UK Government introduces Data Protection and Digital Information Bill

Following Brexit, the United Kingdom (UK) plans to reform the UK data protection regime. As a result, on 18 July 2022 the UK Government introduced its proposal of the Data Protection and Digital Information Bill (Bill) to the UK parliament. The Bill aims to guarantee a responsible use of data while still fostering innovation and competition. We will introduce the most important elements of the Bill, and assess what the proposed changes could mean for the UK adequacy decision of the European Commission.

Background of the Data Protection and Digital Information Bill

The current UK data protection regime is governed by the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) – which is equivalent to the EU General Data Protection Regulation (GDPR).

In 2021, the UK Government held a major consultation on the reform of the UK data protection regime. Following that, on 10 May 2022, the introduction of a Data Reform Bill was officially announced in the Queen’s speech. On 17 June 2022, the UK Government’s department for Digital, Culture, Media and Sport (DCMS) published its response to the consultations on the reforms, indicating which proposals are likely to be part of the Bill.

Finally, on 18 July 2022, as a result of the consultation process, the Data Protection and Digital Information Bill was introduced to the UK parliament. The Bill now needs to be approved by the parliament. It is expected that some significant changes will take place during this process.

Purpose and intended benefits of the Bill

According to the Queens speech’s briefing notes, the reforms are intended to, “create a trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.”

The proposed changes are mainly focused on business interests, aiming to reduce businesses compliance burdens. By reducing the burdens businesses face, their competitiveness and efficiency should be enhanced.

In addition, rules around research should be simplified to foster innovation and scientific progress and to maintain/ensure the UK’s leading position in research. For this purpose, the (re)use of data for research purposes should also be facilitated.

Finally, the Bill is intended to reform the Information Commissioner’s Office (ICO), equipping it with the capabilities to ensure more effective enforcement.

Key proposals of the Bill

The Bill is divided into six chapters: data protection, digital verification services, customer and business data, other provisions about digital information, regulation and oversight and final provisions. In the following, we introduce the most relevant changes for businesses to the existing UK data protection regime:

An important change is the proposed amended definition of personal data. Under the Data Protection Act 2018 personal data is defined as, “any information relating to an identified or identifiable living individual”. The Bill proposes to limit the notion of “identifiable living individuals”, in that an individual is considered identifiable only if:

  • the individual is identifiable by the controller or processor by reasonable means at the time of the processing; or
  • where the controller or processor ought to know that a third party will, or likely will, obtain the information as a result of the processing and the individual will likely be identifiable by that third party by reasonable means at the time of the processing.

This proposed definition limits the data that is subject to data protection law, namely to data which allows the identification of individuals directly by a controller or processor at the time of processing, and to data which would allow a third party, that is likely to receive the data, to identify an individual at the time of processing by reasonable means.

This proposed change to the definition is remarkable as it limits the scope of data protection law in the UK compared to the scope of data protection law in the European Union (EU) and European Economic Area (EEA). The General Data Protection Regulation´s (GDPR) definition of “personal data” contains no limitations linked to the time of the processing, who may identify the individual, or dependencies on the knowledge of the controller or processor. Should the UK´s reform go through and the definition of personal data be limited in the UK this may mean in practice that data, which is protected in the EU and EEA, may not enjoy such protections in the UK.

Another key element of the proposal is the revision of existing accountability requirements. First, Data Protection Impact Assessments (DPIAs) are to be replaced by “Assessments of High Risk Processing”. Hereby, the obligation on controllers to consult the ICO on certain high risk DPIAs is removed. Instead, controllers will merely have the possibility to do so.

Second, the obligation to appoint a data protection officer (DPO) is replaced by a requirement to designate a “senior responsible individual”. This is not only a possible change in terminology, but also a possible change in position and dependency, and thus accountability. A DPO must be independent and free to advise management directly. This may not be the case for “senior responsible individuals”.

Finally, the requirements for record keeping are amended, records of processing activities (Art. 30 UK GDPR) will become “records of processing personal data”. Businesses will thus still have to keep records of their processing activities, but these will have to be less detailed. Moreover, companies with less than 250 employees are exempted from the obligation, unless the processing is high risk.

The Bill also removes the obligation to appoint a representative according to Art. 27 UK GDPR for businesses that are offering services from third countries to the UK. This would also reduce the burdens on companies in third countries providing goods or services to, or monitoring, individuals in the UK.

According to the UK GDPR, one of the grounds for processing personal data is legitimate interest. Businesses have to carry out a legitimate interest assessment (LIA), in which the business´s legitimate interests are weighed against the impact of the processing upon the data subject’s rights and interests, before any personal data may be processed. If this assessment indicates that the rights and interests of the data subjects prevail, the processing cannot be based on legitimate interest.

The proposed Bill intends to remove the need for a LIA to process personal data on the basis of legitimate interest for certain cases. For this purpose, the Bill provides a list of recognised legitimate interests.

The Bill also intends to amend the Privacy and Electronic Communications Regulation (PECR) and proposes that more types of cookies, and similar technologies, may be used without the express consent of the data subject.

Under current data protection law, cookies can only be used without the data subjects’ consent, if they are strictly necessary for the purposes of providing a website or online service, the legal basis for processing then being legitimate interest.

The Bill proposes to broaden the cases in which cookies can be used without the users consent (opt-in), e.g. where cookies are used for purposes of web analytics, functionality enhancements or to install automatic software updates. However, the user still needs to be able to opt-out in all of these cases. The Bill hereby expands the cases in which processing can be done on the basis of legitimate interest.

Important note: Cookies used for web analytics should only be permissible without consent, if the information is not shared with third parties except to enable the third party to assist with improvements to the website or service.

Furthermore, a change of the criteria for the refusal and the charging of fees for data subject requests is proposed. The criterion “manifestly unfounded and excessive” stipulated in the UK GDPR is to be replaced by the criterion “vexatious and excessive” and thus expanded. The Bill also contains a non-exhaustive list of criteria to make it easier for companies to determine whether a request is “vexatious and excessive”.

The charging of fees is also provided for in the GDPR, but the Bill expands the situations where a fee may be charged.

The current UK GDPR only provides for provisions regarding complaints to the ICO, but not for complaints directly addressed to the controller.

The Bill proposes to require the controller to confirm receipt of complaints within 30 days. A substantial response shall be provided “without undue delay”. If a data subject has not made use of this right, the ICO (resp. the proposed Information Commission) should be allowed decline the complaint. This limits data subject rights compared to those afforded under the GDPR, requiring data subjects to exhausted alternative remedies before seeking support from the supervisory authority.

Art. 22 UK GDPR currently provides for the right not to be subject to solely automated decision making that has legal or similarly significant effects for the data subject. The Bill proposes to replace this right, with a provision that ensures that controllers provide the following safeguards, if “significant” decisions are taken by solely automated means:

  • providing information about these decisions taken in relation to the data subject to the data subject,
  • enabling the data subject to make representations with regard to these decisions,
  • enabling the data subject to request human intervention by the controller with regard to such decisions,
  • enabling the data subject to contest such decisions.

The proposed amendments have been subject to discussions as they could threaten the adequacy status of the UK. Decisions made by automated means always entail the risk of discriminatory outcomes. Whether the adequacy status could be affected by this amendment depends in particular on how “significant decisions” will be defined.

Another delicate change the Bill proposes concerns international data transfers. Significantly deviating from its EU counterpart, the Bill proposes to introduce a risk-based approach for international data transfers. The current adequacy test is to be replaced by a so-called “data protection test”. When carrying out this test, it is determined whether the data protection standard provided in the data receiver’s country is “not materially lower” than the standard in the UK. The test is intended to enable greater flexibility in assessing the protection level in a third country.

Moreover, a reform of the ICO is proposed. The Information Commissioner will be replaced by an Information Commission with some additional powers. As mentioned above, it is proposed that the Information Commission may reject certain complaints by data subjects, if the complaint has not been made to the controller first.

The commission would be less independent than the current ICO, the government being able to set more requirements to create a more uniform approach. The proposed change in independence of the ICO is a significant deviation from the GDPR´s requirements for supervisory authorities.

Consequences for the UK adequacy decision?

The proposed reforms do not repeal the current UK data protection regime. Instead, the proposals mainly modify the obligations that organisations already have under the existing data protection regime, in order to reduce compliance burdens for businesses.

However, the Bill still does propose some significant changes, especially with regard to international data transfer and automated decision-making. The more the UK data protection regime diverges from its EU counterpart, the higher the risk that the EU might conclude that the UK does not have an adequate data protection regime for personal data. This could lead to a revocation of the UK´s adequacy decision.

British Minister for Media, Data and Digital Infrastructure Matt Warman commented on this controversy: “The EU does not require countries to have the same rules to grant adequacy […] so it is our belief that these reforms are compatible with maintaining a free flow of personal data from the European Economic Area.”

It can be expected that there will be substantial changes to the proposal in the upcoming legislative process. Until the final text is completed, no reliable statement can be made as to whether the UK´s adequacy decision is in jeopardy. It will be interesting to see, if the described risks will be taken into consideration.