On 8th March 2023, the UK government introduced the Data Protection & Digital Information (No.2) Bill to Parliament. Its objective is to “update and simplify” the UK’s data protection laws and certain other legislation. The Bill will help privacy professionals struggling with transfer risk assessments, as it allows these to be proportionate and risk-based, taking account of the nature and volume of data transferred. It removes the need for consent for cookies used for analytics and other low-risk tracking and introduces more flexibility for the use of automated decision making. Tweaks are also made to accountability requirements, replacing DPOs with a “senior responsible individual” and removing records of processing except for high-risk processing. The Bill will have its Second Reading on 17 April; it will likely take until the end of 2023 to finish its way through Parliament.
We have set out a comprehensive summary of the proposed changes below. Many organisations will have benchmarked their privacy programmes against GDPR, so we have indicated whether the changes will make life easier, or more difficult, by comparison with GDPR. Compliance becomes more difficult whenever there is change. We have tried to look beyond this, to show whether (novelty aside) the changes are helpful or not.
The graphic below, used throughout this insight, labels specific changes in the UK DPDI (No.2) Bill on a scale from -10 (easier) to +10 (more difficult) in comparison to the GDPR.
*Source IAPP - https://iapp.org/resources/article/uk-data-protection-reform-an-overview/
The Explanatory Notes emphasise the importance of international data transfers, which “drive commerce, support research and innovation and help people to stay connected.” In line with this, the Bill attempts to remove unnecessary bureaucracy associated with international data transfers, while still ensuring high standards of protection for personal data.
At present, most organisations rely on standard contractual clauses to transfer personal data. They also have to undertake a detailed transfer risk assessment. The Bill adjusts this. Exporters must consider whether the standard of protection will be not materially lower than that applicable in the UK, and must act “reasonably and proportionately” in considering if this test is met, looking at all the circumstances including the nature and volume of personal data transferred (Art.46(1A), 46(6)–(7)). This should give organisations considerable scope to streamline transfer risk processes for low-risk data transfers.
All the usual data safeguards (standard contract clauses, BCRs etc) remain. Some lacunae in the current regime have been addressed. At present, mechanisms that are most suitable to public authorities (legally binding instruments and administrative arrangements) can only be used with other public authorities, not for transfers to private sector organisations; this is widened. In addition, a rule making power is introduced to allow the Secretary of State to approve new clauses which – of themselves – are capable of ensuring that the data protection test is met; the Secretary of State can also specify safeguards that can be relied on to meet the data protection test. If such safeguards or clauses are introduced this would entirely remove the need for exporters to undertake transfer risk assessments.
In place of the somewhat condescending process to consider “adequacy”, the Bill introduces a more diplomatically tactful “data protection test”. The Secretary of State must consider if the standard of protection is not materially lower than that in the United Kingdom. The factors to be considered are more flexible, covering respect for the rule of law and human rights; the existence and powers of a supervisory authority; redress; onward transfer rules; relevant international obligations and the constitution, traditions and culture of the country. In addition, the desirability of transfers of data to and from the United Kingdom can be considered – although this does not remove the need to satisfy the data protection test. (Arts.45A – C).
All the current derogations are retained. The Secretary of State is given a rule-making power to specify situations when transfers will – or will not – be considered to be necessary on substantial public interest grounds.
The Bill introduces a number of exemptions from the cookie consent requirement for situations which pose a low risk to user privacy. These include processing:
In each case, the provider must give information about the processing and an opportunity to object. There is a further exemption for processing necessary to respond to a request for emergency assistance (Reg. 6(2D)). In addition, the Bill gives examples of processing where no consent will be necessary because the processing is considered to be “strictly necessary” to deliver the service requested by the user (Reg.6(5)). In addition to examples which will be familiar to privacy professionals (such as facilitating shopping cart or form-filling functionality) these also include processing necessary to prevent or detect fraud in connection with the provision of the service. This will be particularly helpful for payment processing services that assess device data as an indicator of fraud (e.g. presence of suspect code or data otherwise inconsistent with the purported payer).
The Bill also includes a rule making power for the Secretary of State to require providers of information technology to have consent preference functionality, which will transmit the users’ preferences automatically to any site visited. Providers who do not offer such functionality may be prohibited from supplying their technology. This could cover technology ranging from phones, through to browser software, through to IoT devices. Industry has been trying and failing to address this for an extended period. The authors are sceptical that the UK government will have better success.
At the moment, the soft opt-in rules (which allow email marketing to existing customers on an opt-out basis, when certain criteria are met) penalise charities and other non-commercial organisations. This is because the rules only apply when contact details are obtained in the context of a sale or negotiation for a sale. This imbalance is to be removed. Charities and other non-commercial organisations will be able to benefit from the soft opt-in so long as they have obtained contact details in the course of the individual expressing interest in the organisation or providing support (Reg 22(3A)). Clauses 83 and 84 of the Bill introduce a rule-making power for the Secretary of State to exempt direct marketing made for the purposes of “democratic engagement” from the restrictions on use of email, telephone and automated calling for direct marketing purposes. UK privacy professionals may recall that the Scottish National Party was fined for sending automated calls by Sean Connery encouraging voters to vote SNP; this type of technique may now be permissible without consent. There are also changes to definitions, so that the Commission can take account of unconnected/uncompleted calls when looking at breaches of direct marketing rules.
The Commission’s powers to enforce ePrivacy currently link to the 1998 Data Protection Act, meaning that penalties are capped at £500,000. This anomaly is addressed, and enforcement powers under UK GDPR and the DPA 2018 will apply to ePrivacy breaches. Most breaches will attract the higher maximum penalty cap of £17,500,000 (i.e. €20,000,000) or 4% of worldwide turnover (Reg.31 & new Schedule 1).
Lastly, there are new obligations for providers of publicly available electronic communications services or networks, requiring them to report to the Commission if they have reasonable grounds to believe that a person is breaching direct marketing rules by using their services (Regs 26A – C). Noncompliance leads to a fixed £1,000 penalty.
Although the Government has touted that its data reforms will save the UK economy £4.7 billion, and emphasised that the Bill will “further reduce the amount of paperwork organisations need to complete to demonstrate compliance”, the proposals in the Bill are not a radical reduction in the administrative burden for UK organisations.
Perhaps the biggest change is the removal of the obligation to complete a record of processing activities. In a change since the first version of the Bill was laid in the summer of 2022, the proposed new Article 30A of the UK GDPR will only require businesses that carry out processing “likely to result in a high risk to the rights and freedoms of individuals” to maintain records of processing. This will extend to their entire business, rather than just the processing considered high risk. The contents of these records (given the move to the plural, it appears a single document is not required) include a very similar list of obligations to the revoked Article 30. One obligation is stricter than under GDPR: the records must include retention limits, with no “where possible” qualification as under Article 30. The need to name countries in which data is held remains, although the need to identify any transfer mechanism used is lost, as is the obligation on processors to identify the processing they do for each controller.
There are substantial changes to data protection impact assessments. These are rebranded as an “assessment of high risk processing”, with the requisite content being a summary rather than systematic description of the purposes of processing and measures to mitigate risk. Gone too is the obligation to seek, where appropriate, the views of data subjects. Finally, the obligation to consult the Commissioner on unmitigated high risks is replaced by an optional ability to consult the Commission.
The government predicts that organisations that are currently compliant with the UK GDPR would “not need to significantly change their approach to be compliant with the new requirements”; this may not be true, in particular in relation to DPOs. The Bill replaces the obligation to appoint a DPO with a requirement for a “senior responsible individual” (new Art. 27A). The CJEU has confirmed that DPOs must be independent from decision making about personal data processing; the senior responsible individual must be involved in such decisions. The government has said that GDPR-DPOs could be retained for the UK, “as long as there is appropriate oversight from the senior accountable individual”. It seems unlikely that the same individual could realistically perform both roles for organisations caught by both requirements. However, for smaller UK businesses, the switch will allow more flexibility in allocating responsibility without necessarily increasing headcount.
Although the government consulted on more radical proposals, such as cost ceilings or nominal fees for subject access, the Bill contains relatively minimal changes to data subject rights. There are some changes to what types of request can be refused, a new formal right to complain and some liberalisation of solely automated decision making.
Under the GDPR, requests can be rejected where they are “manifestly unfounded or excessive”. New Article 12A retains “excessive” alongside a new reference to “vexatious” requests. The concept of “vexatious” requests exists under Freedom of Information law in the UK, where there is a substantial body of case law; it is not clear whether this could have relevance to data protection requests. The Bill itself suggests only that requests that are intended to cause distress, are not made in good faith, or are an abuse of process could be vexatious. This broadly reflects the types of request the ICO currently considers to be manifestly unfounded, so this may not practically shift the types of requests that can be rejected. Much will rest on ICO guidance and application, much as it does today.
Data subjects are given a new right to complain to controllers (s.164A). This will require controllers to facilitate the making of complaints, to adopt measures such as an electronic complaint form, and to include information about this new right in privacy notices. Controllers may be obliged to notify the ICO of the number of complaints they have received. The ICO is also given the power to refuse to accept complaints from individuals until they have completed a complaint process with the relevant controller (s.165B). This may lead to a reduction in complaints that escalate to the ICO, and should limit the practice of the ICO taking a view on compliance without having taken the controller’s input into account.
Solely automated decision making is substantially liberalised. Broadly, the same restrictions are retained where the decision will rely on processing special category data. However, other significant solely automated decisions are now permitted, provided certain safeguards are put in place. These safeguards must include the ability for data subjects to make representations, contest the decision and require human intervention. This change is similar in approach to the UK position prior to GDPR, and will be welcomed, as the existing prohibition on automated decision making is often problematic.
Other rights-related changes include tweaks to the situations in which the UK GDPR exempts controllers from the obligation to provide a notice, and a new Article 12B clarifying the extent to which the UK GDPR’s one month time period can be paused and extended.
The Bill makes it easier for controllers to know if the purpose for which they are processing data will be accepted as “legitimate”. Art.6(9) includes examples of this: direct marketing, ensuring the security of network and information systems, and transfers of personal data intra-group (all already mentioned in recitals 47–49). In addition, the Bill formally “recognises” certain interests as legitimate, listing them in Annex 1. These include disclosures to public bodies who assert that they need personal data to fulfil a public interest task; disclosures for national or public security or defence purposes; emergencies; prevention or detection of crime; safeguarding vulnerable individuals; and two pages of provisions relating to processing by elected representatives or candidates for political office. For these limited purposes, the requirement to carry out and document a balancing test against the rights of individuals is removed. In our experience, it is not usually difficult for controllers to determine that an interest is legitimate. It can be more difficult to determine if processing is “necessary”. When both of these points are clear, it can be disproportionately burdensome to document these assessments. The Bill does not alter either of these points, except in limited circumstances that fall outside the day-to-day processing of most organisations.
The Bill restates the GDPR provisions on purpose limitation. Annex 2 also introduces a list of purposes which are “deemed” compatible with the original purpose. These include disclosures to public authorities where the authority states it needs the data for a task in the public interest (which is also recognised by Art.23 UK GDPR); disclosures for public security purposes; emergency response; safeguarding vulnerable individuals; protecting vital interests; and preventing and detecting crime, assessing tax, and complying with legal obligations. (The last three now seem to be doubly accepted, as they already benefited from specific exemptions under the DPA 2018.) It also makes clear that purpose limitation is relevant when one controller wishes to use personal data for a new purpose. If controller B wishes to acquire personal data from controller A, controller A would have to consider how purpose limitation may affect disclosure of the data; however, controller B would be processing the data for its primary purpose, so purpose limitation would not be relevant (Art.8A(1)). There is also an odd provision stating that processing carried out to ensure that processing complies with GDPR, or to demonstrate that processing does so, will also be regarded as compatible.
If a controller originally relies on consent as its lawful basis, then the Bill writes into law the view held by the ICO that there is no scope to argue that processing for a further purpose can be compatible (Art.8A(4)). As consent must be specific, the only answer is to get new consent, unless a derogation applies and the controller cannot reasonably be expected to obtain consent.
The Bill makes significant changes to the structure and governance of the ICO; the role of Information Commissioner as Corporation Sole is abolished and replaced by a body corporate called the Information Commission. There are transitional provisions within the Bill to ensure that all powers and obligations of the Commissioner transfer to the Commission and that the present incumbent will become the non-executive Chair of the Commission. The new structure is essentially a modernisation of the somewhat archaic Corporation Sole model, shared with Bishoprics and the Lord Mayor of London, to a structure which is similar to that of the FCA, CMA and OFCOM.
The Information Commission will consist of non-executive members led by the Chair and executive members led by a chief executive, who will be appointed by the non-executive members. In addition to the Chair, who is appointed by the Crown on the recommendation of the Secretary of State, the Secretary of State may appoint other non-executive members, and the Commission can appoint one of the non-executive members as deputy to the Chair. The executive members of the Commission are appointed by the non-executive members. The main change is a greater role for the non-executive members; by contrast, the present model vests all authority in the Commissioner, who delegates to other members of the organisation at his discretion. This change is reinforced by the requirement that the Secretary of State must ensure, so far as practicable, that there are more non-executive members than executive members.
The proposed changes are unlikely to have any significant impact on ease of compliance, save perhaps for promoting greater consistency and a slower pace of change than under the present governance model.
Additional enforcement powers are granted to the Commission; these bolster the already significant mechanisms the ICO has to investigate and ensure compliance. The existing Information Notice powers are expanded to permit the Commission to require not only that answers to specific questions are provided, but also that specified documents be provided. This will give investigators further ability to delve into suspected areas of non-compliance and remove some of the difficulty of having to ask for information ‘blind’, without being sure which questions will elicit the most useful information. This may place a greater compliance burden upon recipients of Information Notices, as documents will have to be located and provided in addition to answering lists of questions.
The Assessment Notice provisions are expanded to allow the Commission to require the recipient to instruct an approved person to prepare a report and provide it to the Commission. The Commission can dictate the content, form and date of completion of the report and the Controller/Processor must pay for it. Provisions are set out for determining who the approved person should be. Again, this will place a greater organisational and financial burden upon recipients of such notices and shifts the cost of analysis of data breach incidents from the regulator onto the affected organisation. One intended benefit is that there will be a single ‘version of the truth’ which may save time in disputes about the factual basis of any incident being investigated.
Arguably the most impactful new power is to issue Interview Notices, whereby the Commission can call an individual to be interviewed, either in their capacity as Controller/Processor or as a present or past employee or manager of the same, and require them to answer questions. Unlike the powers described above, which are expansions of existing ones, this is an entirely new investigatory tool. Whilst other regulators possess similar powers, the ICO has not previously been able to compel individuals to speak to it, which has anecdotally been a source of some frustration. There are exemptions where parliamentary or legal privilege apply and also in respect of self-incrimination, but not in respect of potential offences under the Data Protection Act or for perjury. It is an offence to knowingly or recklessly make a false statement, and the Commission will have a power to impose a penalty notice for failure to comply with an interview notice, with significant fining powers aligned to those already available. The Commission must produce guidance on the factors to be considered when deciding to issue an interview notice. Once implemented, these powers are likely to be used in a significant number of investigations, especially the more serious and complex ones, which will place additional burdens on organisations in managing them and obtaining legal advice on how best to respond.
The Bill makes one useful change for researchers; a number of minor cosmetic/re-ordering changes; and one unhelpful change.
Researchers often want to re-use data for further research not anticipated at the date of collection. Art.14(5)(b) provides that there is no need to provide a privacy notice to individuals in this case, if this would be impossible or involve disproportionate effort, in particular for processing for research purposes. However, this exemption only applies where personal data has not been collected directly from individuals. There is no equivalent exemption for directly collected data. This can be problematic where contact details have changed, or for large cohorts where the cost of providing a new notice would make the research non-viable. A new exemption is introduced at Art.13(5); it is similar to the Art.14(5) exemption but is limited to processing for research purposes which complies with research safeguards. Art.13(6) refers to the age of the data, the number of data subjects and the safeguards applied.
Required safeguards for research were previously split between Art.89 and S.19 DPA 2018. These are now consolidated in one place, Chapter 8A UK GDPR. There are some minor drafting improvements to the previous provisions, including introducing a new acronym of “RAS purposes” (for processing for scientific and historic research and archiving in the public interest and statistical purposes), but the substance is unchanged.
New Art.4(7) provides that consent to an area of scientific research will still be “specific”, provided that, at the time consent was given, it was not possible to fully identify the purposes, this approach was consistent with generally recognised ethical standards and, so far as possible, individuals were allowed to consent to only part of the research.
There is a definition of “scientific research” which incorporates the existing text from recital 159 as well as expressly noting that research can be either a commercial or non-commercial activity. A definition of statistical purposes is included, which is processing to produce statistical surveys or results, where the resulting information is aggregate and not personal data and where the resulting information is not used to take measures or decisions with respect to an individual whose data was processed to produce the results.
The change to purpose limitation – providing that processing originally relying on consent must almost always be based on consent (see purpose limitation section above) – is potentially unhelpful and is less nuanced than the EU position. If researchers rely on consent to process personal data, then they will always need to rely on consent.
Some terms are re-defined. The changes clarify terms which privacy professionals likely already regarded as clear. By way of example, “personal data” is amended, to refer to “living individuals”, rather than natural persons, and to explain what is meant by “identified” and “identifiable”. Unhelpfully, these rules are set out in the DPA 2018, rather than in UK GDPR, meaning that practitioners will need to refer to two separate pieces of legislation in order to understand one basic term. There are similar cosmetic changes to the definition of pseudonymisation. There are also new definitions for historical research, scientific research purposes and statistical purposes and some clarificatory provisions relating to consent for scientific research. See the comments on research above.
Two of the changes to the definition of personal data are more substantive. First, new s.3A of the DPA 2018 provides that information is identifiable if the data subject is identifiable by the controller or processor (by reasonable means) at the time of processing, or if the controller or processor knows, or ought to know, that another person is likely to be able to obtain information from their processing and that it is reasonably likely that that person will be able to identify the data subject. This seems to write the “motivated intruder” test into law. It also assists in situations where party A holds personal data and wants to release a de-identified subset of this data to party B. The data processed by party B will not automatically be personal data because party A still holds identifiable source data; instead, one must consider whether it is reasonably likely that a data subject would be identifiable to party B, or whether it is reasonably likely that the data subject would be identifiable to someone other than party B and that that party would be able to obtain information from party B’s processing.
Second, new s.3A(5) provides that “an individual is identifiable by ‘reasonable means’ if the individual is identifiable by the person by any means that the person is reasonably likely to use”. In Breyer, the CJEU noted that a data subject would not be identifiable if identification was prohibited by law, or if the risk of identification is insignificant. The reference to “any means” could broaden the scope of identifiability beyond Breyer, requiring illegal means to be taken into account. The Explanatory Notes (para.106) note that whether means of re-identification are lawful “may be relevant to the overall assessment”, suggesting that this is not an automatic factor, as Breyer would suggest, so that the new definition is indeed broader.