Published: April 2023
On 8 March 2023, the U.K. government introduced the Data Protection and Digital Information (No. 2) Bill to Parliament. Its objective is to “update and simplify” the U.K.’s data protection laws and certain other legislation. The Bill will have its second reading on 17 April; it will likely take until the end of 2023 to finish its way through Parliament.
We have set out a comprehensive summary of the changes proposed below. Many organizations will have benchmarked their privacy programs against the EU General Data Protection Regulation, so we have indicated whether the changes will make life easier, or more difficult, by comparison with the GDPR. Compliance becomes more difficult whenever there is change. We have tried to look beyond this, to show whether (novelty aside) the changes are helpful or not.
The graphic below, used throughout this resource, rates each specific proposed change in the U.K. DPDI (No. 2) Bill on a scale from -10 (easier) to +10 (more difficult) in comparison with the GDPR.
The Explanatory Notes emphasize the importance of international data transfers – which “drive commerce, support research and innovation, and help people to stay socially connected.” In line with this, the Bill attempts to remove unnecessary bureaucracy associated with international data transfers, while still ensuring high standards of protection for personal data.
At present, most organizations will rely on standard contractual clauses to transfer personal data. They will also have to undertake a detailed transfer risk assessment. The Bill adjusts this. Exporters must consider if the standards of protection will not be materially lower than those applicable in the U.K. and must act “reasonably and proportionately” in considering if this test is met, looking at all the circumstances including the nature and volume of personal data transferred (Article 46(1A), 46(6 – 7)). This should give organizations considerable scope to streamline transfer risk processes for low-risk data transfers.
In place of the somewhat condescending process to consider adequacy, the Bill introduces a more diplomatically tactful data protection test. The secretary of state must consider if the standard of protection is not materially lower than that in the United Kingdom. The factors to be considered are more flexible, covering respect for the rule of law and human rights; the existence and powers of a supervisory authority; redress; onward transfer rules; relevant international obligations and the constitution, traditions, and culture of the country. In addition, the desirability of transfers of data to and from the United Kingdom can be considered – although this does not remove the need to satisfy the data protection test. (Articles 45(A-C)).
The Bill introduces a number of exemptions from the cookie consent requirement for situations which pose a low risk to user privacy. These include processing:
- Solely for the purpose of analytics, carried out with a view to improve the website or information society service, (Regulation 6(2A)).
- To optimize content display, or to reflect user preferences about content display, for example, adjusting content to suit screen size, (Regulation 6(2B)).
- Solely to update software, or necessary for security purposes – so long as privacy settings are not altered and there is an ability for the subscriber or user to disable or postpone the update, or to remove or disable the software (Regulation 6(2C)).
At the moment, the soft opt-in rules, which allow email marketing to existing customers on an opt-out basis when certain criteria are met, penalize charities and other non-commercial organizations. This is because the rules only apply when contact details are obtained in the context of a sale or negotiation for a sale. This imbalance is to be removed. Charities and other non-commercial organizations will be able to benefit from the soft opt-in so long as they have obtained contact details in the course of the individual expressing interest in the organization or providing support (Regulation 22(3A)).
The U.K. Information Commissioner's Office powers to enforce ePrivacy currently link to the 1998 Data Protection Act, meaning that penalties are capped at £500,000. This anomaly is addressed and enforcement powers under the U.K. GDPR and the Data Protection Act 2018 will apply to ePrivacy breaches. Most breaches will attract the higher maximum penalty cap of £17,500,000, i.e., €20,000,000, or 4% of worldwide turnover (Regulation 31 & new Schedule 1).
Perhaps the biggest change is the removal of the obligation to complete a record of processing activities. The proposed new Article 30(A) of the UK GDPR will only require businesses that carry out processing “likely to result in a high risk to the rights and freedoms of individuals” to maintain records of processing. This will extend to their entire business, rather than just the processing considered high risk. The contents of these records – given the move to the plural, it appears a sole document is not required – include a very similar list of obligations to the revoked Article 30.
There are substantial changes to data protection impact assessments. These are rebranded as an “assessment of high risk processing,” with the requisite content being a summary rather than systematic description of the purposes of processing and measures to mitigate risk. Gone too is the obligation to seek, where appropriate, the views of data subjects. Finally, the obligation to consult the information commissioner on unmitigated high risks is replaced by an optional ability to consult the ICO.
Data protection impact assessments
The government predicts organizations that are currently compliant with the U.K. GDPR would “not need to significantly change their approach to be compliant with the new requirements;” this may not be true, in particular in relation to data protection officers. The bill replaces the obligation to appoint a DPO with a requirement for a “senior responsible individual” (new Article 27A). The Court of Justice of the European Union has confirmed DPOs must be independent from decision-making about personal data processing; the senior responsible individual must be involved in such decisions. The government has said that GDPR-DPOs could be retained for the U.K., “as long as there is appropriate oversight from the senior accountable individual.” It seems unlikely the same individual could realistically perform both roles for organizations caught by both requirements. However, for smaller U.K. businesses, the switch will allow more flexibility in allocating responsibility without necessarily increasing headcount.
Data subject rights and automated decision-making
The bill contains relatively minimal changes to data subject rights. There are some changes to what types of requests can be refused, a new formal right to complain and some liberalization of solely automated decision-making.
Under the GDPR, requests can be rejected where they are “manifestly unfounded or excessive.” New Article 12A retains “excessive” alongside a new reference to “vexatious” requests. The Bill itself suggests only that requests that are intended to cause distress, are not made in good faith, or that are an abuse of process could be vexatious. This broadly reflects the types of request the ICO currently considers to be manifestly unfounded, so it may not practically shift the types of requests that can be rejected. Much will rest on ICO guidance and application – much as it does today.
Data subjects are given a new right to complain to controllers (Section 164A). This will require controllers to facilitate the making of complaints, to adopt measures such as an electronic complaint form, and to include information about this new right in privacy notices. Controllers may be obliged to notify the ICO of the number of complaints they have received. The ICO is also given the power to refuse to accept complaints from individuals until they have completed a complaint process with the relevant controller (Section 165B).
Solely automated decision-making is substantially liberalized. Broadly, the same restrictions are retained where the decision will rely on processing special category data. However, other significant solely automated decisions are now permitted, provided certain safeguards are put in place. These safeguards must include abilities for data subjects to make representations, contest the decision and require human intervention. This change takes a similar approach to the U.K. position prior to the GDPR and will be welcomed, as the existing prohibition on automated decision-making is often problematic.
The Bill makes it easier for controllers to know if the purpose for which they are processing data will be accepted as “legitimate.” Article 6(9) includes examples of this – direct marketing, ensuring the security of network and information systems and transfers of personal data intra-group (all already mentioned in Recitals 47 - 49). In addition, the bill formally “recognises” certain interests as legitimate, listing them in Annex 1. These include disclosures to public bodies who assert that they need personal data to fulfil a public interest task; disclosures for national or public security or defence purposes; emergencies; prevention or detection of crime; safeguarding vulnerable individuals; and two pages of provisions relating to processing by elected representatives or candidates for political office. For these limited purposes, the requirement to carry out and document a balancing test against the rights of individuals is removed.
The bill restates the GDPR provisions on purpose limitation. Annex 2 also introduces a list of purposes which are “deemed” compatible with the original purpose. These include disclosures to public authorities where the authority states it needs the data for a task in the public interest (which is also recognized by Article 23 U.K. GDPR); disclosures for public security purposes; emergency response; safeguarding vulnerable individuals; protecting vital interests; and preventing and detecting crime, assessing tax, and complying with legal obligations.
If a controller originally relies on consent as its lawful basis, then the Bill writes into law the view held by the ICO that there is no scope to argue that processing for a further purpose can be compatible (Article 8A(4)). As consent must be specific, the only answer is to get new consent, unless a derogation applies and the controller cannot reasonably be expected to obtain consent.
The Information Commission
The bill makes significant changes to the structure and governance of the ICO; the role of Information Commissioner as corporation sole is abolished and replaced by a body corporate called the Information Commission. There are transitional provisions within the bill to ensure all powers and obligations of the Commissioner transfer to the Information Commission and that the present incumbent will become the non-executive Chair of the Commission. The new structure is similar to that of the Financial Conduct Authority, Competition and Markets Authority and Ofcom.
The Information Commission will consist of non-executive members led by the chair and executive members led by a chief executive who will be appointed by the non-executive members. The main change is a greater role for the non-executive members; by contrast, the present model vests all authority in the commissioner, who delegates to other members of the organization at his discretion. This change is reinforced by the requirement that the secretary of state must ensure, so far as practicable, that there are more non-executive members than executive members.
The proposed changes are unlikely to have any significant impact on ease of compliance, save perhaps for promoting greater consistency and a slower pace of change than with the present governance model.
Additional enforcement powers are granted to the Information Commission. The existing information notice powers are expanded to permit the Information Commission to require, not only that answers to specific questions are provided, but that specified documents be provided. This will give further ability for investigators to delve into suspected areas of noncompliance and remove some of the difficulty of having to ask for information “blind” without being sure which questions will elicit the most useful information. This may place a greater compliance burden upon recipients of information notices as documents will have to be located and provided in addition to lists of questions which need to be answered.
Assessment notice provisions have been expanded to allow the Information Commission to require the recipient to instruct an approved person to prepare a report and provide it to the ICO. The Information Commission can dictate the content, form, and date of completion of the report and the controller/processor must pay for it. Provisions are set out for determining who the approved person should be.
Arguably the most impactful new power is to issue interview notices, whereby the Information Commission can call an individual to be interviewed, either in their capacity as controller/processor or as a present or past employee or manager of the same, and require them to answer questions. Unlike the powers described above, which are expansions of existing ones, this is an entirely new investigatory tool. Whilst other regulators possess similar powers, the ICO has not previously been able to compel individuals to speak to it, which has anecdotally been a source of some frustration. Once implemented, these powers are likely to be used in a significant number of investigations, especially the more serious and complex ones, which will place additional burdens on organizations in managing them and obtaining legal advice on how best to respond.
Researchers often want to re-use data for further research not anticipated at the date of collection. Article 14(5)(b) provides that there is no need to provide a privacy notice to individuals in this case if this would be impossible or involve disproportionate effort – in particular for processing for research purposes. However, this exemption only applies where personal data has not been collected directly from individuals. There is no equivalent exemption for directly collected data. This can be problematic where contact details have changed, or for large cohorts where the cost of providing a new notice would make the research non-viable. A new exemption is introduced at Article 13(5); it is similar to the Article 14(5) exemption but is limited to processing for research purposes which complies with research safeguards. Article 13(6) identifies the age of the data, the number of data subjects and the safeguards applied as relevant considerations.
Required safeguards for research were previously split between Article 89 and Section 19 DPA 2018. These are now consolidated in one place, Chapter 8A U.K. GDPR. There are some minor drafting improvements to the previous provisions, including introducing a new acronym of “RAS purposes” (for processing for scientific and historic research and archiving in the public interest and statistical purposes), but the substance is unchanged.
Some terms are redefined. The changes clarify terms which privacy professionals likely already regarded as clear. By way of example, “personal data” is amended, to refer to “living individuals”, rather than natural persons, and to explain what is meant by “identified” and “identifiable.” There are similar cosmetic changes to the definition of pseudonymization. There are also new definitions for historical research, scientific research purposes and statistical purposes and some clarificatory provisions relating to consent for scientific research. See the comments on research above.
New Section 3(A) of the DPA 2018 seems to write the “motivated intruder” test into law. It assists in situations where party A holds personal data and wants to release a deidentified subset of this data to party B. The data processed by party B will not automatically be personal data, because party A still holds identifiable source data; instead one must consider whether it is reasonably likely that a data subject would be identifiable to party B, or whether it is reasonably likely that the data subject would be identifiable to someone other than party B and that that party would be able to obtain information from party B’s processing.