On March 8, 2023, the UK government published the Data Protection and Digital Information (No. 2) Bill (the “Bill”) which proposes to update the current UK data protection regime.
The Bill and its Explanatory Notes can be found here and here (respectively).
The Bill is the culmination of a process that started with the UK government’s National Data Strategy, announced at the end of 2020. In September 2021, the UK government launched a consultation setting out its proposed reforms of the UK’s data protection regime following Brexit, in particular, the General Data Protection Regulation (EU) 2016/679 as it forms part of retained EU law in the UK (“UK GDPR”), with an aim to create “a more pro-growth and pro-innovation data regime whilst maintaining the UK’s world-leading data protection standards”.
In response to the consultation, the UK government introduced its first draft of a reform bill on July 18, 2022 (the “first Bill”). However, in October 2022, after a change of leadership, the government announced an intention to introduce additional changes and to replace the UK GDPR “with [a] business and consumer-friendly, British data protection system.”
The Bill reflects those objectives, which the government hopes will reduce administrative and financial burdens on organisations and provide them with greater flexibility on how to comply with certain aspects of the UK data protection law.
Key changes:
The Bill does not intend radically to change the core principles, concepts and obligations of organisations under the current UK data protection regime.
Some key takeaways from the Bill include:
- Legitimate interests: the Bill introduces a list of “recognised” legitimate interests where a legitimate interest assessment is not required. This means that data controllers need not assess whether such processing is overridden by the interests or rights of the data subject on a case-by-case basis. These legitimate interests include processing for purposes such as national security, defence, emergencies, preventing crime, safeguarding and democratic engagement.
  In addition, the Bill introduces a list of examples of processing purposes where it says legitimate interests may exist. These include: i) direct marketing; ii) intra-group transfer of data; and iii) security of network and information systems. This proposal is unlikely to materially change the current position under the UK GDPR, as the recitals of the UK GDPR already call out the abovementioned purposes as examples where legitimate interests may exist, and companies will still need to carry out a legitimate interest assessment for processing conducted for these purposes. However, the fact that the Bill specifically recognises that legitimate interests may apply for certain processing activities may provide a degree of legal certainty for some organisations.
- Scientific research: there are certain exemptions under the UK GDPR that apply to the processing of personal data for scientific research purposes. The Bill amends the definition of “scientific research” to clarify that processing for commercial purposes may also constitute “scientific research”, which again will provide legal certainty for some organisations.
- UK Representative: the Bill proposes to remove the GDPR obligation that applies to non-UK organisations to appoint a representative in the UK.
- Cookies: the Bill proposes to remove the requirement to obtain consent for the placement of cookies (and similar technologies) for certain ‘low-risk’ processing purposes. These purposes where consent will not be required include:
  - Collecting statistical information about how a website is used (e.g., using analytics cookies for analysing how many people are accessing the website, and what they are clicking on);
  - Enabling the appearance or function of a website to reflect user preferences (e.g., functionality cookies); and
  - Installing software updates on a device that are necessary for security reasons.
- Direct marketing: the Bill imposes a duty on public electronic communication services and networks (PEC services and networks) to notify the UK’s Information Commissioner’s Office (ICO) where they have reasonable grounds for suspecting that a breach of the direct marketing rules might be occurring (e.g., indication of speculative, unsolicited marketing).
- Breaches of PECR: the maximum penalty that can be imposed in the event of an infringement of the Privacy and Electronic Communications Regulations (PECR), which is the UK regulation implementing the EU e-Privacy Directive, is increased from the current maximum of £500,000 to either 4% of global turnover or 17.5 million GBP, whichever is greater.
- Records of processing activities: the Bill limits the obligation to maintain records of processing activities to only organisations that carry out processing activities that are likely to result in ‘high risk to the rights and freedoms of data subjects’.
- International transfers: the ‘data protection test’ to be used to assess whether a third country to which personal data is to be exported provides a standard of protection that is acceptable from a UK data protection standpoint, which was originally proposed by the first Bill, has been retained. The test will be met if the standard of protection for the processing of data in the third country is not ‘materially lower than the standard of protection’ under the UK data protection law. The Bill also clarifies that the transfer mechanisms (such as the International Data Transfer Agreement and the UK Addendum) entered into before the Bill takes effect will continue to be valid.
Practical impact:
Save for a few additional obligations that will apply to a small group of companies (PEC services and network providers), the Bill does not introduce any new obligations and therefore most companies will be compliant with the Bill if they are compliant with the EU GDPR.
Some of the changes proposed by the Bill can indeed help reduce paperwork and certain red tape. For instance, organisations are likely to benefit from the proposed removal of the requirement to obtain consent for the placement of certain cookies for ‘low-risk’ processing, and for non-UK organisations, the obligation to appoint a UK representative.
However, multi-national organisations that also have EU operations may need to take care when considering whether to revise their data protection governance framework to fully take advantage of the changes proposed by the Bill. For example, they may need to consider whether they are able to segregate the UK data from the EU data in order to ensure that the changes proposed by the Bill do not also apply to the EU data. This segregation may prove difficult for companies that for decades have treated the UK and EU data in the same way under one single data protection governance framework.
UK adequacy decision:
The EU’s UK adequacy decision is limited in duration and will expire on June 27, 2025 (unless it is revoked or renewed before then). Once the current UK adequacy decision expires, the EU will renew the adequacy only if it determines that the UK continues to ensure an adequate level of data protection.
Whether or not the Bill will have any impact on the UK adequacy decision is therefore still not clear, but the process is largely out of the control of the UK government. There may be some areas, such as the independence of the ICO, which may potentially be of concern to the EU. There could also be external factors, such as the political climate and the relationship between the UK and EU, that may have an impact on the EU’s determination as to whether to renew the UK’s adequacy. The UK government and the ICO have repeatedly expressed that adequacy does not mean equivalence so there should be some scope for change. As noted above, the Bill does not radically change the core principles, concepts and obligations of organisations as compared to the current data protection regime, and therefore one could argue that the UK data protection regime remains the closest aligned with the EU data protection regime. However, ultimately, the final decision will rest with the EU.