Following Brexit, the United Kingdom (UK) plans to reform its data protection regime. On 18 July 2022 the UK Government introduced the Data Protection and Digital Information Bill (the Bill) to the UK Parliament. The Bill aims to guarantee responsible use of data while still fostering innovation and competition. We introduce the most important elements of the Bill and assess what the proposed changes could mean for the European Commission's adequacy decision for the UK.
Background of the Data Protection and Digital Information Bill
The current UK data protection regime is governed by the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) – which is equivalent to the EU General Data Protection Regulation (GDPR).
In 2021, the UK Government held a major consultation on the reform of the UK data protection regime. Following that, on 10 May 2022, the introduction of a Data Reform Bill was officially announced in the Queen's Speech. On 17 June 2022, the UK Government's Department for Digital, Culture, Media and Sport (DCMS) published its response to the consultation, indicating which proposals were likely to be part of the Bill.
Finally, on 18 July 2022, as a result of the consultation process, the Data Protection and Digital Information Bill was introduced to Parliament. The Bill now needs to pass through Parliament, and significant changes to the text can be expected during that process.
Purpose and intended benefits of the Bill
According to the briefing notes to the Queen's Speech, the reforms are intended to "create a trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK."
The proposed changes are mainly focused on business interests, aiming to reduce businesses' compliance burdens and thereby enhance their competitiveness and efficiency.
In addition, the rules around research are to be simplified to foster innovation and scientific progress and to maintain the UK's leading position in research. To this end, the (re)use of data for research purposes is also to be facilitated.
Finally, the Bill is intended to reform the Information Commissioner’s Office (ICO), equipping it with the capabilities to ensure more effective enforcement.
Key proposals of the Bill
The Bill is divided into six parts: data protection, digital verification services, customer and business data, other provisions about digital information, regulation and oversight, and final provisions. Below, we introduce the changes to the existing UK data protection regime that are most relevant for businesses:
Definition of personal data
An important change is the proposed amended definition of personal data. Under the Data Protection Act 2018 personal data is defined as, “any information relating to an identified or identifiable living individual”. The Bill proposes to limit the notion of “identifiable living individuals”, in that an individual is considered identifiable only if:
- the individual is identifiable by the controller or processor by reasonable means at the time of the processing; or
- where the controller or processor ought to know that a third party will, or likely will, obtain the information as a result of the processing and the individual will likely be identifiable by that third party by reasonable means at the time of the processing.
This proposed definition narrows the data that is subject to data protection law to (i) data which allows a controller or processor to identify an individual by reasonable means at the time of processing, and (ii) data which would allow a third party that is likely to receive the data to identify an individual by reasonable means at the time of processing.
This change is remarkable because it limits the scope of data protection law in the UK compared to the scope in the European Union (EU) and European Economic Area (EEA). The GDPR's definition of "personal data" contains no limitation linked to the time of the processing, to who may identify the individual, or to the knowledge of the controller or processor. Should the UK's reform go through with this narrower definition, data that is protected in the EU and EEA may not enjoy the same protection in the UK.
Accountability
Another key element of the proposal is the revision of the existing accountability requirements. First, Data Protection Impact Assessments (DPIAs) are to be replaced by "assessments of high risk processing". The obligation on controllers to consult the ICO before carrying out certain high-risk processing is removed; consultation becomes voluntary.
Second, the obligation to appoint a data protection officer (DPO) is replaced by a requirement to designate a "senior responsible individual". This is not merely a change in terminology: it may also change the position and independence of the role, and thus accountability. A DPO must be independent and free to advise management directly, which may not be the case for a "senior responsible individual".
Finally, the record-keeping requirements are amended: records of processing activities (Art. 30 UK GDPR) become "records of processing of personal data". Businesses will still have to keep records of their processing activities, but in less detail. Moreover, companies with fewer than 250 employees are exempted from the obligation unless the processing is high risk.
Obligation to appoint a UK representative
The Bill also removes the obligation under Art. 27 UK GDPR for businesses established outside the UK to appoint a UK representative. This would reduce the burden on companies in third countries that offer goods or services to, or monitor the behaviour of, individuals in the UK.
Legitimate interests
Under the UK GDPR, one of the lawful bases for processing personal data is legitimate interests. Before processing on this basis, a business has to carry out a legitimate interests assessment (LIA), in which its legitimate interests are weighed against the impact of the processing on the data subject's rights and interests. If the assessment indicates that the rights and interests of the data subjects prevail, the processing cannot be based on legitimate interests.
The Bill intends to remove the need for an LIA in certain cases. For this purpose, it provides a list of "recognised legitimate interests" for which processing may proceed without the balancing exercise.
Cookie consent
The Bill also intends to amend the Privacy and Electronic Communications Regulations (PECR) and proposes that more types of cookies and similar technologies may be used without the express consent of the user.
Under current law, cookies can only be set without the user's consent if they are strictly necessary to provide a website or online service the user has requested; any associated processing of personal data must still have a lawful basis under the UK GDPR, which in practice is legitimate interests.
The Bill proposes to broaden the cases in which cookies can be used without opt-in consent, e.g. where cookies are used for web analytics, for enhancing functionality, or to install automatic software updates. In all of these cases the user must still be able to opt out. The Bill thereby expands the cases in which such processing can be carried out on the basis of legitimate interests.
Important note: cookies used for web analytics should only be permissible without consent if the information is not shared with third parties, except to enable a third party to assist with improvements to the website or service.
Data subject access requests
Furthermore, a change to the criteria for refusing data subject requests and for charging a fee is proposed. The criterion "manifestly unfounded or excessive" in the UK GDPR is to be replaced by "vexatious or excessive", which is a broader ground for refusal. The Bill also contains a non-exhaustive list of factors to help companies determine whether a request is "vexatious or excessive".
The charging of fees is already provided for in the UK GDPR, but the Bill expands the situations in which a fee may be charged.
Complaints by data subjects
The current UK GDPR contains provisions on complaints to the ICO, but none on complaints addressed directly to the controller.
The Bill proposes to require the controller to acknowledge receipt of a complaint within 30 days and to respond substantively "without undue delay". If a data subject has not first complained to the controller, the ICO (or the proposed Information Commission) may decline the complaint. This limits data subject rights compared to those afforded under the GDPR, as data subjects would have to exhaust the complaint route to the controller before seeking support from the supervisory authority.
Decision-making by solely automated means
Art. 22 UK GDPR currently provides for the right not to be subject to solely automated decision-making that has legal or similarly significant effects for the data subject. The Bill proposes to replace this right with a provision requiring controllers to provide the following safeguards where "significant" decisions are taken by solely automated means:
- providing information about these decisions taken in relation to the data subject to the data subject,
- enabling the data subject to make representations with regard to these decisions,
- enabling the data subject to request human intervention by the controller with regard to such decisions,
- enabling the data subject to contest such decisions.
The proposed amendments have been the subject of debate because they could threaten the UK's adequacy status. Decisions made by automated means carry a risk of discriminatory outcomes. Whether adequacy could be affected by this amendment depends in particular on how "significant decisions" will be defined.
International data transfers
Another delicate change proposed by the Bill concerns international data transfers. Deviating significantly from its EU counterpart, the Bill introduces a risk-based approach. The current adequacy test is to be replaced by a so-called "data protection test", which asks whether the standard of data protection in the recipient's country is "not materially lower" than the standard in the UK. The test is intended to allow greater flexibility in assessing the level of protection in a third country.
Reform of the ICO
Moreover, a reform of the ICO is proposed. The Information Commissioner is to be replaced by an Information Commission with some additional powers. As mentioned above, the Information Commission would be able to reject certain complaints by data subjects if the complaint has not first been made to the controller.
The Commission would be less independent than the current ICO, as the Government would be able to set further requirements for it in order to create a more uniform approach. This reduction in the independence of the supervisory authority is a significant deviation from the GDPR's requirements for supervisory authorities.
Consequences for the UK adequacy decision?
The proposed reforms do not repeal the current UK data protection regime. Instead, they mainly modify the obligations that organisations already have under the existing regime, in order to reduce compliance burdens for businesses.
However, the Bill still proposes some significant changes, especially with regard to international data transfers, automated decision-making and the independence of the supervisory authority. The more the UK regime diverges from its EU counterpart, the higher the risk that the European Commission concludes that the UK no longer provides an adequate level of protection for personal data. This could lead to the revocation of the UK's adequacy decision.
British Minister for Media, Data and Digital Infrastructure Matt Warman commented on this controversy: “The EU does not require countries to have the same rules to grant adequacy […] so it is our belief that these reforms are compatible with maintaining a free flow of personal data from the European Economic Area.”
Substantial changes to the proposal can be expected in the upcoming legislative process. Until the final text is settled, no reliable statement can be made as to whether the UK's adequacy decision is in jeopardy. It remains to be seen whether the risks described above will be taken into account.