The Data Protection and Digital Information Bill

A key element of the proposal is the revision of existing accountability requirements. First, Data Protection Impact Assessments (DPIAs) are to be replaced by “Assessments of High Risk Processing”. Hereby, the obligation on controllers to consult the Information Commissioner’s Office (ICO) on certain high risk DPIAs is removed. Instead, controllers will merely have the possibility to do so.

Second, the obligation to appoint a Data Protection Officer (DPO) is replaced by a requirement to designate a Senior Responsible Individual (SRI). This is not only a possible change in terminology, but also a possible change in position and dependency, and thus accountability. A DPO must be independent and free to advise management directly. This may not be the case for Senior Responsible Individuals.

Finally, the requirements for record keeping are amended, records of processing activities (ROPA, Art. 30 UK GDPR) will become “records of processing of personal data” and will only be required of controllers and processors that carry out processing of personal data which, “taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals”. The records themselves, where required, are substantially similar to what is required currently. This means less companies will be obliged to keep UK records of processing activities.

The Data Protection and Digital Information Bill also removes the obligation to appoint a representative according to Art. 27 UK GDPR for businesses that are offering services from third countries to the UK. This would also reduce the burdens on companies in third countries providing goods or services to, or monitoring, individuals in the UK.

According to the UK GDPR, one of the grounds for processing personal data is legitimate interest. Businesses have to carry out a legitimate interest assessment (LIA), in which the business´s legitimate interests are weighed against the impact of the processing upon the data subject’s rights and interests, before any personal data may be processed. If this assessment indicates that the rights and interests of the data subjects prevail, the processing cannot be based on legitimate interest.

The proposed Bill intends to remove the need for a LIA to process personal data on the basis of legitimate interest for certain cases. For this purpose, the Bill provides a list of recognised legitimate interests. This creates certainty to UK businesses as to when they may rely on a legitimate interest.

The bill also provides a list of purposes for which processing may be treated as compatible with the original purpose for which the personal data may have first been collected. Companies collecting personal data for one purpose may thus rely on this list to process the same personal data for a purposes deemed compatible.

The Bill also intends to amend the Privacy and Electronic Communications Regulation (PECR) and proposes that more types of cookies, and similar technologies, may be used without the express consent of the data subject. Cookies will still require notice to be given, so that cookie banners are not entirely done away with, but the Bill provides legal certainty regarding which cookies do not require consent and expands the purposes for which cookies may be set without consent. Website and app operators can under the Bill use cookies without consent for the purposes of analytics, user experience, software updates or the provision of emergency assistance.

The Bill also empowers the Secretary of State to make regulations regarding information technology to enable consent to be given, or an objection to be made, automatically for all websites by users. Essentially, a universal consent and opt-out mechanism is meant to be created which can be installed on a laptop, phone or browser and will signal a user’s cookie preferences across websites automatically.

Most importantly, the fines for violations of the PECR rules regarding direct marketing will significantly higher.

Furthermore, a change of the criteria for the refusal and the charging of fees for data subject requests is proposed. The criterion “manifestly unfounded and excessive” stipulated in the UK GDPR is to be replaced by the criterion “vexatious and excessive” and thus expanded. The Bill also contains a non-exhaustive list of criteria to make it easier for companies to determine whether a request is “vexatious and excessive”.

The charging of fees is also provided for in the UK GDPR, but the Bill expands the situations where a fee may be charged.

The current UK GDPR only provides for provisions regarding complaints to the ICO, but not for complaints directly addressed to the controller.

The Data Protection and Digital Information Bill proposes to require the controller to receive electronically submitted complaints and to confirm receipt of complaints within 30 days. Essentially companies will have to set up an online complaint form on their website.  A substantial response shall be provided “without undue delay”. If a data subject has not made use of this right, the ICO (resp. the proposed Information Commission) should be allowed decline the complaint. This limits data subject rights compared to those afforded under the GDPR, requiring data subjects to exhausted alternative remedies before seeking support from the supervisory authority.

Art. 22 UK GDPR currently provides for the right not to be subject to solely automated decision making that has legal or similarly significant effects for the data subject. The Bill proposes to replace this right, with a provision that ensures that controllers provide the following safeguards, if “significant” decisions are taken by solely automated means:

• providing information about these decisions taken in relation to the data subject to the data subject,
• enabling the data subject to make representations with regard to these decisions,
• enabling the data subject to request human intervention by the controller with regard to such decisions,
• enabling the data subject to contest such decisions.

The proposed amendments have been subject to discussions as they could threaten the adequacy status of the UK. Decisions made by automated means always entail the risk of discriminatory outcomes. Whether the adequacy status could be affected by this amendment depends in particular on how “significant decisions” will be defined.

Another delicate change the Bill proposes concerns international data transfers. Significantly deviating from its EU counterpart, the Bill proposes to introduce a risk-based approach for international data transfers. The current adequacy test is to be replaced by a so-called “data protection test”. When carrying out this test, it is determined whether the data protection standard provided in the data receiver’s country is “not materially lower” than the standard in the UK. The test is intended to enable greater flexibility in assessing the protection level in a third country.

The UK has and will continue to deviate from the EU Commission regarding granted adequacy decision, so that the list of adequate third countries will differ from the UK to the EU.

Moreover, a reform of the ICO is proposed. The Information Commissioner will be replaced by an Information Commission with some additional powers. As mentioned above, it is proposed that the Information Commission may reject certain complaints by data subjects, if the complaint has not been made to the controller first.