Data Protection and Digital Information Bill (No 2)

On 8 March 2023, the Government confirmed that DPDI Bill (No 1) had been withdrawn and Secretary Donelan introduced the Data Protection and Digital Information Bill (No 2) (DPDI Bill (No 2)).

In the official press release, Secretary Donelan said it would “unlock £4.7 billion in savings for the UK economy over the next 10 years and maintain the UK’s internationally renowned data protection standards so businesses can continue to trade freely with global partners, including the EU”.

The press release further describes this as a "new common-sense-led UK version of the EU’s GDPR" which will "reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online".

This Bill was debated at second reading on Monday 17 April 2023 and has now been sent to a Public Bill Committee which will scrutinise the Bill line by line and is expected to report to the House by Tuesday 13 June 2023.

Important revisions introduced in DPDI Bill (No 2) include:

Enabling innovation

Previous Bill

Clarified how personal data can be used for research, statistical and historical purposes and clarified the meaning of these purposes. The intention being to make it easier for scientists to use personal data for research purposes and conduct important research for the public good.

New Bill

The changes are retained, with new wording added to clarify that “scientific research purposes” include both commercial and non-commercial activity, and a change broadening the meaning of “scientific research” to encompass processing activities which can “reasonably be described as” scientific in nature.

Legitimate Interest

Previous Bill

Changed the scope of what is considered to be a legitimate interest. Legitimate interest is a lawful basis for processing under which personal data may be used by the controller or a third party, provided their legitimate interests are not overridden by the rights and freedoms of the individual. The previous bill specified that certain interests are “recognised legitimate interests”, meaning it will not be necessary to carry out that balancing test for them.

New Bill

Retains the changes to the scope of what is considered a “legitimate interest” and adds a new clause providing three non-exhaustive examples of processing that may be considered necessary for the purposes of legitimate interests: processing necessary for direct marketing, for ensuring the security of IT systems, and for intra-group transmission of personal data for internal administrative purposes.

Chris Combemale, CEO of the Data and Marketing Association, has welcomed this move: “Attracting and retaining customers and donors is a fundamental legitimate interest of businesses and charities, so we are delighted the government has acknowledged this in the reforms to help drive innovation and growth.”

The fact that direct marketing may be carried out as a legitimate interest is not new; it is already in GDPR Recital 47, but it is now reinforced by its presence in the Bill. However, we have to remember that under the UK’s Privacy and Electronic Communications Regulations (PECR) there will still be certain circumstances where consent is required rather than legitimate interests.

It is also worth keeping an eye on the Experian-ICO case. A recent tribunal decision on appeal supported Experian’s assertion that its uses of data for specific direct marketing purposes are a valid legitimate interest. The ICO is planning to appeal the decision, however.

International Transfer Regime

Previous Bill

International transfers have always been part of the UK data protection regime, and the previous bill did not make changes to the UK's existing transfer safeguards. It introduced a data protection test for data exporters to apply when making transfers and assessing the protection offered in the recipient country.

New Bill

Press release: The Government press release states the improved bill will “support even more international trade without creating extra costs for businesses if they’re already compliant with current data regulation.”

Clarifies that transfer mechanisms used to transfer personal data outside the UK which were lawfully entered into before the new bill comes into force will continue to be valid.

Cookies

Previous Bill

Cookie regime amended to permit the use of cookies without obtaining consent for certain additional defined purposes, including statistical purposes to assess how services on a website are used, in order to improve the services or the website. These changes apply to the Privacy and Electronic Communications (EC Directive) Regulations 2003.

New Bill

Press release: The Government press release states that the UK Government aims to reduce annoying cookie pop-ups.

The new bill has not made any further changes to the Privacy and Electronic Communications (EC Directive) Regulations 2003 but has retained the changes proposed in the previous bill.

Data Protection Rights – Automated decision making

Previous Bill

Changes to automated decision making: a decision is based solely on automated processing if there is no meaningful human involvement in the taking of that decision.

New Bill

Press release: The Government press release highlights the DPDI Bill (No 2) aims to increase public spending and business confidence in AI technology, by clarifying the circumstances when robust safeguards apply to automated decision making.

The new bill clarifies that, when assessing whether there is meaningful human involvement in the act of decision making, a person must consider the extent to which the decision is reached by means of profiling.

Some other points worth noting:

How personal data is defined

Existing law: The definition of personal data under GDPR is very broad, and organisations need to carefully consider whether an individual could be identified directly or indirectly. For example, could data be matched with other data to identify someone?

Proposed: The Bill introduces the concept of an ‘identifiable living individual’. It is proposed that an individual would only be ‘identifiable’ if the means to identify them are available to the controller, the processor or others likely to receive the data.

This is a nuanced change which, in limited circumstances, could mean some data no longer falls within the scope of UK data protection law. This could prove a welcome development for some organisations, but it will still be necessary to justify why you consider certain data could not reveal an ‘identifiable living individual’.

Data Protection Risk Assessments

Existing law: Organisations are required to conduct a Data Protection Impact Assessment (DPIA) for high-risk processing activities. The ICO and many EU regulators provide lists of examples of when a DPIA must be conducted (and when it might be a good idea). UK/EU GDPR sets out what criteria should be included in an assessment.

Proposed: Businesses will no longer be required to conduct a DPIA. They will need to carry out an assessment for high-risk processing, but will have more flexibility and will not be tied to specific DPIA requirements or templates.

Increased flexibility for organisations regarding when and how they conduct risk assessments should be welcomed. However, if you currently have an effective risk screening process and DPIA template which works for your business, and many do, you may decide there is no reason to ‘fix something that’s not broken’.

DPIAs are a well-established method of identifying and mitigating privacy risks prior to the launch of any project involving personal data. We recognise some organisations may wish to benefit from the new flexibility and look for efficiencies by adopting a streamlined, and perhaps bespoke, process for risk assessments.

Senior Responsible Individual

Existing law: Some (but certainly not all) organisations fall within the mandatory requirement to appoint a Data Protection Officer (DPO). Others have voluntarily chosen to appoint one. A DPO’s position within the business, responsibilities and tasks are mandated under UK GDPR.

Proposed: Organisations will no longer need to appoint a DPO. If they are a public authority or carry out ‘high risk’ processing, they will instead be required to appoint a Senior Responsible Individual (SRI): someone accountable within the business for data protection compliance. This individual must be a member of senior management.

There has been some misunderstanding about which organisations are required to appoint a DPO. Some businesses have felt they needed to appoint one when in fact they did not. Others have appointed DPOs virtually in name only, without fully appreciating the legal obligations relating to the role. Ultimately, more clarification is needed on exactly how the SRI role should operate in comparison to the current DPO role.

Increased fines under PECR

Existing law: Fines for violations under UK PECR are capped at £500,000.

Proposed: Bring the level of maximum fines in line with UK GDPR, meaning the ICO could issue fines of up to circa £17 million, or 4% of a business’s global turnover.

The ICO tends to take a proportionate approach to enforcement, and we envisage substantial fines would be reserved for spammers and rogue telemarketing businesses who flagrantly disregard the rules. If this goes some way towards deterring bad operators and protecting the public, it could be a good thing.

Information Commission

The Information Commissioner’s Office (ICO) could be renamed the Information Commission. It will act as an independent body, with plans for new reporting obligations to the Government; the intention is that there will be more government oversight of the Commission.

Conclusion

DPDI Bill (No 2) introduces more flexibility for organisations in how they manage their record keeping and compliance with data protection legislation. In addition, the proposed changes to the cookies regime give more flexibility; for example, they may allow the use of certain analytical cookies without consent where the data is being used to improve services or websites.

Organisations will need to consider the proposed requirements of DPDI Bill (No 2) carefully and understand how it will change UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Organisations will need to check that their current standards and internal processes meet the proposed new requirements established by DPDI Bill (No 2). In the majority of cases, organisations that are compliant with the current data protection regime will also be compliant with the new regime.

Whilst the DPDI Bill (No 2) will see the UK data protection regime moving further away from the EU data protection regime, the DPDI Bill (No 2) is not a radical change. The main thrust of the UK data protection regime will stay the same but some of the proposed changes in DPDI Bill (No 2) will reduce the compliance burden on businesses.

As with DPDI Bill (No 1), the most significant question is whether the changes proposed will, in the eyes of the EU, mean personal data is not considered to be adequately protected in the UK and put the UK's adequacy decision with the EU at risk.

What next?

The Bill will progress through Parliament and may be amended further. If it does not progress quickly enough it may stumble, and if it fails to pass before a general election, would a new Government be so keen on reform?