UK data reform: What's proposed
This resource covers UK data protection reform and the significant changes to the data laws proposed.
Last updated: November 2024
The U.K.'s latest effort to reform data protection law began 23 Oct. with the first reading of the Data Use and Access Bill in the House of Lords. Although less extensive than the previous government's proposed legislation, the new bill still envisages a significant number of changes to U.K. data protection law.
Some changes will make data protection compliance slightly easier for organizations — removing the need for consent for analytics cookies, for example. However, if the legislation goes through in its current form, some will impose more obligations. Privacy notices, for example, will have to be amended to refer to a new data subject right to complain, and additional types of special category data could be introduced. The U.K. Information Commissioner's Office would also be reconstituted and given strengthened powers — including related to enforcement of breaches of the e-Privacy Directive.
This is a comprehensive summary of the proposed changes to data protection law. Many organizations will have benchmarked their privacy programs against the U.K. General Data Protection Regulation, and some changes will make life easier, others more difficult, by comparison. The barometers indicate the degree of change.
The bill contains a myriad of provisions that go beyond data protection — although these often overlap with privacy thematically. For example, it reintroduces provisions contained in the abandoned Data Protection and Digital Information Bill that relate to digital ID verification services and provisions that aim to give customers real-time access to data processed by businesses, much in the way open banking already operates. The bill also proposes changes to the Online Safety Act. In the interests of brevity, these are not addressed here.
This article includes content previously contributed by James Moss.
Legend
The barometer below, used throughout the resource, indicates the degree of change in the proposed U.K. data protection reform from -10, easier, to +10, more difficult, in comparison to the U.K. GDPR.
More special category data?
The bill includes a new mechanism to allow the introduction of more classes of special category data. This power would be exercised by secondary legislation, under the affirmative resolution procedure. As there is a prohibition on processing special category data, this provision could have wide-reaching effect if it is used. One proposed amendment to the DPDI Bill before it was dropped was the addition of all children's data as special category data. Proposals such as this could have dramatic impact with little legislative oversight.
Data transfers
When organizations transfer personal data to countries where there is no adequacy decision, they must undertake a detailed transfer risk assessment and implement safeguards, such as using standard contractual clauses. The Data Use and Access Bill adjusts this. Exporters must instead consider if the standards of protection will be materially lower than those applicable in the U.K. They must act "reasonably and proportionately" in considering if this test is met, looking at all the circumstances including the nature and volume of personal data transferred per Article 46 (1A) and 46(6 – 7). This should give organizations scope to streamline transfer risk processes for low-risk data transfers, although existing guidance from the ICO already makes this a possibility in the U.K., unlike the EU.
In place of the somewhat condescending process to consider adequacy, the bill introduces a more diplomatically tactful data protection test, in which the secretary of state must decide if the standard of protection is materially lower than that in the U.K. The factors to be considered are more flexible, covering respect for the rule of law and human rights; the existence and powers of a supervisory authority; redress; onward transfer rules; relevant international obligations; and the constitution, traditions and culture of the country. In addition, the desirability of transfers of data to and from the U.K. can be considered, although this does not remove the need to satisfy the data protection test.
e-Privacy
Cookie consent rules under the bill will now also apply to a person who "instigates" the storage or access to stored data, possibly allowing the ICO to take enforcement action against website publishers, rather than the advertising technology vendors with whom the publisher works. The bill also introduces exemptions from the cookie consent requirement for situations that pose a low risk to user privacy.
These include processing:
- Solely for the purpose of analytics, carried out to improve the website or information society service, of optimizing content display, or of reflecting user preferences about content display. In each case clear information must be given about the processing, and there must be an ability to opt out.
- Strictly necessary to protect information for security purposes, to prevent or detect fraud or technical faults in connection with the requested service, or to facilitate automatic authentication or maintain a record of the selections made on a service by the subscriber or user.
The ICO's power to impose penalties under the Privacy and Electronic Communications Regulations — both for cookie and electronic marketing-related breaches — is currently capped at 500,000 GBP. This anomaly is addressed, and enforcement powers under the GDPR, and the Data Protection Act 2018 will apply to e-privacy breaches. Most breaches will attract the higher maximum penalty cap of 17.5 million GBP or 4% of worldwide turnover.
Communications service providers are subject to a parallel personal data breach reporting regime. This is to be aligned with the 72-hour deadline under the GDPR, although the requirement to notify all breaches remains. Lastly, there are obligations for the Commission to encourage representative bodies to produce codes of conduct, which it is then required to review and potentially approve. There is also a provision for accreditation bodies to be set up to monitor compliance with these codes of conduct.
Data subject rights and automated decision-making
The bill contains relatively minimal changes to data subject rights.
The legislation now more clearly spells out the deadline for responding to requests. It reflects ICO guidance that, if the controller reasonably requests further information to identify the processing covered by the request, then the "clock stops" until this information is provided.
The bill also clarifies that the controller's obligation is to provide such data as it can locate after a reasonable and proportionate search. Prior case law established this would be the case based on the principle of proportionality under EU law. Brexit cast doubt on whether this should still be considered, so the point is now beyond doubt. It echoes existing ICO guidance on the topic, so it will not come as a surprise to controllers but should provide comfort when dealing with aggressive data subjects.
Further changes to subject access requests are made in respect of court procedure. Under the bill, if a court is required to determine whether a data subject is entitled to information under their right of access or portability, it can require the controller to make this information available for inspection. However, the court may not require it to be disclosed to the data subject or their representatives until after it makes a decision.
Data subjects are given a new right to complain to controllers, which will require controllers to facilitate the creation of complaints, adopt measures such as an electronic complaint form and include information about the new right in privacy notices, binding corporate rules, etc. Controllers may be obliged to notify the ICO of the number of complaints received.
[Barometer: Data subject rights]
Solely automated decision-making is substantially liberalized, and more clarity is given to the meaning of "solely" in this context. It is defined as a decision with no meaningful human involvement, and factors to consider when assessing this are provided. Broadly, the same restrictions as in the GDPR are retained where the decision relies on processing special category data.
However, other significant, solely automated decisions are now permitted, provided certain safeguards are put in place. These safeguards include the ability for data subjects to make representations, contest decisions and require human intervention. This change reflects a similar approach to the U.K.'s position prior to the GDPR and will be welcome as the existing prohibition on automated decision-making is often problematic.
Legitimate interests
The bill makes it easier for controllers to know if the purpose for which they are processing data will be accepted as legitimate. Article 6(9) includes examples of this, such as direct marketing, ensuring the security of network and information systems, and intragroup transfers of personal data, which are all already mentioned in Recitals 47-49.
In addition, the bill formally recognizes certain interests as legitimate, listing them in Annex 1. These include disclosures to public bodies that assert they need personal data to fulfil a public interest task, disclosures for national or public security or defense purposes, emergencies, prevention or detection of crime, and safeguarding vulnerable individuals. For these limited purposes, the requirement to carry out and document a balancing test against the rights of individuals is effectively removed.
The overall effect is that, in some limited circumstances outside the day-to-day processing of most organizations, any question of whether an interest is legitimate is removed and there is no need to undertake a balancing test.
These provisions are largely unchanged from the earlier DPDI Bill. Earlier provisions providing that processing by elected representatives amounts to a recognized legitimate interest have been removed.
Purpose limitation
The bill restates GDPR provisions on purpose limitation, while adding a new compatible purpose of ensuring or demonstrating compliance with Article 5(1). Annex 2 also introduces a list of purposes which are deemed compatible with the original purpose. These include disclosures to public authorities that state they need the data for a task in the public interest, which is also recognized by GDPR Article 23, as well as disclosures for public security purposes, emergency response, safeguarding vulnerable individuals, protecting vital interests, preventing and detecting crime, assessing tax, and complying with legal obligations.
If a controller originally relies on consent as its lawful basis, then Article 8A(4) of the bill notes new consent will be required for further processing unless a derogation applies and the controller cannot reasonably be expected to obtain consent. This view is also held by the ICO.
The Information Commission
The bill makes significant changes to the structure and governance of the ICO. The role of Information Commissioner as a "corporation sole" is replaced by a body corporate called the Information Commission. There are transitional provisions within the bill to ensure all powers and obligations of the Commissioner transfer to the Commission and the present Commissioner becomes the nonexecutive chair of the Commission.
The Information Commission will consist of nonexecutive members led by the chair and executive members led by a chief executive to be appointed by the nonexecutive members.
The main change is a greater role for the nonexecutive members. This change is reinforced by the requirement that the secretary of state must ensure, so far as practicable, there are more nonexecutive members than executive members.
The proposed changes are unlikely to have any significant impact on ease of compliance.
The Commission's role and obligations
The bill sets out the Commission's primary objectives to secure an appropriate level of protection for personal data and to promote public trust and confidence in processing personal data. The Commissioner must have regard to other wider public interest factors such as preventing and detecting crime and the desirability of promoting innovation and competition.
The Commission must also consider that children may be less aware of the risks of personal data processing and of their rights. This has been added by comparison to the DPDI Bill. It may be helpful if the Commission were required to consider the public interest in freedom of expression. The Commission must publish and report annually on its key performance metrics and the regulatory action it has taken that year.
The ICO was already required to produce stipulated codes of practice, such as the Children's Code. The bill has added enabling provisions allowing the Secretary of State to add to the list of codes the Commissioner must produce. U.K.-watchers may recall codes on educational technology were suggested during the progress of the DPDI Bill, so this may return. The Commission is also required to carry out and publish reports on the impact of any proposed codes of conduct.
[Barometer: The Commission's role and obligations]
The Commission's enforcement powers
The bill grants additional enforcement powers to the Commission. Existing information notice powers are expanded to permit the Commission to require specified documents be provided. This will give further ability for investigators to delve into suspected areas of noncompliance and remove some of the difficulty of having to ask for information without being sure which questions will elicit the most useful information.
This will place a greater compliance burden on recipients of information notices as documents will have to be located and provided, in addition to lists of questions needing to be answered. Further, there are opportunities to shape the narrative and tone of responses when organizations are required to provide information, which is much harder when full documents must be shared.
[Barometer: Information notice]
The assessment notice provisions are expanded to allow the Commission to require the recipient to instruct an approved person to prepare a report and provide it to the Commission. The Commission can dictate the report's content, form and date of completion, and the controller/processor must pay for it. Provisions are set out for determining who the approved person should be.
Again, this will place a greater organizational and financial burden upon recipients of such notices and shift the cost of data breach incident analysis from the regulator onto the affected organization. One intended benefit is that there will be a single "version of the truth," which may save time in disputes about the factual basis of any incident being investigated.
[Barometer: Assessment notice provisions]
The Commission will be granted a new power to call an individual to be interviewed, either in the capacity of controller/processor, as a present or past employee or manager, or an individual who otherwise worked for the controller/processor. Unlike the powers described above, which are expansions of existing ones, this is an entirely new investigatory tool.
While other regulators possess similar powers, the ICO was not previously able to compel individuals to speak to it. There are exemptions when parliamentary or legal privilege apply, and exemptions in respect of self-incrimination but not regarding potential offenses under the Data Protection Act. It is an offense to knowingly or recklessly make a false statement, and the Commission will have the power to impose a penalty notice for failure to comply with an interview notice, with significant fining powers aligned to those already available. The Commission must produce guidance on the factors to be considered when deciding to issue an interview notice.
[Barometer: Call an individual to be interviewed]
Research
Researchers often want to reuse data for further research not anticipated at the date of collection. In this case, Article 14(5)(b) states there is no need to provide a privacy notice to individuals if it would be impossible or involve disproportionate effort, particularly for processing for research purposes. However, this exemption only applies when personal data has not been collected directly from individuals. There is no equivalent exemption for directly collected data.
This can be problematic when contact details have changed or, for large cohorts, when the cost of providing new notice would make the research nonviable. A new Article 13(5) introduces an exemption similar to the Article 14(5) exemption, but limited to processing for research purposes that complies with the research safeguards. Article 13(6) notes the age of the data, the number of data subjects and the safeguards applied should all be considered.
Required safeguards for research were previously split between Article 89 of the GDPR and Section 19 of the Data Protection Act. These are now consolidated in one place, Chapter 8(A) of the GDPR. A new acronym, RAS purposes — for processing for scientific and historical research, archiving in the public interest and statistical purposes — is introduced. However, the substance of the existing law is unchanged, so this is a case of redrafting for the sake of redrafting.
International law enforcement requests
The bill acknowledges the special relationship between the U.K. and the U.S. by recognizing the agreement between the two governments on requests to access data for the purposes of countering serious crime.
Under the new provisions, controllers may rely on legal obligation as the lawful basis or condition for processing personal and special category data when it is necessary to respond to such requests. This simplifies the rules for responding to law enforcement requests from U.S. authorities but does not help multinational organizations, which need to comply with other types of legal obligations across different jurisdictions.
As there has historically been concern in the privacy community regarding U.S. law enforcement's access to personal data, it remains to be seen whether this move will impact the European Commission's adequacy finding for the U.K. It may be of some comfort that the U.K.-U.S. agreement referred to was signed prior to Brexit in October 2019 and, therefore, would have been considered in the adequacy procedure.
[Barometer: International law enforcement requests]