On 18 July 2022, following its recent response to the public consultation on the reform of UK data protection law (see our blog post on the response here), the UK Government introduced its draft Data Protection and Digital Information Bill (the “Bill”) to the House of Commons.
The Bill is 192 pages, and contains 113 sections and 13 Schedules, which amend and sit alongside existing law (the UK GDPR, Data Protection Act 2018 (“DPA”), Privacy and Electronic Communications Regulations 2003 (“PECR”), the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, etc.). Some readers’ immediate reaction might be to query whether the Bill will simplify the legislative framework for businesses operating in the UK and facilitate the goal of the Information Commissioner to provide “certainty” for businesses. Time will tell. The Government’s publication of a Keeling Schedule (essentially a redline of the UK GDPR and DPA 2018 showing the changes resulting from the Bill), expected in the Autumn, will be welcome.
Much of the content of the Bill was previewed in the Government’s consultation response and includes proposed changes that are designed to reduce the administrative burden on business to some extent. The Bill is by no means a radical departure from existing law, however, and in some key areas – such as data transfers – the law will essentially remain the same. But we now have additional important details on proposed changes to UK data protection law, and we set out in this post our immediate thoughts on some details that are worth highlighting.
Processing activities with a ‘recognised legitimate interest’
Schedule 1 to the Bill sets out the types of processing activities which the Government has determined have a “recognised legitimate interest”, and which will not require a legitimate interest balancing test to be carried out. This list may come as a disappointment to some as it is not as broad as the UK Government’s original consultation envisaged. The list includes processing personal data for the purpose of detecting, investigating, or preventing crime; disclosures to people carrying out tasks in the public interest (e.g., responding to non-binding requests for data from law enforcement authorities); and a fairly broad category of processing necessary for the purposes of “democratic engagement”.
This list is not static, however, as the Bill grants the Secretary of State for Digital, Culture, Media & Sport the power to amend or add to this list of recognised legitimate interests through secondary legislation.
Amended rules on “compatible” processing, including purposes deemed compatible with the original purpose
Section 6(3) of the Bill indicates that where a controller wishes to process personal data for a new purpose, and determines that the new purpose is compatible with the original purpose(s), they will still need to establish a valid legal basis. This is a departure from the current position under the UK GDPR, where Recital 50 expressly states that no new legal basis is necessary in these circumstances. This could increase the burden on controllers, who in some circumstances would need to (a) assess whether a new use of data is compatible with the original purposes, and (b) conduct a separate legitimate interests assessment.
In addition, Schedule 2 to the Bill introduces a list of processing purposes which will by default be considered compatible with the original processing purposes. These purposes are similar to those which are considered to be ‘recognised legitimate interests’ mentioned above, meaning that, in addition to these purposes being deemed “compatible”, controllers will not need to conduct a balancing test in relation to them. The list also contains some additional purposes, including processing for the protection of the vital interests of data subjects or processing that is necessary for compliance with a legal obligation (in addition to the existing presumption that processing for scientific and historical research, archiving, and statistical purposes is compatible).
Broad scientific research definition
At the heart of the UK Government’s approach to data protection reform was the idea that data protection rules should not restrict scientific research and development. The consultation response indicated that the UK Government would create a statutory definition of “scientific research” based on the language of Recital 159 GDPR. The Bill does this, but reframes the language from Recital 159 in a way that arguably broadens the scope to cover “privately funded…technological development or demonstration” (s. 2). It is possible that private companies’ internal product development and improvement could, therefore, be captured by this definition. This could give companies greater scope to use existing data for product development, as Article 6(4) GDPR presumes that scientific research will generally constitute a compatible purpose.
Less prescriptive GDPR accountability obligations
As previewed in the Government’s consultation response, the Bill removes the requirement for companies to appoint a data protection officer (“DPO”), and replaces it with a requirement to appoint a “senior responsible individual” (“SRI”) (s. 14). The SRI has a similar role and tasks to a DPO under the GDPR, but without, for example, such strict independence requirements. In addition, an SRI is only required to be appointed where there is processing that is likely to result in a high risk to the rights and freedoms of individuals. In any event, John Edwards, the Information Commissioner, has stated that the ICO will still take account of whether companies have appointed a DPO when conducting investigations, and that he expects companies whose activities involve a lot of data processing to appoint such a DPO.
The Bill also replaces the existing obligations to conduct data protection impact assessments and maintain records of processing with similar, but arguably less prescriptive, requirements (ss. 17-18). For example, an “assessment of high risk processing” will need to contain only “a summary of the purposes of the processing”, and not “a systematic description of the envisaged processing operations and the purposes of the processing”, as is required under the EU GDPR. In addition, the content requirements for records of processing are arguably more flexible, although controllers and processors must assess what is appropriate in light of, among other things, the nature, purposes, scope and risks of the processing.
Notably, the Bill replaces the obligation to consult the ICO if an assessment reveals a high risk arising from the processing with an option to do so (presumably because, as the UK Government noted in its response to the consultation, compliance with the obligation is patchy).
Specified situations where cookies can be used without consent
Section 79 of the Bill introduces one of the most discussed reforms to the UK’s Data Protection regime, permitting the use of cookies for what the Explanatory Notes term “purposes that are considered to present a low risk to people’s privacy”. The Bill will allow the use of cookies without consent (albeit subject to certain conditions) for ‘non-intrusive’ specific purposes, namely first-party analytics, enabling website functionality, software security updates, or for emergency assistance (and with scope for the Secretary of State to expand that list). Although this does not do away with cookie consent entirely, the Bill empowers the Secretary of State to require a specific person to develop or make available a mechanism that allows users’ consent choices to be honored across different websites or services.
The purposes for which cookies can be used without consent are similar to those set out in the proposed EU ePrivacy Regulation. Unlike the Council of the EU’s proposals for the ePrivacy Regulation, the Bill does not include any provisions that would enable electronic communications service providers to use communications data for additional purposes.
Greater penalties for PECR breaches and additional direct marketing-related obligations on communications service providers
As set out in the consultation response, the Bill will align the potential penalties for breaches of PECR – including the direct marketing rules – with those set out in the GDPR. In addition, the Bill would require providers of services that enable direct marketing to inform the ICO if they have “reasonable grounds to believe” that their service is being used to infringe these rules. It is not clear, however, in what circumstances such grounds would arise.
Removing the prohibition on automated decision-making in Article 22 GDPR
The Bill will amend Article 22 GDPR to grant data subjects rights to specific safeguards over covered automated decision-making (e.g., rights to human review and to contest decisions), rather than imposing an outright prohibition with exceptions (s. 11). This may give controllers more scope to rely on the legitimate interests legal basis for automated decision-making, but there is also a specific obligation for controllers to provide information about specific decisions to data subjects, which arguably goes beyond the existing requirements.
A new Information Commission, and new approaches to enforcement
Consistent with the Government’s consultation response, the Bill would scrap the Office of the Information Commissioner as it is currently constituted and replace it with a body corporate called the Information Commission, with the same functions as the current Information Commissioner, but with a different structure and subject to greater oversight from the Government (ss. 101 and 102). Interestingly, the Commissioner, John Edwards, has reportedly indicated in recent speeches that the Commission may take a new approach to enforcement, may focus on restoration for victims of infringements, and may look to make binding rulings about business practices or questions of law outside the context of an investigation.
Additional provisions
The Bill also covers matters quite separate from the UK GDPR, the DPA and PECR, including rules around digital verification services (ss. 46-60), how overseas trust services will be recognised (ss. 87-91), and how the Government can create rules through secondary legislation to mandate Open Data schemes such as Open Banking (ss. 61-77). It also empowers the Secretary of State to pass regulations to implement data sharing agreements for law enforcement purposes (s. 93).
Next steps
The Bill was formally introduced to Parliament on 18 July, and has not yet been the subject of any scheduled debate. Parliament is now in recess, and will return on 5 September 2022, by which point there will be a new Prime Minister, so there is scope for the Bill to change as it progresses through Parliament. The Bill is expected to take around 9 months to achieve its full passage through Parliament, meaning it will potentially receive Royal Assent in Spring 2023. The Covington team will monitor developments and can answer any further questions about the Bill or the legislative process.