UK government reignites data protection reform

On 8 March 2023, the UK government introduced the Data Protection and Digital Information (No.2) Bill. The bill is the result of the significant consultation held by the government in 2021, entitled "Data: a new direction ". It is the second version of the bill, replacing the original published in July 2022.

While the bill proposes wholesale changes to the UK's privacy framework, those changes can be characterised as an evolution, not a revolution. That said, the EU will undoubtedly be keeping a close eye on its progress insofar as the UK's adequacy status and the free flow of personal data between the EU and the UK are concerned.

The bill aims to reduce the administrative burden on businesses, promote innovation and reform the Information Commissioner's Office (ICO). It spans 205 pages, and mostly reflects what was proposed in the government's response to the consultation (about which, see our Insight), and what was covered in the original version.

However, there are some important changes introduced by the bill that businesses will need to consider should it come into effect as proposed, discussed below.  Businesses should also be aware that the bill includes to the definition of personal data.

Records of processing

Businesses (whether controllers or processors) will only need to keep records of processing where a  processing activity is likely to result in a high risk to the rights and freedoms of individuals, regardless of the size of their business (including the number of employees the business has).

In practice, the requirement to create and maintain records of processing under the General Data Protection Regulation (GDPR) has become something of an administrative burden for many businesses, so this proposed change may well save some businesses time and costs.

Removal of Data Protection Officers

Businesses will no longer need to appoint a Data Protection Officer (DPO); instead, if they carry out high risk processing (or are a public authority), they will be required to designate a "senior responsible individual" who will be accountable for data protection compliance.

While the day-to-day obligations of this role will not change dramatically, the individual must now be part of the business's senior management, as opposed to the current position, where the DPO reports to senior management but has to be independent of it. This flexibility is likely to be welcome news to businesses.

Removal of DPIAs

Businesses will no longer need to conduct data protection impact assessments (DPIAs). Instead, they will need to implement an "assessment of high risk processing".

This change aims to streamline data protection records by focusing a business's attention on how it operates, and introducing appropriate measures depending on the type of data it processes: for example, the bill removes the list of activities deemed to be high risk which was in the GDPR.

It remains to be seen whether this will amount to little more than a change of name in practice.

Removal of need for a UK representative

Data controllers that are not established in the UK no longer need to appoint a data protection representative within the UK.

Data subject access requests

The bill changes the test for refusing and charging for data subject access requests. If enacted, the "manifestly unfounded and excessive" test would be replaced by a "vexatious and excessive" test.

The government proposes that the adoption of this new test will allow businesses greater autonomy in refusing requests when the system is clearly being abused, although the devil will be in the detail as to how the Information Commissioner's Office (ICO) interprets the new test. (For more on this, see our Insight.)

Expanding use of cookies without consent

Currently, only "strictly necessary" cookies may be used without consent. The bill expands the categories of cookies that do not need consent to be dropped, including cookies collecting data for purposes such as statistical analysis and improvement of service or website use; however, users would still need to be given comprehensive information, and an opportunity to opt out.

Legitimate interests

In its operative provisions, the bill now includes examples of the types of processing that may be considered necessary for the purposes of a legitimate interest. These include processing for direct marketing purposes, intra-group transmission of personal data for internal administration purposes, and processing which is necessary to ensure the security of network and information systems.

However, these are only examples and, unlike the new concept of "recognised legitimate interests" (below), a controller will still be required to ensure its interests are not outweighed by the data subject's rights and interests.

'Recognised legitimate interests'

The bill introduces a limited number of "recognised legitimate interests". This means that, provided a business can demonstrate that processing is "necessary" for one of the recognised legitimate interests, that business will no longer be required to balance its legitimate interest against the data subject's interests, rights and freedoms.

Currently, the list of recognised legitimate interests is limited to areas including processing necessary in the public interest; national security, public security and defence; emergencies; safeguarding vulnerable individuals; and democratic engagement. The bill enables the Secretary of State to add new categories.

Changes to international transfers

A risk-based approach to the international transfer of personal data is introduced, meaning that organisations would be able to assess the data protection risks involved in using mechanisms such as the ICO's international data transfer agreement (IDTA) or Addendum for those transfers, and then decide on appropriate mitigation measures.

The bill also confirms that data transfer mechanisms lawfully entered into before it comes into force will continue to be valid afterwards.

Using the same risk-based approach, the Department for Science, Innovation & Technology would be able to make future UK adequacy decisions; however, this approach is different to that required for adequacy decisions under the GDPR. The requirement under the bill is a "not materially lower" standard of protection in the recipient country, whereas under the GDPR it is an adequate level of protection, interpreted as "essentially equivalent".

Automated decision-making

The bill reframes the provisions on automated decision-making to be a requirement for safeguards to be in place, rather than a prohibition with exceptions. More stringent provisions apply where an automated decision is based entirely or partly on special categories of personal data.

The Secretary of State may also make secondary regulations providing for cases where there is, or is not, to be taken to be meaningful human involvement in decision-making (meaningful human involvement being required to prevent processing from constituting automated decision-making).

Scientific research

The existing exceptions which apply for processing for the purposes of scientific research have been amended to make clear that they cover any research that can reasonably be described as scientific, whether  publicly  or  privately  funded,  and  whether  carried  out  as  a commercial or non-commercial activity.

ICO restructure and new identity

The ICO's name will change to the Information Commission. The Information Commission will act as an independent body corporate, with new reporting obligations to the government.

The Secretary of State will have greater oversight over the Information Commission, which means the government has the potential to influence guidance and codes of conduct.

Changes to PECR

The bill increases the maximum amount of fines under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) to be brought in line with the UK GDPR and Data Protection Act 2018, enabling the ICO to issue fines of up to £17.5 million or 4% of a business's global turnover for breaches of certain regulations under PECR, and up to £8.7 million or 2% of a business's global turnover for other breaches of PECR.

Providers of public electronic communications services will have an obligation to notify the ICO if they have reasonable grounds for suspecting that their users have contravened the direct marketing rules.

Osborne Clarke comment

The changes introduced by the bill to the UK's privacy framework are not unexpected, given they mostly reflect the government's response to its consultation. The second iteration of the bill makes relatively few substantive changes to the first version, though there are some useful changes, including on record keeping and international transfers and on scientific research.

The bill represents a small step away from the EU GDPR, rather than the giant leap that might be preferred by some businesses, perhaps in part because the UK government will be mindful of the risks involved in diverging too far from the EU GDPR, given that the EU-UK adequacy decision is scheduled for review in 2024.

The benefits of the free flow of data between the UK and the EEA for many UK businesses are likely to be favoured over the current administrative burdens of compliance using alternative mechanisms such as standard contractual clauses and the IDTA, especially for global businesses well acquainted with the requirements of the GDPR.

The bill is now awaiting a second reading, which is expected to happen in a matter of weeks. If it has not received Royal Assent by the end of the current parliamentary session in October, it will fall unless it is formally carried over into the next parliamentary session (which cannot be assumed, but is not unusual for significant legislation).

The Osborne Clarke data protection team will continue to monitor these developments, but if you would like to discuss any of these issues further, please get in touch with your usual Osborne Clarke contact or one of our experts below.