UK data protection – a new era?

In September 2021, the UK government gave us the first glimpse into its post-Brexit vision for data protection in its consultation, 'Data: a new direction'. Recognising the huge strategic value of personal data in the modern global economy, the government's proposals, as part of the National Data Strategy, promised to secure "a pro-growth and trusted data regime" to help achieve its ambition to establish the UK as the most attractive global marketplace. 

While committed to maintaining high standards of data protection and public trust in the use of personal data, the stated aim of the proposals was "to give organisations greater flexibility to find the most effective and proportionate way of protecting people's personal data".  Reforms to the Information Commissioner's Office, through risk-based and preventative supervision, improved governance, accountability and transparency, would also ensure those high standards and trust were maintained. 

The key benefits to business would, the government suggested, be in:   

• providing better clarity and certainty for businesses on how to interpret and implement data protection laws, particularly around innovative new technologies
• reducing disproportionate burdens on business to deliver better personal data processing outcomes
• providing a range of reforms to create an autonomous UK international data transfer regime to remove unnecessary obstacles to cross-border personal data flows
• enabling better delivery of public services through improved use of and access to data.

Consultation responses showed broad support for the Data Reform Bill, although concerns were expressed regarding the relaxation of certain obligations, including the re-introduction of a nominal fee for data subject access requests, removal of the need to carry out a legitimate interests balancing test for specified activities where children's data was involved, removal of the requirement to conduct data protection impact assessments, and removal of the requirement to appoint a data protection officer.   

The resulting Bill, its name changing from the Data Reform Bill to the Data Protection and Digital Information Bill (DPDI Bill), was introduced to Parliament on 18 July 2022. 

Some of the key differences between the requirements set out in the DPDI Bill and those in the UK General Data Protection Regulation, and e-Privacy Regulations are highlighted below.

Clarified definitions to ease implementation of data protection laws

The practical application of data protection rules often creates uncertainty for businesses seeking to monetise personal data by harnessing statistics both for internal corporate use and for external re-use. There can be a lack of clarity as to whether removal of certain features of the personal data renders it truly anonymised, or whether it becomes merely pseudonymised and therefore remains subject to the data protection regime.  Clearly the need for businesses to make that distinction is fundamental to formulating their data strategy.      

In terms of how the pivotal definition of "personal data" compares between the UK GDPR and the DPDI Bill, the basic definition is retained.  However some clarification is provided in the new definition in the DPDI Bill.  Essentially this features around the "identifiability" element of personal data, that is whether the data relates to an individual who is or can be identified.  Clarification is provided that in examining the threshold for personal data, the question of identifiability is to be judged from the perspective of persons other than the controller or processor of the processing in question, and data will only be identifiable where that other person will, or is likely to obtain the information as a result of the processing.   

Although this clarification is helpful, it does not entirely remove the often difficult value judgments that businesses face in establishing how likely identifiability is to arise, and in understanding precisely what external factors, knowledge of which may not be available to them, will come into play.

Identifiability is a key consideration for organisations seeking to comply when processing personal data for scientific or historical research purposes. The UK GDPR currently provides exemptions for personal data processed for the purpose of scientific or historical research.  The DPDI Bill provides limited clarification as to what amounts to scientific or historical research.  It merely incorporates into the definition guidance which is broadly similar to the interpretive guidance already found in the recitals to the UK GDPR.  Those organisations which rely on consent as a lawful basis for processing personal data for scientific research may face compliance challenges where the research objective cannot be fully identified and expressed from the outset of the processing. Recitals to the UK GDPR contemplate the possibility of more general consents being acceptable in such cases, provided the research is consistent with recognised ethical standards, and consents to only parts of the research. Disappointingly, there seems to be little additional clarification provided in the DPDI. See here for more on the DPDI Bill and research provisions.

Relaxation of legitimate interests assessment

Processing of personal data where necessary for the legitimate interests of the controller or a third party, is recognised in the UK GDPR as a lawful basis for processing personal data, provided those interests do not override the interests and fundamental rights of the data subject.  Reliance on this processing ground requires a careful balancing test to be undertaken.  The DPDI Bill removes this requirement in respect of situations where it has designated the interest to be a "recognised" one.  Perhaps one of the more eagerly awaited rule relaxations following the consultation, the resulting focus of the DPDI Bill on only public type interests, such as national and public security, defence, crime prevention, and democratic engagement, may be a disappointment in some quarters. Although there is scope for this list of recognised interests to be extended in future, there is no indication as to when that might happen and what it would include.

Purpose limitation

The UK GDPR prohibits further processing of personal data where this would be incompatible with the specified, explicit and legitimate purposes for which it was collected.  While a similar compatibility test to that in the UK GDPR is maintained, additional helpful clarification is provided in the DPDI Bill by way of an extensive list of compatible purpose scenarios, including notably, research, archiving and statistics, and various public interest type situations.  However, scope to use this compatibility provision is limited where the lawful processing basis relied on is consent.  See here for more.

Data subject rights

The existing threshold for refusing data subject requests where "manifestly unfounded or excessive" is changed to "vexatious or excessive".  Certain factors which may be taken into account in determining this threshold, are specified in the DPDI Bill.  This includes requests intended to cause distress, made in bad faith or where there is an abuse of process.  Clarification is provided as to the required timeframe for a controller to respond to a data subject request - where the controller has requested that the data subject confirms their identity, pays fees due, or reasonably provides further information, this serves to 'stop the clock' until such time as these request(s) is/are satisfied.

The UK GDPR provides an exemption to the data subject's right to be provided with specified transparency information, including where the controller does not obtain the information directly from the data subject.  This exemption applies where it would otherwise be impossible to provide such information, or the provision of such information involves disproportionate effort.  This is expanded in the DPDI Bill to include processing of personal data captured directly from the data subject, but only where this is for research, archiving and statistical purposes.   

The DPDI Bill creates a new baseline rule on solely automated decisions/profiling having legal or similarly significant effect on the data subject.  It provides that such processing is only restricted where it involves special category personal data and provided certain conditions are met.  These safeguards are essentially the same as are already provided for in the UK GDPR, although now clarified to include provision of information to data subjects about such decisions, a mechanism for the data subject to make representations, and for the decision to be retaken with human intervention. 

Accountability

Accountability requirements remain under the DPDI Bill, however the requirement for controllers and processors not established in the UK to appoint a UK representative, is removed.  Further, the exemption from the requirement to keep records of processing has been expanded to include any organisation with fewer than 250 persons provided it does not conduct high risk processing.

The DPDI Bill still requires controllers to conduct an assessment of high risk processing, however it does not, as is currently the case in the UK GDPR, specify types of high risk processing (eg large scale processing and special category data) which automatically require such assessment.  Alternatively, it provides, for example, that the risks and proposed mitigations of such risk be covered in the assessment.  The practical implications of this change is not yet clear, and it remains to be seen whether an assessment of the same data processing activity under the proposed new requirements would reach a fundamentally different conclusion than if it were assessed in accordance with existing UK GDPR rules. 

One aspect of accountability where there is a clear difference between the existing and new position is in relation to the obligation on controllers to consult with the Information Commissioner regarding high risk processing - this changes to become optional.

The criteria for a controller or processor to appoint a senior responsible person (SRI) to provide compliance oversight, is expressed in the Bill by a more general reference to "high-risk" processing, or is related to whether they are a public body, as opposed to specific situations or types of processing as is currently the case in the UK GDPR.  The SRI's tasks are broadly similar to those of a Data Protection Officer under GDPR, although notably now more advisory than imposed.  The processor's SRI acts as a point of contact and must still cooperate with the Information Commissioner, as well as monitor its organisation's UK data protection compliance. See here for more on accountability requirements under the DPDI Bill.

International data transfers

The DPDI Bill largely maintains the same mechanism for transfers to third countries or organisations as the UK GDPR.  Accordingly, adequacy decisions, specified safeguards such as Standard Contractual Clauses and Binding Corporate Rules, and specified derogations continue to be highly relevant.  The Secretary of State is given power to approve transfers through separate regulations where the so-called "data protection test" is met. The desirability of facilitating data transfers to and from the UK is one factor that the Secretary of State will be able to take into consideration in approving transfers.  Other options open to the Secretary of State are to approve transfers subject to appropriate safeguards, to provide for additional derogations, and to restrict transfers to and from the UK where such transfers are deemed necessary for important public interest reasons.  See here for more on the impact of the Bill on data transfers.

ePrivacy Regulations

With regard to cookies and similar technologies, the existing baseline position in the UK is that the storage of or access to information in a user's terminal equipment is prohibited unless necessary to provide the requested service.  Additional exceptions are provided for in the DPDI Bill.  These exceptions are cookies/other technologies used to collect statistics about an information society service to improve that service, geolocation of an individual in the event of emergency, installation of the necessary security updates to software, and website appearance or functionality adaptations to reflect user preferences.   

The DPDI Bill also extends the circumstances in which the so called 'soft opt-in' exception can be relied on for sending direct marketing communications by electronic mail to "individual subscribers".  Accordingly soft opt-in can also be relied on in instances where the communication is for the purpose of furthering certain objectives including political and charitable, or other non-commercial objectives.  This is, however, conditional on the contact details having been obtained during the course of the individual expressing an interest in, or offering support to, that objective.

Public information service providers and networks become subject to a new duty to notify the Information Commissioner of any suspicious activity relating to unlawful direct marketing.  Failure to comply with such duty could render the information service provider and networks to a fine of up to £1,000.

Other UK enforcement powers under the UK ePrivacy Regulations become broadly aligned to those available under the UK GDPR, including fines for breach of the cookies and direct marketing requirements.  These increase from a maximum of £500,000 under the existing regime, to a maximum of €20 million or 4% of annual worldwide turnover, whichever greater.

What does this mean for future data protection compliance?

Despite the claims that the DPDI Bill will remove or ease certain aspects of the regulatory data compliance burden for organisations, until the list of recognised legitimate interests is expanded, and the available pathway to introducing additional international data transfer mechanisms is utilised, the changes appear relatively superficial. If anything they may add to the compliance burden by requiring cross-border organisations to comply with two similar but different regimes in the UK and EU.

The second reading of the DPDI Bill, due to take place on 6 September, was postponed prompting speculation that the new administration may want to revisit the reforms.  Whether or not they become more radical, remains to be seen.