
UK: Can the new bill deliver on its promise of 'business-friendly' data protection regulation?

On March 8, 2023, the UK Government introduced the Data Protection and Digital Information (No. 2) Bill to Parliament, alongside various statements about what the new law would achieve. In its press release of the same date, the Government advertised the Bill as a simplified framework that will "not be costly to implement," will "reduce the amount of paperwork," and provide "businesses with more flexibility," all while ensuring the regime "maintains data adequacy with the EU."

Can the Bill deliver on its lofty ambitions? Natalie Farmer, Director and Foreign Legal Consultant at Fieldfisher (Silicon Valley) LLP, scrutinizes the impact of some of the Government's core, pro-business changes.


Background

The fundamental principles underpinning the Bill remain unchanged, so how much will the Bill move the dial? On May 10, 2023, the Government published the Keeling Schedules setting out the precise details of the changes the Bill will make to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR), if it becomes law.

Legitimate interests

The GDPR's most flexible legal basis (legitimate interests) is not without its challenges. In order to rely on legitimate interests as a basis for processing, a controller must determine that the processing is necessary and that the interests pursued are not overridden by the rights or fundamental interests of the relevant data subjects. The Bill seeks to remove the need for any guesswork by green-lighting a number of activities that will be deemed to meet the standard; these interests will be listed in the UK GDPR as 'recognised legitimate interests.' Additionally, the Bill introduces a non-exhaustive list of activities that may be considered necessary for the purposes of a legitimate interest (including direct marketing, intra-group data transfers for business administration purposes, and network and information security).

Business-friendly assessment

The current focuses of the 'recognised legitimate interests' (for which no legitimate interest assessment is needed) are national security, emergency situations, and safeguarding the vulnerable. There is scope to expand this list, which could prove valuable to businesses if the Government decides to introduce greenlit commercial activities. However, as it stands, the recognized legitimate interests are of limited application. With respect to direct marketing, intra-group data transfers, and network and information security (the activities which 'may' be considered necessary for a legitimate interest), the proposal provides some comfort; however, these are activities that in many cases would have been able to proceed on the basis of legitimate interests in any event. Overall, the Bill's attempt to add certainty to the legitimate-interests basis for processing seems unlikely to yield a significant benefit to commercial organizations.

Scientific research for commercial purposes

UK data protection law provides derogations from certain core requirements where the processing in question is undertaken for scientific research purposes. The Bill introduces a new definition of scientific research purposes which clarifies that such purposes can exist irrespective of whether the research is carried out in connection with commercial or non-commercial activities. Additionally, the new definition explains that scientific research should be understood to include 'any research that can reasonably be described as scientific' and shall include processing 'for the purposes of technological development.'

Business-friendly assessment

This change could potentially be very useful for businesses reliant on data processing for research and development purposes, particularly in the field of artificial intelligence (AI) or where technological developments are underpinned by machine learning, requiring large volumes of data that may be difficult to reproduce. The derogations applicable to processing for scientific research purposes limit the application of data subject rights, including the right to access data and the right to restrict data processing; processing falling within the definition would be exempt from the need to build out data subject rights processes that may be impossible to reconcile with the purposes pursued. Additionally, the Bill confirms that processing for the purpose of scientific research will not violate the purpose limitation principle, even where the data in question was originally collected for a different purpose; in other words, scientific research processing will be deemed 'compatible' without the need for further assessment, which will potentially provide a huge amount of flexibility for data controllers to repurpose data in this context.

International transfers

The Bill introduces a new regime for UK data transfers and decision-making in connection with UK adequacy regulations, which departs from the European Commission's standard of 'essential equivalence.' The Bill proposes that a third country can be deemed 'adequate' where the standard of data protection in the third country is not 'materially lower' than under the UK GDPR when 'taken as a whole,' recognizing different legal and cultural approaches to protecting privacy, as well as the country's respect for the rule of law and human rights. Similarly, the Bill also provides that when using an alternative transfer mechanism (such as Standard Contractual Clauses (SCCs)) organizations 'acting reasonably and proportionately' must consider whether the standard of protection provided in the context of the third country's laws and practices would result in a materially lower standard than under the UK GDPR.

Business-friendly assessment

The UK data transfer regime builds in flexibility which is absent from the EU regime under the EU General Data Protection Regulation (EU GDPR). The holistic approach to reviewing the laws and practices of recipient jurisdictions should allow the Government to establish adequacy with greater ease than under the 'essential equivalence' standard. The real business benefit, however, may be limited if the UK's adequacy in the eyes of the European Commission is jeopardized by a more flexible onward transfer regime. Additionally, global businesses are likely to need to comply with the EU GDPR alongside the UK framework, which may require additional safeguards for transfers to third countries notwithstanding that the UK has granted adequacy.

Reducing administrative burdens

ROPAs/DPIAs

The Bill reduces the scope of the record of processing activities (ROPA) requirement, such that controllers and processors will only be required to maintain a ROPA where they carry out processing activities that are likely to result in 'high risk to the rights and freedoms of data subjects.' The Bill also removes the Data Protection Impact Assessment (DPIA) requirement and replaces it with a more flexible assessment obligation, limited to instances of high-risk processing.

Business-friendly assessment

Data mapping is an essential first step for any data protection compliance project and generally overlaps with the requirement to complete a ROPA. Removal of the ROPA requirement will not alleviate the burden of data mapping, but the removal of the prescribed format will be welcomed by businesses. Equally, the Bill's requirement to assess high-risk processing certainly feels like a less burdensome project than the completion of a DPIA.

Removal of UK representative requirement

The Bill proposes to remove the requirement for controllers and processors not established in the UK to appoint a UK representative. The Bill does not replace the role with any alternative function.

Business-friendly assessment

This change is likely to be well received by non-UK businesses that fall within the scope of the UK GDPR as it will instantly remove a compliance cost from the business (i.e., the cost of appointing a third-party service provider to provide this function). Given the ease by which non-UK businesses can be contacted electronically, the removal of the representative requirement does not seem likely to have a real impact on the ability of data subjects and regulators to contact non-UK controllers and processors (and ultimately enforce the law).

Replacement of the DPO role

The Bill replaces the requirement to appoint a data protection officer (DPO) with a new requirement to designate a 'senior responsible individual' (SRI). The new SRI requirement applies only to public bodies or organizations involved in high-risk processing. SRIs must be members of senior management (with responsibility for significant decision-making in connection with the management or organization of the business), but the Bill does not stipulate any other credentials. The SRI's functions are largely aligned with the role of the DPO, but the Bill makes special provision for the management of conflicts of interest. Unlike a DPO, who cannot be appointed where there is a conflict of interest, an SRI can delegate a task if a conflict arises but otherwise continue to perform the SRI role.

Business-friendly assessment

For some businesses, particularly smaller businesses who have outsourced their DPO, the replacement of the DPO role with the role of the SRI may be a welcomed cost saving. On the other hand, the SRI requirement places a burden on senior management and may result in the diversion of valuable management time. On the whole, however, the replacement of the complex threshold criteria for the appointment of a DPO with the more straightforward high-risk processing standard for SRIs will reduce uncertainty for businesses and limit the legal analysis required in connection with the appointment.

Changes to data subject rights

The Bill will replace the 'manifestly unfounded or excessive' threshold for refusing data subject rights requests with a 'vexatious or excessive' threshold. When deciding whether a data subject request is vexatious or excessive, the Bill explicitly permits controllers to take into account their resources, the nature of the request, whether the request is repetitive, and how long ago any previous request was made. The Bill also gives specific examples of requests that may be considered vexatious (and could therefore be lawfully refused by the controller), including requests that are:

  • intended to cause distress;
  • made in bad faith; or
  • an abuse of process.

Business-friendly assessment

This change lowers the standard for the refusal of a request and gives controllers tangible grounds for refusal. Controllers will still need to be able to evidence the reasons why they consider a request to be vexatious, but the codified examples provide far more certainty than under the current law. This change could cut down the administrative burden of dealing with nuisance requests designed to consume management time, freeing up resources for genuine privacy-related inquiries. On this basis, this is a business-friendly change, which creates more room for maneuver for a controller to allocate scarce resources; but controllers will likely be cautious given the likelihood that a refusal is escalated to the regulator (at least until the regulatory guidance catches up with the changes to the law).

Automated decisions

The current UK GDPR includes a general prohibition on the taking of automated decisions (i.e., decisions based solely on automated processing), where those decisions produce legal or 'similarly significant effects' on the individual, unless such decision-making falls into one of the limited exemptions. The Bill entirely reframes the automated decision-making rules, with the general prohibition applying only where the automated decision is based entirely or partly on special categories of personal data or relies upon the new 'recognised legitimate interest' basis for processing. The result is that the Bill allows for significant decisions to be taken based on solely automated processing, where the processing is based on a traditional legal basis under the UK GDPR and involves personal data which does not fall within the special categories. With respect to this decision-making, the Bill prescribes various safeguards (including allowing the data subject to obtain human intervention and contest the decision).

Business-friendly assessment

As noted above, the Bill turns the current regime on its head, permitting automated decision-making across a wide range of non-sensitive processing, in place of the current general prohibition. While valuable safeguarding remains and automated decisions taken on the basis of special categories of data are off the table (unless an exemption applies), the Bill's revised regime provides a more fertile ground for technological innovation, consistent with the Government's wider agenda.

New exemptions from the cookie rules

The PECR currently prohibit the use of cookies and similar technologies (i.e., technologies which store or access information on a user's terminal device) without the end user's consent unless such technologies are 'necessary for the provision of [the service] requested.' With the exemption narrowly interpreted, most cookies and similar technologies require prior end-user consent before deployment. The Bill expands the list of exemptions to allow cookies to be used, without prior consent, for the purpose of:

  • collecting statistical information about an online service, in order to make improvements to that service;
  • enabling the appearance or function of a website to reflect user preferences;
  • installing necessary security updates to software on a device; and
  • identifying an individual's geolocation in order to process a request for emergency assistance.

Business-friendly assessment

The enumerated exemptions from the consent requirement will inevitably reduce the number of consents that a business has to obtain for UK compliance purposes. The existing, narrow exemption for 'necessary' cookies does not provide businesses with a great deal of certainty or flexibility to bypass the consent requirement for vital processing; the Bill provides a change that is likely to be welcomed in this respect.

Conclusion

While the Bill introduces changes that will inevitably lower the compliance burden, the revised version of the UK data privacy framework is unlikely to be a regime that is 'not costly to implement.' The removal of unnecessary paperwork and mandatory outsourced compliance functions are business-friendly steps, but data privacy compliance in the UK will remain complex and will still require significant investment.

On the other hand, the Government's ambition to provide 'businesses with more flexibility' may be achieved through the Bill. Changes to the rules on automated decision-making and the expanded definition of scientific research may open a number of doors for businesses, potentially paving the way for increased innovation.

Whether businesses will 'save billions' remains to be seen.

Natalie Farmer Director (Registered Foreign Legal Consultant with the State Bar of California)
Fieldfisher (Silicon Valley) LLP, Palo Alto