UK: Overview of the Data Protection and Digital Information Bill
The introduction of the Data Protection and Digital Information Bill ('Bill 143')[1] to the House of Commons on 18 July 2022 marks an important step towards achieving the planned reform of the UK's post-Brexit data protection framework, with many significant proposed changes for organisations to be aware of. In this Insight, OneTrust DataGuidance Research discusses Bill 143 and provides a snapshot of some of the key provisions to take into account.
In the accompanying Explanatory Notes to Bill 143[2], it is recalled that this legislative review is a direct result of the UK's departure from the EU. More than this, it is outlined that this proposed legislation is intended to 'update and simplify' UK data protection law, reducing burdens for organisations while maintaining high standards. Furthermore, it elaborates upon the Government's view that the current regime amounts to a 'box-ticking' exercise for organisations, thus discouraging a more proactive and systematic approach. Legislation subject to reform in Bill 143 includes not only the UK General Data Protection Regulation ('UK GDPR') and its complementary Data Protection Act 2018, but also the Privacy and Electronic Communications (EC Directive) Regulations 2003 ('PECR'), which provide privacy rights in relation to electronic communications.
For further information on the origins of the bill and its provisions, see our previous Insight articles analysing the previous steps on the path to reform of the UK data protection regime.
Notably, Bill 143 aims to amend the definition of an 'identifiable living individual', to whom information must relate in order to be considered personal data under Section 3 of the Data Protection Act 2018. Specifically, Bill 143 states that information being processed will count as information relating to an identifiable living individual where:
- the living individual is identifiable by the controller or processor by reasonable means at the time of processing; or
- the controller or processor knows, or ought reasonably to know, that:
  - another person will, or is likely to, obtain the information as a result of the processing; and
  - the living individual will be, or is likely to be, identifiable by that person by reasonable means at the time of processing.
As such, the assessment of identifiability will turn on the controller/processor or other persons who may receive the information, as opposed to anybody else. Moreover, Bill 143 aims to expand on when an identifiable living individual may be either directly or indirectly identifiable, stating that this will depend on whether additional information is, or is not, necessary for identification, respectively.
Furthermore, Bill 143 amends the definition of research and statistical purposes, for example by adding that processing for scientific research will mean 'any research that can reasonably be described as scientific', which includes 'processing for the purposes of technological development or demonstration, fundamental research or applied research'. Consent for the purposes of scientific research is also amended, for instance by adding that consent in relation to the area of scientific research must be consistent with generally recognised ethical standards which are relevant to the area of research. Per Bill 143, consent may also be given to scientific research where it is not possible to fully identify the purposes for which the personal data is to be processed.
International data transfers
Bill 143 makes some drastic changes to the UK's approach to data transfers. Clause 21 of Bill 143 inserts Schedules 5 (on general processing regarding transfers of personal data to third countries), 6 (on law enforcement processing regarding transfers of personal data to third countries) and 7 (on consequential and transitional provisions), which amend Chapter 5 of the UK GDPR and Chapter 5 of Part 3 of the 2018 Act.
Furthermore, Bill 143 moves away from the 'adequacy test' to a new 'data protection test', whereby third countries are no longer required to have an 'essentially equivalent' level of data protection but rather merely one that is 'not materially lower'. Factors which will be considered in a data protection test include the following:
- respect for rule of law and human rights in the country or international organisation;
- existence of a competent enforcement authority;
- arrangements for redress for data subjects, whether judicial or non-judicial;
- rules about the transfer of personal data from the country or organisation to others;
- any relevant international obligations to which the country or international organisation is subject, specifically noting the Council of Europe's Convention 108; and
- the constitution, traditions, and culture of the country or organisation.
Moreover, Bill 143 provides that the Secretary of State may issue regulations that specify standard data protection clauses which they consider are capable of securing that the data protection test is met, in relation to transfers of data generally or in relation to a type of transfer specified in the regulations.
As a side note, the Information Commissioner's Office ('ICO') updated, on 25 July 2022, its Guide to Binding Corporate Rules, providing the procedure for the approval of UK BCRs where applicable and a revised and simplified approach whereby it only requests supporting documents once during the UK approval process[3].
Bill 143 proposes to move away from the 'legitimate interests assessment' approach which is required in order to rely on Article 6 of the UK GDPR, to a preordained list of 'recognised legitimate interests', which currently include:
- democratic engagement;
- national security;
- public security and defence;
- processing necessary to the public interest;
- safeguarding vulnerable individuals;
- detecting, apprehending, or investigating crime; and
Data subject rights
Clauses 7 to 10 of Bill 143 pertain to amendments affecting data subject rights. Information provision obligations are being clarified, though not materially changed, to make clear that the disproportionate effort or impossibility exemption under Article 14(5)(b) of the UK GDPR applies to all processing where the data was not collected directly from the data subject.
Bill 143 includes some far-reaching changes to the current approach to data subject access requests ('DSARs'), whereby controllers will no longer be required to respond to all DSARs which are not 'manifestly unfounded or excessive'. Rather, controllers will be entitled to refuse to respond to DSARs which are 'vexatious or excessive'. 'Vexatious' requests are described in Bill 143 as those which are:
- intended to cause distress;
- not made in good faith; or
- an abuse of process.
Moreover, factors to be considered in determining whether a request is vexatious/excessive more generally are clarified as including the nature of the request, the relation between the data subject and controller, and the resources available to the controller.
From DPIAs to AHRPs
Regarding Data Protection Impact Assessments ('DPIAs'), these are to be replaced by an assessment of high-risk processing ('AHRP'). Notably, Bill 143 does away with the scenarios where a DPIA/AHRP is required (per Article 35(3) of the UK GDPR), as well as the requirement to seek the advice of a data protection officer ('DPO') when carrying out a DPIA/AHRP.
From ROPAs to appropriate records
Clause 15 proposes to remove and replace Article 30 of the UK GDPR and Section 61 of the 2018 Act. In practice, this signifies that controllers or processors alike would no longer be required to keep records of processing activities ('ROPAs'). Under Article 30A of the UK GDPR, controllers must maintain 'appropriate records of processing personal data' carried out by or on their behalf. Such records must include at least:
- where the personal data is;
- purposes for processing;
- who the controller shared, or intends to share, it with;
- how long the controller intends to retain it;
- whether and if so which special categories of personal data are included; and
- whether the personal data include that which relates to criminal convictions and offences or related security measures.
Likewise, processor records must include at least the name and contact details of the controller and where the personal data is located. Both controller and processor records must include information about how the organisation ensures the personal data is secure, with the caveat that this applies only 'where possible'.
Digital verification services
Verification services are defined in Bill 143 as services provided at the request of an individual, consisting of:
- ascertaining or verifying a fact about the individual from information provided otherwise than by the individual; and
- confirming to another person that the fact about the individual has been ascertained or verified from information so provided.
Digital verification services ('DVS'), per Bill 143, are therefore the above services provided to any extent by means of the internet.
Moreover, the Secretary of State would be required to publish a DVS trust framework, i.e. a document setting out the rules concerning the provision of a DVS. The Secretary of State would also have to set up a register of DVS providers and would be empowered to issue DVS 'trust marks', which may be used in the course of providing DVS.
Bill 143 aims to introduce some important changes to the regulation of automated decision-making. For example, it defines a decision based solely on automated processing as one which involves no human intervention. Further, data subjects will only have a right to obtain human intervention with regards to 'significant' decisions in this vein, as opposed to decisions that produce legal effects concerning them or which similarly significantly affect them.
Cookies and tracking technologies
Bill 143 also includes some noteworthy changes for the regulation of cookies and tracking technologies. Significantly, Bill 143 proposes to extend the types of cookies which do not require a user's consent to be placed on their device, to include not only 'strictly necessary cookies' but also cookies that are used to gather statistical information and improve services.
Additionally, Bill 143 empowers the Secretary of State to formulate regulations that will enable information technology to automatically consent or object to the placement of cookies. The aim of this is to reduce the burden of individually accepting/rejecting cookies across multiple websites.
Notably, Bill 143 creates a definition of direct marketing, as 'communication (by whatever means) of advertising or marketing material which is directed to particular individuals'. This definition is inserted into the PECR.
Furthermore, Bill 143 proposes that fines under the PECR for nuisance calls/texts are increased, from a maximum of £500,000 to the maximum penalties under the UK GDPR (e.g. up to 4% of global turnover or £17.5 million, whichever is greater).
From DPOs to senior responsible individuals
Instead of a DPO, Bill 143 stipulates that organisations should appoint a 'senior responsible individual' who is 'part of the organisation's senior management'. Such an individual would be responsible for data protection matters within an organisation, with the mandatory tasks being expanded in some areas to include dealing with data breaches as well as complaints related to data processing.
Clause 13 of Bill 143 seeks to remove Article 27 of the UK GDPR, which requires controllers and processors to appoint a UK-based representative.
Business data/open data
Bill 143 aims to facilitate the use of 'smart data schemes', which would enable data sharing amongst businesses. These schemes would allow for the secure sharing of data, at the customer's request, with authorised third parties.
Changes to the ICO
Finally, Bill 143 proposes some significant changes to the ICO, including changing its name to the Information Commission and recreating it as a body corporate. Changes are also proposed in practical areas such as the regulator's governance structure, duties, and enforcement powers. For example, it establishes a principal objective for the Information Commission, which is:
- to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers, and others and matters of general public interest; and
- to promote public trust and confidence in the processing of personal data.
Notably, Bill 143 adds that, in carrying out its functions, the Information Commission should have regard to matters such as promoting competition and innovation. This aligns with the conclusions of the National Data Strategy that was launched by the UK government at the end of 2020, which highlights the role that personal data plays in driving business innovation. Moreover, the Information Commission is tasked with creating a strategy for carrying out its duties under data protection legislation, as well as codes of practice as required.
The UK's Information Commissioner, John Edwards, acknowledged that Bill 143 had been laid in Parliament as part of his opening speech to the Data Protection Professional Conference 2022[4], stating that the reforms and the bill 'strike a good balance in making improvements'. Simultaneously, Edwards released the ICO's strategic plan for the next three years, ICO25, which outlines how it plans to achieve its goals in this crucial period for data protection in the UK[5].
In summary, many of the above changes appear to be in line with the view expressed in the Explanatory Notes that Bill 143 aims at reducing burdens for organisations (e.g. changes to DPO appointment and placement of cookies). Following a positive DPIA from the Department of Media, Culture and Sport[6], Members of Parliament will next consider Bill 143 at Second Reading on Monday 5 September 2022.
Troy Boatman, Editor
1. Available at: https://publications.parliament.uk/pa/bills/cbill/58-03/0143/220143.pdf
2. Available at: https://publications.parliament.uk/pa/bills/cbill/58-03/0143/en/220143en.pdf
6. Available at: https://publications.parliament.uk/pa/bills/cbill/58-03/0143/Data%20Protection%20and%20Digital%20Information%20Bill%20Impact%20Assessment%20-%20Final%20submission.pdf