, and powers for the Secretary of State have made it into the Bill, the government decided not to legislate to exempt reverse transfers from data transfer rules. Nor did it include a more flexible approach to data transfer derogations (under current Article 49).
Nonetheless, the considerable discretion afforded to the Secretary of State, together with the government's stated ambition of widening the data adequacy net, has rung alarm bells. The European Data Protection Supervisor reportedly expressed concerns about the UK's plans for potential adequacy arrangements between the UK and the USA, although he appeared less worried about any impact of the Bill on data protection standards in the UK itself. The European Commission can suspend or revise the EU-UK adequacy arrangement if it feels there is sufficient threat to EU data, so the UK will have to tread a careful line if it is to extend its adequacy agreements beyond the countries which benefit from equivalent EU decisions.
As ministers now appear to be re-considering the DPDI Bill, we wait to see whether there will be changes to the overall approach and, more specifically, to the data transfer regime. At the time of writing, the government's plans are opaque. It may be that the pause is just to allow a quick review by the new Secretary of State. On the other hand, it is also possible that the Bill has been paused because the new incumbent, Michelle Donelan (and possibly also the Prime Minister), believes the Bill does not sufficiently reform current law. This puts the position in the UK back to one that is more uncertain. The EU will be watching developments closely, as will we.
Debbie Heywood looks at the proposed changes to the UK's rules on exporting personal data to third countries under the Data Protection and Digital Information Bill.