What's the issue?
The UK GDPR is substantially the same as the EU GDPR but the government has long targeted it for reform, arguing that the GDPR is unnecessarily complicated and a burden on businesses.
The government introduced the Data Protection and Digital Information Bill (DPDI1) to Parliament in July 2022 after a lengthy consultation process. It covered reforms to the UK GDPR, Data Protection Act 2018 and PECR, but also:
- access to customer and business data
- electronic signatures, seals and other trust services
- disclosure of information to improve public service delivery
- sharing of data for law enforcement
- information standards for health and social care
- biometric data
- the role of the Information Commission.
The second reading of the Bill was postponed during the Truss government so that "Ministers [could] consider this legislation" after which the then DCMS Secretary of State Michelle Donelan hinted it would be changed. You can read more about DPDI1 here.
What's the development?
The newly created Department for Science, Innovation and Technology (DSIT), has published the Data Protection and Digital Information (No.2) Bill (DPDI2). DPDI2 is largely similar to its predecessor with mostly minimal changes and clarifications. Unfortunately, it still operates by amending existing legislation rather than producing a complete piece of draft new legislation which makes it hard to digest – we hope a Keeling schedule will be published soon which would effectively show tracked changes.
Points to note about DPDI2 compared with DPDI1 include:
- Definition of scientific research – DPDI1 included a definition of scientific research lifted largely from the UK GDPR recitals. Under DPDI2, the definition has been further clarified to specify that it applies whether the scientific research is "carried out for commercial or non-commercial purposes" as well as whether publicly or privately funded. There is a non-exhaustive list of types of scientific research which has been moved from the recitals to the body of the legislation. Further clarification is added to the concept of research into public health which is only included as scientific research where it is in the public interest. As before, controllers are not required to notify data subjects that their data is being used for research, archival or statistical purposes where the data has been collected directly from the data subject and to notify them would be impossible or require disproportionate effort.
- Recognised legitimate interests – DPDI1 provided that in cases of "recognised" legitimate interests, there would be no requirement to carry out a balancing exercise against the rights and freedoms of individuals. The types of interests which were recognised under DPDI1 were public interests including national security, defence and crime prevention. DPDI2 does not change this approach but it moves a non-exhaustive list of the types of processing which may be necessary for the purposes of a legitimate interest from the recitals to the body of the new Bill. This includes direct marketing; intra-group transfers where necessary for internal administrative processes; and processing necessary for ensuring the security of networks and information systems. The Explanatory Notes further clarify that any legitimate commercial activity can be a legitimate interest provided the processing is necessary and subject to meeting the requirements of the balancing test.
- Records of processing (ROPAs) – DPDI1 aimed to simplify the current UK GDPR requirement to keep ROPAs, not only in terms of the information to be recorded, but by providing an exemption for SMEs not carrying out high-risk processing. DPDI2 goes significantly further. It removes the SME exemption and provides instead that ROPAs are only required where high-risk processing is being carried out. The ICO is required to publish examples of processing likely to pose a high risk to the rights and freedoms of individuals.
- Automated decision making – DPDI1 introduced a new definition of solely automated decision-making to the effect that it was solely automated processing involving no human intervention. DPDI2 adds that when considering whether or not there is meaningful human involvement in taking a decision "a person must consider, amongst other things, the extent to which the decision is reached by means of profiling". There is provision for the Secretary of State to make regulations on this subject. This addition is somewhat unclear as to what the role of profiling plays and whether, in itself, it indicates an automated decision subject to Article 22 restrictions.
- International data transfers – DPDI1 introduced a new data protection test for assessing adequacy. This has not changed but the government has further clarified that that transfer mechanisms lawfully entered into before the new Bill comes into effect will continue to be valid and can be relied on going forward so there will be no need for updates.
- PECR, direct marketing and cookies – the provision of soft opt-in for direct marketing for non-commercial activities and other changes introduced under DPDI1 remain, including a new duty on providers of public electronic communications networks to notify the ICO of any reasonable grounds of suspicion of unlawful direct marketing, with penalties for non-compliance, The ICO is required to publish guidance on what constitutes reasonable suspicion, and the Explanatory Notes make it clear that this does not constitute a monitoring duty or an obligation to intercept or inspect communications. There are no changes to DPDI1 proposals on cookies. Significantly increased fines for breach of PECR-equivalent regulations are also retained.
The government has also published a summary of key EHCR issues under the Bill and information standards for health and social care.
What does this mean for you?
The more than six month delay between publication of DPDI1 and DPDI2 does not seem to have resulted in significant changes, therefore pleasing neither those who thought the Bill did not move far enough away from the UK GDPR, nor those who wanted to see less divergence.
For those organisations already compliant with the UK GDPR, few changes will be necessary, although in some cases, they may be desirable, especially where businesses are not also required to comply with the EU GDPR. Nonetheless, there are significant changes and cross-EU border businesses will need to adapt to parallel regimes.
The government continues to assert that the planned changes to the UK data protection regime will not jeopardise EU adequacy although no confirmation of that has been made by the EU. The Secretary of State has considerable scope in the area of data exports so much will depend on whether the government chooses to effectively grant UK adequacy (although the terminology is not the same as the EU's) to countries not similarly approved by the EU.
DPDI2 is considered likely to have a relatively smooth path to enactment given some of the government's original, more radical proposals were dropped following the initial consultation period, and is likely to pass this year. The application date will be set out by the Secretary of State with enabling provisions coming in immediately and a number of sections (including in relation to representatives of controllers or processors not established in the UK) coming in two months after the Bill becomes law.
