On March 8, 2023, the Data Protection and Digital Information (No. 2) Bill (the Bill) was presented to the UK Parliament by Michelle Donelan (the Secretary of State for Science, Innovation and Technology). The Bill is designed to reform the UK GDPR, the UK Data Protection Act 2018 and the Public and Electronic Communications Regulations 2003, making data protection compliance easier for businesses to understand and implement.
The Bill replaces the earlier bill (the original bill), issued last year in July 2022. The original bill relaxed some of the requirements of the UK data protection laws and introduced new powers for the Information Commissioner’s Office (ICO), which have broadly been retained in the new version.
What’s in the Bill
Here are the main headlines from the Bill:
- Record keeping: only organizations whose processing activities are “likely to result in a high risk to the rights and freedoms of individuals” will need to maintain records of processing. This is designed to reduce the burden on organizations to keep records of all processing activities and, instead, focus on high-risk operations. This is a change from the position in the original bill, which only exempted small organizations from having to maintain records.
- Legitimate interests: the Bill sets out a list of examples of when legitimate interests could apply to controllers. This is a slight shift from the original bill, which did not include a list of examples. The list of examples in the Bill is non-exhaustive and controllers will still need to conduct a balancing test when relying on this legal basis. The aim, however, is to provide additional guidance to organizations that intend to rely on legitimate interests to justify their processing. The examples in the Bill include direct marketing, intra-group transmission of personal data, and security of information systems.
- Scientific research: the Bill includes a revised definition of scientific research: “processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity.” Unlike the original bill, the new version acknowledges that scientific research can be used commercially. This broadened definition includes processing for the purposes of technological development or demonstration, fundamental research or applied research (to the extent these activities can be described as scientific). However, research in public health will only amount to scientific research if it is in the public interest. The ICO has already issued guidance on this topic, and the Bill is aligned with it.
- Nuisance calls and texts: the Bill increases fines for nuisance calls and texts – up to the greater of 4% of global turnover or £17.5 million.
- Marketing: the Bill imposes new obligations on “providers of a public electronic communications service” to notify the ICO of any “reasonable grounds” for suspecting that a person is contravening or has contravened any of the direct marketing rules when using the service or network. Such notification must be made within 28 days of reasonable grounds for suspicion coming to the provider’s attention. It remains to be seen what would be considered reasonable. Providers are unlikely to be expected to intercept communications to comply with the new rule.
- Cookies: as in the original bill, consent for cookies will not be required for online trackers placed for the purposes of collecting statistical information to bring improvements, for the installation of necessary security updates, or to locate individuals in an emergency. The DSIT has said that it will engage with organizations in relation to the cookie provisions – so this may not be the last development on this point.
- Automated decision-making: despite certain fears that Article 22 of the UK GDPR would be removed, the Bill specifies that in determining whether or not there has been meaningful human involvement, the organization must consider the extent to which the decision is reached by profiling. This implies that a decision reached through means of profiling would indicate little human involvement.
- International transfers: the original bill did not have an impact on the UK’s safeguards for transfers (i.e. the UK International Data Transfer Agreement (IDTA) and UK Addendum). The Bill does not change this position. The Bill does say that transfer mechanisms entered into before the Bill takes effect will continue to be valid under the new regime, provided they are already compliant with UK laws. No doubt, this will be music to the ears of the many organizations that have been incorporating the UK’s IDTA and UK Addendum into their agreements with third parties to govern international transfers of UK personal data.
Too much of a divergence?
The Department for Science, Innovation and Technology’s (DSIT) aim has been to introduce a “simple, clear and business-friendly framework that will not be difficult or costly to implement – taking the best elements of GDPR and providing businesses with more flexibility about how they comply with the new data laws.” The UK Information Commissioner, John Edwards, has already issued a statement welcoming the Bill and supporting what he considers to be an aim to help organizations to “grow and innovate” but also maintain high standards of data protection.
However, will this UK divergence provide much flexibility for organizations collecting UK personal data? If an organization has EU – as well as UK – customers, then it will still need to comply with its GDPR obligations when processing EU personal data. So relaxing some of the rules for processing UK personal data may have little benefit for the many organizations that need to comply with GDPR.
Separately, if the Bill takes effect, will the provisions lead to the UK losing its adequacy status? The DSIT has said the Bill will reinforce international confidence in the UK’s handling of personal data; but let’s not forget the four-year sunset clause contained in the UK data adequacy agreement, which allows the European Commission to review its adequacy decision in 2025. The European Commission has said it could withdraw the agreement at any time if the UK fails to appropriately protect the data of European Union citizens. In the event of significant divergence, the European Commission might feel the UK has shifted too far. At the time that data protection adequacy was granted, the Commissioner for Justice, Didier Reynders, said data protection adequacy was an essential component of the UK-EU relationship.
When determining a country’s adequacy under GDPR, the European Commission will be assessing whether or not that country provides an “essentially equivalent” level of data protection to that which exists in the EU. This means a third country’s data protection legislation does not need to mirror that of the GDPR, but must demonstrate some form of equivalence. So some divergence might not hurt the UK’s adequacy.
Will the European Commission raise its eyebrows at the new Bill and reassess the UK’s adequacy? Only time will tell.