
UK: Overview of the Data Protection and Digital Information (No. 2) Bill

Plans for reforming the UK's post-Brexit data protection framework have recommenced with the introduction of the Data Protection and Digital Information (No. 2) Bill ('the Bill')1 on 8 March 2023. The earlier Data Protection and Digital Information Bill ('Bill No. 1')2, introduced on 18 July 2022, was withdrawn on the same day. In this Insight, OneTrust DataGuidance Research provides a snapshot of the Bill, along with details on some of the key provisions businesses should take into account.


Introduction

The accompanying Explanatory Notes to the Bill ('the Explanatory Notes')3 provide that the Bill is intended to update and simplify the UK's data protection framework, with a view to reducing burdens on organisations, while maintaining high data protection standards. In addition, the Explanatory Notes highlight that the Bill would provide organisations with greater flexibility on how to comply with certain aspects of data protection legislation, improve the clarity of the framework, particularly for research organisations, and provide more certainty and stability for cross-border flows of personal data.

Notably, the Bill consists of the following six parts:

  • Part 1 - Data protection;
  • Part 2 - Digital verification;
  • Part 3 - Customer data and business data;
  • Part 4 - Digital information - privacy and electronic communications;
  • Part 5 - Oversight and enforcement; and
  • Part 6 - Final provision.

Definitions

Personal data

The UK General Data Protection Regulation (Regulation (EU) 2016/679) ('UK GDPR') and the UK Data Protection Act 2018 ('the Data Protection Act') apply to the processing of personal data, which is defined in Section 3 of the Data Protection Act as any information relating to an identified or identifiable living individual.

In line with Bill No. 1, Clause 1 of the Bill amends Section 3 of the Data Protection Act to provide that information will be considered as relating to an 'identifiable living individual' where:

  • the living individual is identifiable by the controller or processor by reasonable means at the time of processing; or
  • the controller or processor knows, or ought reasonably to know that:
    • another person will, or is likely to, obtain the information as a result of the processing; and
    • the living individual will be, or is likely to be, identifiable by that person by reasonable means at the time of processing.

Furthermore, Clause 1 of the Bill adds new sections to clarify and further expand on the requirements in the abovementioned bullet points, to assist organisations in assessing whether the information is considered personal data.

Scientific research

The Department for Science, Innovation and Technology ('the Department') noted in its press release that current data laws are unclear on how scientists can process personal data for research purposes, which holds them back from completing vital research that can improve the lives of people across the country. Against this background, Clause 2 of the Bill inserts a definition of scientific research into Article 4 of the UK GDPR.

Under that definition, processing for scientific research purposes covers any research that can reasonably be described as scientific. Provided that test is met, it does not matter whether the research is privately or publicly funded, or whether it is carried out as a commercial or non-commercial activity.

Legal bases

Scientific research

In line with Bill No. 1, Clause 3 of the Bill amends Article 4 of the UK GDPR to clarify how controllers processing personal data for scientific research purposes can obtain consent to an area of scientific research, where it is not possible to fully identify the purposes for which the personal data will be processed at the time of collection.

Clause 3(3) of the Bill introduces new conditions for valid consent in this regard, namely that:

  • the consent does not fall within the definition in Article 4(11) of the UK GDPR because (and only because) it is given to the processing of personal data for the purposes of an area of scientific research;
  • at the time the consent is sought, it is not possible to fully identify the purposes for which personal data is to be processed;
  • seeking consent in relation to the area of scientific research is consistent with generally recognised ethical standards relevant to the area of research; and
  • so far as the intended purposes of the processing allow, the data subject is given the opportunity to consent only to processing for part of the research.

Other legal bases

Clause 5 of the Bill amends Article 6(1)(e) of the UK GDPR, the public task lawful ground, and inserts a new lawful ground in Article 6(1)(ea). Under the new ground, processing is lawful where it is necessary for a 'recognised legitimate interest'. The recognised legitimate interests are listed in a new Annex 1 to the UK GDPR (inserted by Schedule 1 of the Bill), as follows:

  • disclosure for the purposes of processing described in Article 6(1)(e) (i.e. disclosure to a person who needs the data for a public task);
  • national security, public security, and defence;
  • emergencies;
  • crime;
  • safeguarding vulnerable individuals; and
  • democratic engagement.

Notably, as with Article 6(1)(f) of the UK GDPR, the new ground is not available to public authorities where they are processing personal data in the performance of their tasks.

Additionally, Clause 5 of the Bill inserts into Article 6 of the UK GDPR an illustrative and non-exhaustive list of activities which may constitute a legitimate interest of the controller for the purposes of Article 6(1)(f), namely:

  • processing that is necessary for the purposes of direct marketing;
  • intra-group transmission of personal data (whether relating to clients, employees, or other individuals) where that is necessary for internal administrative purposes; and
  • processing that is necessary for the purposes of ensuring the security of network and information systems.

Purpose limitation

Clause 6 of the Bill sets out new conditions for determining whether the reuse of personal data (i.e. further processing) is permitted in compliance with the purpose limitation principle in Article 5(1)(b) of the UK GDPR. It does so by inserting a new Article 8A, under which controllers assess whether processing for a new purpose is compatible with the original purpose. Among other provisions, Article 8A(3) lists circumstances in which processing for a new purpose is to be treated as compatible with the original purpose, and Article 8A(2) lists factors controllers must take into account in making that determination, including:

  • any link between the original purpose and the new purpose;
  • the context in which the personal data was collected, including the relationship between the data subject and the controller;
  • the nature of the personal data, including whether it is special category data or personal data relating to criminal convictions and offences;
  • the possible consequences of the intended processing for data subjects; and
  • the existence of appropriate safeguards (for example, encryption or pseudonymisation).

Furthermore, the Bill establishes additional restrictions on the further processing of personal data that was originally collected on the basis of consent.

Data subject rights

Clause 7 of the Bill provides for a new Article 12A which clarifies circumstances where controllers can charge a reasonable fee for, or refuse to act on, requests which are considered 'vexatious or excessive'.

Access requests

Clause 8 of the Bill amends Article 12 of the UK GDPR to change the time limit for responding to requests from data subjects, substituting the existing one-month response period with the 'applicable time period', and sets out what the applicable time period is in different circumstances. Generally, however, requests from data subjects must still be responded to within one month of receipt.

Information provision obligations

Clause 9 of the Bill adds a new paragraph to the end of Article 13 of the UK GDPR, creating an exemption from Article 13(3) for processing for research, archiving, and statistical purposes where providing the required information to data subjects would involve a disproportionate effort and the processing complies with the safeguards for research in Article 84B of the new Chapter 8A of the UK GDPR, introduced by Clause 22 of the Bill. Clause 9 also inserts a non-exhaustive list of factors controllers must consider in determining what constitutes a disproportionate effort for the purposes of the new exemption.

With regard to the data subject's right to information under Articles 13 and 14 of the UK GDPR, Clause 10 of the Bill inserts a new section into the Data Protection Act which provides an exemption for information that is subject to legal professional privilege (which covers confidential communications between a professional legal adviser and their client), and allows competent authorities to give a 'neither confirm nor deny' response in certain circumstances.

Handling data subject complaints

The Bill introduces amendments to controllers' handling of complaints by data subjects, thereby requiring controllers to:

  • facilitate the making of complaints by taking appropriate steps, including making enquiries about the subject matter of the complaint to the extent appropriate, and informing the complainant about the progress of the complaint;
  • acknowledge receipt of the complaint within a period of 30 days, beginning on the day the complaint is received; and
  • take appropriate steps to respond to the complaint from the data subject and inform the complainant of the outcome of the complaint, without undue delay.

Notably, the Bill also gives the Secretary of State ('SoS') a power to make regulations requiring controllers to notify the Information Commissioner's Office ('ICO') of the number of complaints they have received in specified periods.

Automated decision-making

The Department has also noted that the Bill will allow organisations to use automated decision-making with more confidence, with safeguards in place for the individuals about whom those decisions are taken: data subjects will be made aware when such decisions are made, and can challenge them and seek human review where the decisions may be inaccurate or harmful.

In particular, Clause 11 of the Bill replaces Article 22 of the UK GDPR with new Articles 22A to 22D, so that automated decision-making is no longer restricted to the three circumstances in the current Article 22. Instead, the new provisions set out general conditions for carrying out automated decision-making, and permit such decision-making using special categories of personal data under Article 9(1) of the UK GDPR where certain conditions are met.

Additionally, Clause 11 of the Bill sets out the safeguards that organisations carrying out automated decision-making must have in place, whereby controllers must, among other things, ensure that measures protecting the data subject's rights, freedoms, and legitimate interests are in place.

Controller and processor obligations

With regard to controller and processor obligations under the UK GDPR and the Data Protection Act, listed below are notable amendments to such obligations introduced by the Bill.

UK-based representative

Clause 13 of the Bill removes Article 27 from the UK GDPR in its entirety. As such, controllers and processors who must comply with the UK GDPR pursuant to Article 3(2) of the UK GDPR will no longer be required to appoint a UK-based representative.

From DPO to 'senior responsible individual'

Clause 14 of the Bill replaces the requirements attached to the appointment of a data protection officer ('DPO') in Articles 37 to 39 of the UK GDPR and Sections 69 to 71 of the Data Protection Act, and introduces new requirements for controllers and processors to designate a 'senior responsible individual' to be responsible for data protection risks within their organisations or delegate that task to a suitably skilled individual.

In this regard, Clause 14 of the Bill sets out when a senior responsible individual must be appointed, namely where the controller or processor is a public body (except for courts or tribunals acting in their judicial capacity) or where it carries out processing that is likely to result in a high risk to individuals. The senior responsible individual must be part of the organisation's senior management, although the role may be carried out jointly by more than one such person on a job-share basis. Clause 14 of the Bill also introduces further conditions and requirements attached to the appointment, including that the contact details of the senior responsible individual be made publicly available and sent to the Information Commissioner.

From ROPAs to appropriate records

Clause 15 of the Bill removes Article 30 of the UK GDPR and Section 61 of the Data Protection Act on records of processing activities ('ROPAs') and replaces them with new requirements on record-keeping, namely the requirement to keep an 'appropriate record' about the personal data.

Central to the new provisions is an exemption from the duty to keep such records for controllers and processors that do not carry out high-risk processing activities. The new provisions set out the factors controllers and processors must consider when deciding what is an 'appropriate' record, including the nature, scope, and context of the processing, the risks the processing poses to individuals, and the resources available to the controller or processor, and note that records must, where possible, include information on how the controller or processor will ensure that the data is secure.

From DPIAs to AHRPs

Clause 17 of the Bill replaces Data Protection Impact Assessments ('DPIAs') under Article 35 of the UK GDPR with 'assessments of high-risk processing' ('AHRPs'), changing various requirements of the current Article 35. More specifically, a controller's AHRP will need to include a summary of the purposes of the processing, an assessment of whether the processing is necessary and of the risks it poses to individuals, and a description of how the controller intends to mitigate those risks.

Importantly, other changes include:

  • a duty on the ICO to produce and publish a document containing examples of types of processing which it considers likely to result in a high risk to the rights and freedoms of individuals; and
  • a provision that makes optional the previous requirement for controllers to consult the ICO prior to processing where an assessment under Article 35 of the UK GDPR indicates that the processing would result in a high risk.

International transfers

The Department also highlighted that the Bill ensures that businesses can continue to use their existing international data transfer mechanisms to share personal data overseas if they are already compliant with current UK data laws. As such, the Department remarked that this will ensure that British businesses do not need to pay more costs or complete new checks to show compliance with the updated rules.

In this regard, the Bill addresses international transfers in three distinct schedules:

  • Schedule 5 on personal data transfers to third countries generally;
  • Schedule 6 on personal data transfers to third countries by law enforcement bodies; and
  • Schedule 7 on consequential and transitional provisions.

With regard to Schedule 5, the Bill amends Chapter 5 of the UK GDPR and Chapter 5 of Part 3 of the Data Protection Act to reform the UK's regime for international transfers of personal data.

The amendments provide that a controller or processor may transfer personal data to a third country or an international organisation only if:

  • one of the following conditions is met:
    • the transfer is approved by regulations issued by the SoS that are in force at the time of the transfer;
    • the transfer is made subject to appropriate safeguards; or
    • the transfer is made in reliance on a derogation for specific situations; and
  • the transfer is carried out in compliance with the other provisions of the rest of the UK GDPR.

'SoS regulations' instead of adequacy decision

As noted in the bullet points above, the amendments confer the SoS the power to approve transfers of personal data, by way of regulations, to:

  • a third country; or
  • an international organisation.

Notably, the SoS may only make such regulations if the SoS considers that the 'data protection test', provided for under the new provisions, is met. The test is met if the standard of protection provided for data subjects with regard to general processing of personal data in the country, or by the organisation, is not materially lower than the standard of protection provided for data subjects by or under:

  • the UK GDPR;
  • Part 2 of the Data Protection Act; and
  • Parts 5 to 7 of the Data Protection Act, so far as relevant to general processing.

Moreover, the amendments set out a non-exhaustive list of matters the SoS must consider when making such an assessment, and impose further conditions on the making of such regulations.

Appropriate safeguards

A transfer of personal data to a third country or an international organisation by a controller or processor may be made subject to appropriate safeguards in the following circumstances:

  • in a case in which:
    • safeguards are provided in connection with the transfer as described in Article 46 of the UK GDPR as amended by the Bill or in regulations by the SoS for further safeguards that may be relied on for the purposes of Article 46; and
    • the controller or processor, acting reasonably and proportionately, considers that the data protection test (mentioned above) is met in relation to the transfer or that type of transfer; or
  • in a case in which:
    • safeguards are provided by an instrument that is intended to be relied on in connection with the transfer or that type of transfer; and
    • each public body that is a party to the instrument, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument.

RAS purposes - Safeguards for processing

Clause 22 of the Bill inserts a new chapter into the UK GDPR which consolidates the safeguards currently found in Article 89 of the UK GDPR and Section 19 of the Data Protection Act for processing for the purposes of archiving in the public interest, scientific or historical research, and statistics, the so-called 'RAS purposes'. The new articles set out the safeguards that must be in place when processing personal data for RAS purposes.

Digital verification services

Towards the aim of regulating digital verification services ('DVS'), Clauses 47 and 48 of the Bill require the SoS to:

  • prepare and publish a document setting out rules concerning the provision of digital verification services, named the 'DVS trust framework'; and
  • establish and maintain a publicly available DVS register of organisations providing DVS.

An organisation must be entered in the DVS register if it applies and holds a certificate, issued by an accredited conformity assessment body, confirming that it provides DVS in accordance with the DVS trust framework. Specifically, it must comply with the registration requirements under Clause 49 of the Bill and pay the relevant fee set under Clause 50 of the Bill. If an organisation has been removed from the register and applies to be re-registered during the period specified when it was removed, the SoS must refuse the application.

Regarding the removal of persons from the DVS register, the Bill notes that the SoS has the power to remove an organisation from the DVS register if the organisation is failing to comply with the DVS trust framework or has failed to provide information to the SoS where a notice has been issued. In addition, the SoS must remove an organisation from the DVS register when the organisation asks to be removed, stops providing DVS, or no longer holds a certificate from an accredited conformity assessment body.

Part 3 - Customer and business data

Clause 61 of the Bill defines the terms 'business data', 'customer data', and 'data holder', among others. Notably, under this Part, the SoS or the Treasury may, by regulations, require a data holder to provide customer data to the customer at the customer's request, or to an authorised person at that person's request.

Furthermore, the Bill provides that the SoS or the Treasury may, by regulations, enable or require a data holder:

  • to produce, collect or retain, or arrange for the production, collection, or retention of, customer data; and/or
  • to make changes to customer data, including to require rectification of inaccurate customer data, at the request of a customer or authorised person.

In this regard, the provisions enable regulations to provide for the production, collection, and retention of customer data so that data holders have specific data to hand in order to ensure that smart data schemes, i.e. the secure sharing of customer data, upon the customer's request, with authorised third-party providers, can operate consistently and effectively.

Likewise, Clause 64 of the Bill contains the principal regulation-making power in relation to business data, which is envisaged to be used in conjunction with the customer data regulations under Clause 62. In particular, it enables the SoS or the Treasury to make regulations requiring data holders to provide business data to the customer, or to third parties eligible to receive the data under the regulations. The regulations may, additionally or alternatively, require data holders to publish business data.

Part 4 - Privacy and electronic communications

This part outlines amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 ('the PEC Regulations').

The Department elaborated that the Bill gives organisations more clarity about when they can process personal data without needing consent, or without weighing their own interests against individuals' rights, for certain public interest activities. In Part 4, the Bill amends Regulation 6 of the PEC Regulations to introduce new exceptions to the consent requirement in Regulation 6(1) for the use of cookies and similar technologies for purposes considered to present a low risk to people's privacy. These exceptions are set out in new paragraphs of Regulation 6, and provide for:

  • an exception permitting the storage of information, or access to information, for the purpose of collecting statistical information about how an organisation's information society service ('ISS') is used, with a view to making improvements to that service;
  • an exception for the purpose of enabling the way an ISS appears or functions when displayed on a subscriber or user's device, to adapt to the preferences of that subscriber or user (for example, their font preferences);
  • an exception for the purpose of enabling the installation of software updates on a subscriber or user's device that are necessary for security reasons, subject to certain conditions; and
  • an exception where the sole purpose is to enable the geographical position of a subscriber or user to be ascertained so that assistance can be provided in response to emergency communication from the user or subscriber's terminal equipment.

Furthermore, the Bill builds flexibility into the cookie consent exceptions by giving the SoS the power to add new exceptions to the consent requirement and to vary existing ones. Additionally, Clause 83(1) of the Bill provides that the SoS may make exceptions from the direct marketing provisions in the PEC Regulations for communications carried out for the purposes of democratic engagement.

Moreover, Clause 82 of the Bill adds a new provision to Regulation 22 of the PEC Regulations so that non-commercial organisations will be treated the same as commercial organisations in respect of the so-called 'soft opt-in' rule, whereby commercial organisations can send electronic marketing communications to a person without consent if their contact details were collected during the sale of a product or service, or negotiations of a sale.

Notably, Clause 85 of the Bill inserts new Regulations 26A to 26C into the PEC Regulations. These place a duty on providers of public electronic communications services and networks to report suspicious activity relating to unlawful direct marketing to the ICO, set out the penalties for non-compliance, and require the ICO to publish guidance on what might constitute a reasonable suspicion.

Part 5 - Regulation and oversight

Notably, Clauses 100 and 101 of the Bill establish a body corporate, the Information Commission, to replace the existing regulator, the ICO, which is currently structured as a corporation sole. Nonetheless, the Explanatory Notes clarify that the nature of the regulator's role and responsibilities remains fundamentally unchanged.

Conclusion

Overall, the Bill introduces comprehensive changes, both by amending existing data protection laws and by legislating new areas of the data and digital information landscape, such as digital verification services and smart data schemes. The changes illustrate a move towards facilitating research and business and lessening the compliance burden of UK data laws on organisations. It remains to be seen whether the Bill in its current form reflects the UK's eventual data protection direction, and what impact it will have on the UK's adequacy status under the EU GDPR.

For further information on the origins of the Bill and its provisions, see our previous Insight articles on Bill No. 1 and the previous steps on the path towards reforming the UK data protection regime.

Alice Muasher, Senior Privacy Analyst
Bahar Toto, Privacy Analyst


1. Available at: https://publications.parliament.uk/pa/bills/cbill/58-03/0265/220265.pdf
2. Available at: https://publications.parliament.uk/pa/bills/cbill/58-03/0143/220143.pdf
3. Available at: https://publications.parliament.uk/pa/bills/cbill/58-03/0265/en/220265en.pdf
