Changes to existing privacy framework proposed in Data Protection and Digital Information Bill

On 18 July 2022, the UK government introduced the Data Protection and Digital Information Bill (previously referred to as the Data Reform Bill). The Bill is the result of the significant consultation held by the government last year, entitled "Data: a new direction".

While the Bill proposes wholesale changes to the UK's privacy framework, those changes can be characterised as an evolution, not a revolution. That said, the EU will undoubtedly be keeping a close eye on the progress of the Bill insofar as the UK's adequacy status and the free flow of personal data between the EU and the UK are concerned.

The Bill aims to reduce the administrative burden on businesses, promote innovation and reform the Information Commissioner's Office (ICO). It spans 192 pages, and mostly reflects what was proposed in the government's response to the consultation (about which, see our Insight).

In this article, we summarise some of the key changes introduced by the Bill that businesses will need to consider should the Bill come into effect as proposed. There are other changes that businesses will also need to be aware of, including refinements to rules relating to automated processing, processing for research purposes, and record keeping obligations.

Removal of Data Protection Officers

Businesses will no longer need to appoint a Data Protection Officer (DPO); instead, if they carry out high risk processing (or are a public authority), they will be required to designate a "senior responsible individual" who will be accountable for data protection compliance. While the day-to-day obligations of this role will not change dramatically, the individual must now be part of the business's senior management, as opposed to the current position, where the DPO reports to senior management but has to be independent of it. This flexibility is likely to be welcome news to businesses.

Removal of DPIAs

Businesses will no longer need to conduct data protection impact assessments (DPIAs). Instead, they will need to implement an "assessment of high risk processing".

This change aims to streamline data protection records by focusing a business's attention on how it operates, and introducing appropriate measures depending on the type of data it processes: for example, the Bill removes the list of activities deemed to be high risk, which was in the General Data Protection Regulation (GDPR).

It remains to be seen whether this will amount to little more than a change of name in practice.

Removal of need for a UK representative

Data controllers which are not established in the UK no longer need to appoint a data protection representative within the UK.

Data subject access requests

The Bill changes the test for refusing and charging for data subject access requests. If enacted, the "manifestly unfounded and excessive" test would be replaced by a "vexatious and excessive" test.

The government proposes that the adoption of this new test will allow businesses greater autonomy in refusing requests when the system is clearly being abused, although the devil will be in the detail as to how the ICO interprets the new test. (For more on this, see our Insight.)

Expanding use of cookies without consent

Currently, only "strictly necessary" cookies may be used without consent. The Bill expands the categories of cookies that do not need consent to be dropped, including cookies collecting data for purposes such as statistical analysis and improvement of service or website use; however, users would still need to be given comprehensive information, and an opportunity to opt out.

'Recognised legitimate interests'

The Bill introduces a limited number of "recognised legitimate interests". This means that, provided a business can demonstrate that processing is "necessary" for one of the recognised legitimate interests, that business will no longer be required to balance its legitimate interest against the data subject's interests, rights, and freedoms.

Currently, the list of recognised legitimate interests is very narrow (for example, it covers processing necessary in the public interest, national security, public security and defence, emergencies, safeguarding vulnerable individuals and democratic engagement), but the Bill enables the Secretary of State to add new categories.

Changes to international transfers

The Bill introduces a risk-based approach to the international transfer of personal data, meaning that organisations would be able to assess the data protection risks involved in using mechanisms such as the ICO's international data transfer agreement (IDTA) or Addendum for those transfers, and then decide on appropriate mitigation measures.

Using the same risk-based approach, the Department for Digital, Culture, Media and Sport (DCMS) would be able to make future UK adequacy decisions; however, this approach is different to that required for adequacy decisions under the GDPR. The requirement under the Bill is a "not materially lower" standard of protection in the recipient country, whereas under the GDPR it is an adequate level of protection, interpreted as "essentially equivalent".

ICO restructure and new identity

The ICO's name will change to the Information Commission. The Information Commission will act as an independent body corporate, with new reporting obligations to the government.

The Secretary of State will have greater oversight over the Information Commission, which means the government has the potential to influence guidance and codes of conduct.

Changes to PECR

The Bill increases the maximum amount of fines under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) to be brought in line with the UK GDPR and Data Protection Act 2018, enabling the ICO to issue fines of up to £17.5 million or 4% of a business's global turnover for breaches of certain regulations under PECR, and up to £8.7 million or 2% of a business's global turnover for other breaches of PECR.

Providers of public electronic communications services will have an obligation to notify the ICO if they have reasonable grounds for suspecting that their users have contravened the direct marketing rules.

Osborne Clarke comment

The changes introduced by the Bill are not unexpected, given they mostly reflect the government's response to its consultation.

The Bill has only proceeded through its first reading in Parliament, so it is likely there will be amendments to its current form before it becomes law. It is also possible that a government led by a new prime minister may take a different approach.

The Bill represents a small step away from the EU GDPR, rather than the giant leap that might be preferred by some businesses, perhaps in part because the UK government will be mindful of the risks involved in diverging too far from the EU GDPR, given that the EU-UK adequacy decision is scheduled for review in 2024.

The benefits of the free flow of data between the UK and the EEA for many UK businesses are likely to be favoured over the current administrative burdens of compliance using alternative mechanisms such as standard contractual clauses and the IDTA, especially for global businesses well acquainted with the requirements of the GDPR.

The Bill is now awaiting a second reading, which is scheduled for 5 September 2022 (when the House next sits following the summer recess).