
UK: New year, new department, new bill

Headlined by the recently established Department for Science, Innovation and Technology ('DSIT') as a bill capable of saving British businesses billions, £4.7bn to be precise, the second version of the Data Protection and Digital Information Bill, the Data Protection and Digital Information (No. 2) Bill ('DPDI No. 2'), was introduced into Parliament on 8 March 2023. Joanne Bone, Partner at Irwin Mitchell LLP, explores some of the provisions of DPDI No. 2, such as the changes to legitimate interests, cookies, and record-keeping requirements.


A Second Reading, and therefore the first opportunity for MPs to debate the provisions of DPDI No. 2, has been provisionally scheduled for Monday 17 April 2023. Until then, it is unclear whether the Bill is likely to proceed in its current form.

So far, we are waiting for comment from the European Commission and the European Data Protection Board ('EDPB'). John Edwards, the UK's Information Commissioner, has been broadly supportive and has said "I welcome the reintroduction of the Data Protection and Digital Information Bill and support its ambition to enable organisations to grow and innovate whilst maintaining high standards of data protection rights".

The views of the European Commission are particularly important since there are concerns that, by moving away from the General Data Protection Regulation (EU) 2016/679 ('GDPR'), the UK may be putting its adequacy decision from the EU at risk. Keeping adequacy is key to ensuring that data continues to flow between the EEA and the UK without additional controls and formalities. This is certainly something recognised by the DSIT: whilst its press release says it wants to move away from the 'one size fits all' approach of the EU GDPR, it also says that it still seeks to keep data adequacy. Certainly, if adequacy is lost, the savings referred to by the DSIT may turn into substantial costs. An updated Impact Assessment from the Regulatory Policy Committee [1] was published on 28 March 2023, stating that the cost of losing the EU adequacy decision would be between £2.1bn and £3.8bn over a decade.

So, what does the DPDI No. 2 change? Whilst there are additional provisions, much of the groundwork was laid by the first DPDI.

There are some clear positives for organisations coming out of the reform. It provides a list of recognised 'legitimate interests': if the processing falls within the list, the balancing test normally required won't need to be done. It appears to lower the threshold at which organisations may refuse to respond to data subject access requests ('DSARs'), it clarifies that the exemption given to research extends to commercial research as well as public sector research, and it makes it clear that non-commercial organisations, such as charities, don't need to get opt-in consent for fundraising and promoting their aims.

There are also some changes where it is unclear what the practical impact will be. These include the change from a data protection officer ('DPO') to a Senior Responsible Individual, the change from a Data Protection Impact Assessment ('DPIA') to a 'risk assessment', and the changes to the obligation to keep an Article 30 record of processing, or Record of Processing Activities ('RoPA').

Changes to legitimate interests

Legitimate interests is a flexible lawful basis widely used by businesses for the processing of personal data. The difficulty with it is that businesses often struggle with the requirement to balance their interests against those of the individual. DPDI No. 2 removes the need for this assessment where the processing falls within certain 'recognised legitimate interests'. These are set out in Annex 1 to the Bill and include, amongst others, processing necessary for the purposes of responding to an emergency and processing necessary for the purposes of safeguarding a vulnerable individual. A procedure is also set out for the UK Government to add to this list in the future. Any processing outside the list will, however, still require the organisation to carry out the balancing test.

Changes to DSARs

DPDI No. 2 retains the proposal from the first bill to change the wording for the threshold of when organisations can decline to respond to a DSAR. The EU GDPR/UK GDPR's 'manifestly unfounded or manifestly excessive' threshold for refusing requests or charging a reasonable fee is replaced with a new 'vexatious or excessive' threshold.

Current guidance from the Information Commissioner's Office ('ICO') on the right of access provides a limited list of circumstances where 'manifestly unfounded or manifestly excessive' might apply, for example, where an individual makes a request but then offers to withdraw it in exchange for a benefit from the organisation, or where the request is being used to target a member of staff against whom the requester has a personal grudge.

The scope of what falls within 'vexatious or excessive' in DPDI No. 2 seems to be broader and to permit organisations to refuse to respond in more cases. Controllers will now be able to take their resources into account and may be able to refuse requests intended to cause distress, not made in good faith, or which are an abuse of process. The devil is in the detail, and it is hoped that the ICO will issue guidance promptly to shed some light on where the line is drawn.

A further welcome clarification is that DPDI No. 2 makes it clear that the time period for responding to a request does not run whilst the controller is waiting for the requester to confirm their identity (if requested), to provide any reasonably necessary clarifications requested by the controller, or to pay any fees due.

At the time of writing, it appears that the reference to fees is to fees payable where the request is 'vexatious or excessive': charging the individual making the request is an alternative to refusing to deal with it. It had been thought that a general fee for making a DSAR might be reintroduced, but that does not appear to be the case.

Email and other electronic marketing

Email and other digital marketing consents are often tricky for an organisation to obtain, as customers will often choose not to opt in. Under the current provisions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ('PECR'), commercial organisations can rely on a simpler route: the soft opt-in. Broadly speaking, where a business has already sold something to a customer, wishes to sell that customer more of the same or similar products or services, and has given the customer the ability to opt out of marketing both at the point their data was collected and in each subsequent communication, then that business can market to them without opt-in consent. This route has not previously been available to non-commercial organisations such as charities for their fundraising activities. DPDI No. 2 changes this and permits the soft opt-in to be used by non-commercial organisations to promote their charitable, political, and other non-commercial aims.

Cookies

While the EDPB's best practice guidance on cookie banners has become more restrictive, requiring a 'reject all' button, DPDI No. 2 relaxes the UK approach. The ability to set cookies without consent will be extended to purposes such as collecting statistical information to improve an online service, allowing a website to adapt to a user's preferences for its functions or appearance, installing security updates, and identifying the location of an individual in an emergency. Whilst this initially appears useful to UK businesses, if the website serves users in the EEA as well, the stricter EDPB guidance will still need to be met, so a single consent mechanism built to the UK exemptions alone will not be enough.

It is important to note that the AdTech industry does not consider that DPDI No. 2 goes far enough: the Interactive Advertising Bureau is disappointed that it does not extend the cookie consent exemptions to advertising measurement and analytics.

Clarification of what is personal data and when it is anonymous

Whilst the basic definition of personal data is retained, DPDI No. 2 clarifies when individuals are 'identifiable' and when data can be regarded as anonymous and therefore outside the data protection regime.

DPDI No. 2 also clarifies the position where a controller or processor loses control of data because it failed to implement appropriate security measures. That failure means the controller or processor knew, or ought reasonably to have known, that a third party would be able to process the data so as to relate it to an identifiable individual. In that case, the individual is to be regarded as identifiable, even if they were not before the loss of control. The practical consequence is that a dataset can only be treated as anonymous for as long as the security measures that prevent re-identification actually hold: a breach of poorly protected data can turn what was regarded as anonymous information back into personal data.

No need for UK representatives

DPDI No. 2 removes the requirement for non-UK established businesses to appoint a UK representative. This is likely to be widely welcomed by overseas organisations.

Record keeping and RoPAs

Under DPDI No. 2, only organisations whose processing results in a high risk to the rights and freedoms of individuals are required to maintain RoPAs. Even then, the type of record has changed, although it is broadly similar to that required by Article 30 of the UK GDPR. Whilst this will undoubtedly be welcomed by organisations struggling to keep their RoPA up to date, not having a record will make it harder for a business to maintain a picture of its data processing and, consequently, harder to understand what other compliance obligations it has.

DPOs are no more

The role of the DPO no longer exists under DPDI No. 2. Instead (as was the case under the first DPDI), organisations are required to appoint a Senior Responsible Individual if they carry out high-risk processing or are a public body. This obligation applies to both controllers and processors. It is hard to see how much difference this will make in practice.

DPIAs are also gone

DPDI No. 2 removes the need to carry out a DPIA but still requires organisations to identify and manage the risks relating to their processing where that processing is high risk. Again, whilst more flexibility around how to manage risk is now permitted, there is no wide-ranging change here.

Automated decision-making

Clause 11 of DPDI No. 2 makes a significant change to Article 22 of the UK GDPR. It substitutes the whole of Article 22 with a new provision under which decisions based solely on automated processing are restricted, and subject to conditions, only where the processing involves special category data.

It also clarifies what is meant by automated decision-making, explaining that a decision is based solely on automated processing only where there is no meaningful human involvement in it.

What can organisations do now to prepare?

The text of DPDI No. 2 is not yet set in stone, but since some of its key provisions come from its predecessor, it may not change significantly, not least because the first DPDI was regarded as 'pretty uncontentious' [2] by Labour. It would therefore be sensible to consider the impact of the Bill and plan for its implementation, whilst keeping an eye out for changes, of course.

If an organisation is purely UK-focused and not caught by the extra-territorial effect of the EU GDPR, it has more latitude to change its approach and take advantage of the relaxations, such as those to the cookie rules and to the obligations in relation to RoPAs and DPIAs. It is likely, however, that many businesses will have European operations or be caught by the extra-territorial effect of the EU GDPR, and their ability, or indeed appetite, to adopt the more relaxed approach may be much more limited. Such a business may wish to stick with the EU GDPR approach for all of its operations to make life easier, and certainly many of the reforms permit sticking with the EU approach.

Non-commercial organisations should consider how they could adapt their systems to move to the soft opt-in approach for the electronic promotion of their aims and fundraising.

Ultimately, it will be interesting to see whether DPDI No. 2 has the impact the Government wants in reducing the red tape in data protection, or whether businesses decide to largely stick with the systems they established in 2018 for the GDPR.

Joanne Bone, Partner
[email protected]
Irwin Mitchell LLP, Leeds
1. See: https://www.gov.uk/government/publications/data-protection-and-digital-information-no-2-bill-rpc-opinion-green-rated
2. See: https://hansard.parliament.uk/commons/2022-09-05/debates/FB4997E6-14A2-4F25-9472-E2EE7F00778A/BusinessStatement