At the time of last year’s IAPP Data Protection Intensive: U.K., no legislative proposals to reform the U.K. General Data Protection Regulation had been made public.
This year, on the first day of the conference in London, the U.K. government published the Data Protection and Digital Information (No.2) Bill. As the title suggests, this is the second iteration of a set of proposals to reform the U.K. GDPR. The first iteration — the Data Protection and Digital Information Bill — was published July 2022 and will now not proceed further in Parliament.
Here are my first reflections from reviewing the 212 pages of the bill and its Explanatory Memorandum:
• The proposals make targeted changes to the current law. The changes can largely be categorized into either substantive or presentational clarifications, discrete expansions to specific exemptions that give businesses more flexibility, and empowerment of future guidance-issuing or rule-making.
• Many of the targeted changes reflect feedback on the lived experience of the GDPR, based on a spectrum of views from stakeholders across the U.K. and internationally, and are proposed in pursuit of the government’s policy objective to reduce business compliance costs by delivering a new, "common-sense-led" version of the GDPR.
• The fundamental principles of the current U.K. GDPR, range of available data subject rights, core controller and processer obligations, and wider constitutional and regulatory environment for privacy would be unaffected by the proposals.
• Organizations that are already compliant with the current U.K. GDPR will not have to make changes to comply with the proposed U.K. GDPR. However, proposed reforms will offer organizations the ability to make use of new compliance efficiencies. The proposed reforms are unlikely to create dual or conflicting requirements where organizations elect to benchmark privacy practices to existing U.K., or even EU, GDPR standards.
Below are the top ten areas where I see greatest interest and impact for privacy pros.
1. Definitions: Data will only be considered as personally identifiable by an organization other than the controller or processor if that other organization will, or is likely to, obtain the information as a result of its data processing. If the other organization does not have, or is not likely to obtain, such information, the data will be considered anonymous and out of scope of the bill.
2. Legal bases: Proposals remove the need for organizations to balance their legitimate interests with the data subject’s rights and interests where the purpose for processing the data subject’s data is on the list of recognized legitimate interests. The current proposed list of recognized legitimate interests focuses on public interests, such as national security, defense, emergencies, preventing crime, safeguarding and democratic engagement. There is a procedure by which the government may add to this list in the future.
• NEW Proposals include a list of activities that may be regarded as in a data controller’s legitimate interest to process data. The activities are illustrative and nonexhaustive, and are moved from the recitals to the operative part of the U.K. GDPR. The activities are direct marketing, intraorganizational transmission of data and network and information systems security. Data controllers are still required to ensure their interests are not outweighed by the data subject’s rights and interests.
• NEW Commentary in the Explanatory Notes clarifies any legitimate commercial activity can be a legitimate interest, provided the processing is necessary and the balancing test is carried out.
3. Research: Proposals within the scope of scientific research include all activities that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or noncommercial activity.
• NEW Proposals include a list of illustrative and nonexhaustive types of scientific research, previously contained in the recitals and now moved to the operative parts of the U.K. GDPR, such as applied or fundamental research or innovative research into technological development.
• NEW It also clarifies that research into public health is only scientific research if it is in the public interest. Proposals exempt controllers from the requirement to provide notice where personal data has been collected directly from the data subject for research, archival or statistical purposes, and where providing such information would be impossible or require disproportionate effort.
4. International transfers: Proposals set out the test for adequacy regulations, colloquially referred to as data bridges, as where the standard of protection in the third country is not "materially lower" than under the U.K. GDPR, when "taken as a whole" and assessed in a "holistic way," recognizing different legal and cultural approaches to protecting privacy. Proposals set out the standard by which organizations must assess the lawfulness of their use of alternative, i.e., nonadequacy, transfer mechanisms. Organizations "acting reasonably and proportionately" must consider whether the standard of protection provided by the relevant transfer mechanism, e.g., standard contractual clauses, the third country’s laws and practices and the use of other safeguards would result in materially lower standards than that of those in the U.K. GDPR. Proposal for the secretary of state to issue regulations recognizing future mechanisms beyond the current list of mechanisms as providing safeguards for international data transfers.
• NEW Alternative transfer mechanisms lawfully entered into, before the new U.K. GDPR reforms take effect, will continue to be valid under the new U.K. GDPR regime.
5. Privacy paperwork:
• NEW Proposals require records of processing only for organizations that carry out processing activities likely to result in "high risk to the rights and freedoms of data subjects." High risk will be determined by taking the nature, scope, context and purposes of the processing into account. Previously, proposals exempted organizations from record keeping requirements where fewer than 250 people are employed and where there is no high-risk processing. This is in addition to proposals clarifying the high risk threshold for data protection impact assessments.
6. Privacy personnel: Proposals remove the requirement for controllers and processors not established in the U.K. to appoint a U.K. representative. Proposals replace requirements relating to the designation and roles of the data protection officer with provisions on the senior responsible individual. SRIs are only required for public bodies or where there is high risk processing. SRIs can combine their tasks with other roles in the organization and can delegate tasks.
7. Data subject rights: Proposals replace the "manifestly unfounded or excessive" threshold for refusing data subject rights requests with a "vexatious or excessive" threshold. When deciding whether and how to respond to data subject rights requests, controllers may take into account their resources, whether the request was intended to cause distress, made in bad faith, or is an abuse of process.
8. Cookies: Proposals expand the list of exemptions to when consent is required for placing cookies or similar tracking technologies on a user’s terminal equipment. Proposed exemptions include collecting statistical information about an information society service to make improvements, enabling the appearance or function of a website to reflect user preferences, installing necessary security updates to software on a device and identifying the an individual's geolocation in an emergency. With the exception of identifying users in emergency, users must be provided with clear, comprehensive information and a simple means of opting out.
9. Direct marketing: Proposals expand the ability to rely on opt-out consent to noncommercial organizations. Noncommercial organizations can send electronic marketing communications without prior consent for the purposes of furthering charitable, political or other noncommercial objectives, if the individual’s contact details were obtained in the course of the individual expressing interest or offering support to the objective.
• NEW Proposals create a duty on providers of public electronic communication services and networks to report suspicious activity relating to unlawful direct marketing to the ICO, with penalties for noncompliance and requirements for the ICO to publish guidance on what constitutes reasonable suspicion. The Explanatory Memorandum clarifies the network or service provider will not be required to intercept or examine the content of the communication.
10. Automated decision-making: Proposals define automated decision-making as involving "no meaningful human involvement" and requiring organizations making such decisions to disclose this to individuals, in addition to providing individuals the ability to challenge decisions by seeking human involvement. Proposals for the secretary of state include issuing regulations on whether a description of a decision is, or is not, to be regarded as having "a similarly significant effect" for the data subject, whether to make further provisions on the safeguards required for automated decision making and whether there is, or is not, meaningful human involvement in decision making.