On 8 March 2023 the UK government heralded its new Data Protection and Digital Information (No 2) Bill (the Bill) as a “new common-sense-led version of the EU’s GDPR” that would save the UK economy more than £4 billion over the next 10 years and “ensure that privacy and data protection are securely protected”. However, despite the government’s optimistic claims, the Bill has fuelled concerns that UK divergence from the EU’s GDPR would put at risk the EU-UK adequacy decision, and that any cost-savings that might be achieved by businesses operating solely within the UK would be far outweighed by additional costs and complexity faced by businesses operating internationally.
The EU’s adequacy decision in favour of the UK permits the free flow of personal data between the UK and the EU and wider EEA. However, that adequacy decision included a “sunset clause” limiting its duration to four years from 28 June 2021, with renewal available only if the UK continues to ensure an adequate level of data protection. The adequacy decision is also subject to reassessment before 2025 if there is any material change in UK data protection law. Consequently, the Bill will be closely scrutinised by the European Commission, with the possibility that any major divergence that is implemented into law could result in immediate loss of the UK’s status as an “adequate” jurisdiction.
In a May 2022 speech in Brussels, UK Information Commissioner John Edwards was keen to play down the risk of divergence from EU data protection law likely to flow from the predecessor to the current Bill: “I urge you to look beyond any political rhetoric, and stress test the proposal against a criteria of risk to EU interests, and I am sure when you do so you will find it holds up”.
The Bill certainly departs from or dilutes aspects of the EU GDPR. The key question is whether the resulting divergence would be considered a step too far by the European Commission. On many points, the Information Commissioner’s invitation to look beyond the political rhetoric and to recognise the limited effect of the proposed changes seems fair enough. For example:
- the Bill would remove the need for overseas data controllers without a UK establishment to appoint an Article 27 Representative. However, they would still have to ensure that there is a point of contact and a conduit for enforcement of obligations under UK GDPR;
- the Bill would remove the need for many organisations not undertaking high-risk processing to create and maintain records of processing activities (RoPA), but that would not relieve those organisations from the obligation to ensure that personal data is processed on a fair, lawful and transparent basis, and any organisation deciding to dispense with RoPA would risk impairing their ability to respond to subject access requests or to understand and mitigate the impact of any data breach or cyber-attack;
- the Bill would replace the Data Protection Officer (DPO) role with an obligation to appoint a “Senior Responsible Individual”. While the requirement that the individual be an executive would seem to sit uneasily with the independence required of a DPO, the Senior Responsible Individual would be required to recuse themselves from any decision that involved a conflict of interests.
While it is certainly possible to characterise many of the “common-sense” reforms as moderate and unlikely to threaten the EU-UK adequacy decision, there are areas of concern. They include:
- the potential for a significant increase in solely automated decision-making by private sector organisations. This stems from the proposed addition of “legitimate interests” under Article 6(1)(f) as a lawful basis available to support automated decision-making. The Bill also includes provisions suggesting that whether a decision has been taken with “meaningful human involvement” may depend on whether the decision has been reached by means of profiling. That would seem to give considerable leeway for systems based on profiling but configured to produce recommendations rather than decisions. That more limited concept of “meaningful human involvement” might be viewed as a concern by the EU Commission;
- the proposed abolition of the Information Commissioner’s Office (ICO) and its replacement with a new Information Commission (IC). The proposed appointment processes, with direct appointment of board members and the Secretary of State’s role in recommending the chair, plus the Secretary of State’s powers to approve IC codes of practice raise concerns about whether the IC would be sufficiently independent from government to meet EU requirements for robustly independent supervisory authorities.
The Bill does include some elements likely to receive a warm welcome from business. They include:
- an updated and expanded definition of scientific research which would facilitate processing (and further processing) of personal data for research and development purposes, whether publicly or privately funded, and whether carried out as a commercial or as a non-commercial activity. This broader definition is intended to promote the UK as a centre for innovation; and
- a provision stating that organisations may continue to use existing international data transfer mechanisms, enabling international businesses to use mechanisms such as EU Standard Contractual Clauses and the UK Addendum if (for example) the UK were to make its own adequacy decision in favour of a jurisdiction not similarly recognised by the EU.
Devils and details
Looking at the Bill alone, the Information Commissioner’s May 2022 invitation to look through the political rhetoric to find the limited substance of reform seems reasonable enough. However, the fact that the Bill has been introduced will, in itself, trigger close EU scrutiny and accelerate a reassessment of the UK’s status as an adequate jurisdiction.
That scrutiny is unlikely to be limited to the political rhetoric specifically relating to the Bill or to the detailed contents of the Bill. The UK government’s wider political rhetoric and legislative activities might also fuel EU concern. Recital 1 of GDPR states that data protection is a fundamental right, protected under Article 8 of the European Convention on Human Rights (ECHR). Any move by the UK government to dissociate itself from, or to formally withdraw from, the ECHR would cast severe doubt on the basis and reliability of UK data protection. Those concerns would be exacerbated if the UK were to withdraw from other relevant international instruments, such as the Council of Europe’s Convention 108+ on data protection.
Unlikely though such isolationism might once have seemed, the Bill was introduced only a day after the UK Home Secretary was compelled to state that the Government wished to proceed with its Illegal Migration Bill even though it was not compatible with rights under the ECHR. The UK government’s determination to ignore or override the ECHR is unlikely to reassure the European Commission when it considers whether to confirm or renew the UK’s status as a jurisdiction providing adequate protection for data subjects’ fundamental and ECHR-rooted rights and freedoms.