Reforming data protection

Following a consultation on reforming the UK’s data protection laws – partly designed to “provide an opportunity for the UK to reshape its approach to regulation” post-Brexit – the government has published the Data Protection and Digital Information Bill (previously dubbed the “Data Reform Bill”).

The forthcoming legislation follows several years of upheaval to the data protection regime, first as a result of the EU General Data Protection Regulation (GDPR) in 2016 which was transposed into UK law by the Data Protection Act 2018 (DPA). Although the EU GDPR is no longer enforceable in the UK following the Brexit transition period, its key principles, rights and obligations were retained in UK legislation known as the UK GDPR.

Changes to the data protection landscape

The following are some of the key changes proposed in the new Data Protection and Digital Information Bill.

Subject Access Requests

Subject Access Requests (SARs) – which can be submitted by individuals in order to gain access to their data – can currently be refused (or a fee applied) if the request is “manifestly unfounded or excessive”. Under the Bill, this exemption will apply instead to SARs which are considered “vexatious or excessive”. This change arguably increases the scope for organisations to refuse SARs or charge a fee, although this will depend on the interpretation by the Information Commissioner’s Office (ICO).

Privacy and Electronic Communications Regulations

Under the Privacy and Electronic Communications Regulations (PECR), all websites which are operated by UK organisations must gain consent from users if they wish to track them with the use of cookies. The only cookies which can be used without consent are those which are “strictly necessary” in order to allow the website to function properly. 

The Bill will expand the types of cookies which are permitted without consent, to include those which are required to obtain statistics (eg Google Analytics) in order to improve the user experience, although the user must still have the ability to opt out.

An interesting new clause to be added by the Bill to the PECR (section 6B) opens up the possibility of enabling web users to provide universal cookie consent, which could potentially put an end to the barrage of cookie consent pop-ups over multiple websites. There are already tools which can prevent many of these pop-ups but they don’t currently allow users to select their preferences.

The Bill also significantly increases the maximum fines for breaches of the PECR, from the current £500,000, to the higher of £17.5 million or 4 per cent of a business’s global turnover.

Data protection flexibility

The Bill aims to make the data protection regime more flexible. For example, it limits the scope of personal data, introducing a subjective test of whether individuals are identifiable by the controller or processor by reasonable means at the time of processing.

The Bill introduces a new list of “recognised legitimate interests” which can be relied upon by organisations for data processing purposes; there will be no need to carry out a legitimate interest assessment if the type of data processing is on this list.

International transfers of data will become more flexible under the Bill compared to the existing EU GDPR framework, with the introduction of a risk-based approach for purposes of adequacy decisions.

Data Protection Officers

The GDPR introduced a requirement for public authorities and organisations carrying out high risk data processing to appoint Data Protection Officers (DPOs) to independently oversee compliance with their data protection obligations. Under the proposed Bill, instead of a DPO, the same organisations will need to appoint a senior responsible individual who “must be part of the organisation’s senior management”. Although their duties will remain the same, their status as part of the management team may potentially lead to conflicts of interest.

Data Protection Impact Assessments

Under the current law, Data Protection Impact Assessments (DPIAs) must be carried out where processing is likely to result in a high risk to individuals. The Bill replaces DPIAs with Assessments of High Risk Processing. In practice, this appears to merely be a change of name.

Data controllers

The Bill removes the requirement for non-UK based data controllers to appoint a data protection representative in the UK.

Information Commissioner’s Office

The name of the ICO will change to the “Information Commission” and it will have some new reporting obligations to the government, as well as being subject to greater oversight by the Secretary of State.

Automated decision making

There is currently a general prohibition on automated decision making (eg using algorithms and AI) under Article 22 of the UK GDPR. The Bill removes this general prohibition and replaces it with specific safeguards, essentially making it easier for organisations to implement automated decision making processes.

What do lawyers need to advise their clients?

The broad aim of the Data Protection and Digital Information Bill appears to be to make the data protection regime slightly more flexible for businesses. However, most of the general obligations will remain, so it’s important to ensure that compliance measures continue as normal. In respect of adhering to the PECR, this is even more crucial in light of the huge increase in maximum fines for breaches.

Organisations should review their data protection procedures in preparation for the new legislation, and consider if they can take advantage of any benefits, such as saving time by implementing automated decision making systems.

Any company documentation pertaining to data protection, such as policies and guidance, should be reviewed in light of the changes. References to obsolete terms such as DPO and DPIAs will need to be updated.

The second reading of the Bill is due to take place on 5 September 2022. It’s worth bearing in mind that a new Prime Minister is due in post around the same time, which could potentially lead to further amendments.

Further reading

UK government formalises data protection reform following consultation – Osborne Clarke

Changes to UK Data Protection Laws: Key headlines – Dentons

UK Data Protection and Digital Information Bill: in detail – Pinsent Masons

Alex Heshmaty is technology editor for the Newsletter. He runs Legal Words, a legal copywriting agency based in the Silicon Gorge. Email alex@legalwords.co.uk.

Photo via Piqsels.