Following Brexit, the United Kingdom (UK) will reform its data protection regime to ease the compliance burden on businesses in the UK and take advantage of the opportunities offered by Brexit. As a result, in July 2022 the UK began its reform, with the (nearly) final product being the Data Protection and Digital Information Bill, which is currently on its way to the House of Lords and is set to receive Royal Assent sometime in 2024 (see the UK Parliament website).
The reform aims to guarantee responsible use of data while still fostering innovation and competition. We will introduce the most important elements of the Bill and assess what the proposed changes could mean for the European Commission's UK adequacy decision and for the UK's data protection regime in general.
Attention: The Data Protection and Digital Information Bill does not repeal the existing UK data protection legislation, namely the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), but amends and supplements them, so that the Bill, the UK GDPR and the DPA 2018 must be read together to get a full picture.
Likely impact of the Bill
The Data Protection and Digital Information Bill aims to ease the compliance burden for UK businesses and does so through some of the key reforms mentioned below.
- It will likely have limited impact on those UK businesses acting as data processors for EU-based companies, as they will continue to be subject to the stricter requirements of the EU General Data Protection Regulation (GDPR).
- Furthermore, UK companies belonging to an EU-based corporate group will likely see little benefit, as most corporate groups will continue to adhere to the stricter EU standard globally, regardless of local deviations, thus making compliance easier to manage.
Key reforms of the Bill
In the following, we introduce the most relevant changes for businesses subject to the existing UK data protection regime:
A key element of the proposal is the revision of existing accountability requirements. First, Data Protection Impact Assessments (DPIAs) are to be replaced by “Assessments of High Risk Processing”. As part of this, the obligation on controllers to consult the Information Commissioner’s Office (ICO) on certain high-risk DPIAs is removed. Instead, controllers will merely have the option to do so.
Second, the obligation to appoint a Data Protection Officer (DPO) is replaced by a requirement to designate a Senior Responsible Individual (SRI). This is not merely a change in terminology but potentially also a change in the position's standing and independence, and thus in accountability. A DPO must be independent and free to advise management directly. This may not be the case for Senior Responsible Individuals.
Finally, the requirements for record keeping are amended: records of processing activities (ROPA, Art. 30 UK GDPR) will become “records of processing of personal data” and will only be required of controllers and processors that carry out processing of personal data which, “taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals”. The records themselves, where required, are substantially similar to what is required currently. This means fewer companies will be obliged to keep UK records of processing activities.
The Data Protection and Digital Information Bill also removes the obligation to appoint a representative according to Art. 27 UK GDPR for businesses that are offering services from third countries to the UK. This would also reduce the burdens on companies in third countries providing goods or services to, or monitoring, individuals in the UK.
According to the UK GDPR, one of the grounds for processing personal data is legitimate interest. Before any personal data may be processed on this basis, businesses have to carry out a legitimate interest assessment (LIA), in which the business's legitimate interests are weighed against the impact of the processing on the data subject’s rights and interests. If this assessment indicates that the rights and interests of the data subjects prevail, the processing cannot be based on legitimate interest.
The proposed Bill intends to remove the need for an LIA when processing personal data on the basis of legitimate interest in certain cases. For this purpose, the Bill provides a list of recognised legitimate interests. This creates certainty for UK businesses as to when they may rely on a legitimate interest.
The Bill also provides a list of purposes for which processing may be treated as compatible with the original purpose for which the personal data was first collected. Companies collecting personal data for one purpose may thus rely on this list to process the same personal data for purposes deemed compatible.
The Bill also empowers the Secretary of State to make regulations regarding information technology to enable consent to be given, or an objection to be made, automatically for all websites by users. Essentially, a universal consent and opt-out mechanism is meant to be created which can be installed on a laptop, phone or browser and will signal a user’s cookie preferences across websites automatically.
Most importantly, the fines for violations of the PECR (Privacy and Electronic Communications Regulations) rules regarding direct marketing will be significantly higher.
Furthermore, a change to the criteria for refusing data subject requests and for charging fees for them is proposed. The criterion “manifestly unfounded and excessive” stipulated in the UK GDPR is to be replaced by the broader criterion “vexatious and excessive”. The Bill also contains a non-exhaustive list of criteria to make it easier for companies to determine whether a request is “vexatious and excessive”.
The charging of fees is also provided for in the UK GDPR, but the Bill expands the situations where a fee may be charged.
The current UK GDPR only provides for provisions regarding complaints to the ICO, but not for complaints directly addressed to the controller.
The Data Protection and Digital Information Bill proposes to require the controller to accept electronically submitted complaints and to confirm receipt of complaints within 30 days. Essentially, companies will have to set up an online complaint form on their website. A substantive response shall be provided “without undue delay”. If a data subject has not made use of this right, the ICO (or the proposed Information Commission) should be allowed to decline the complaint. This limits data subject rights compared to those afforded under the GDPR, requiring data subjects to exhaust alternative remedies before seeking support from the supervisory authority.
Art. 22 UK GDPR currently provides for the right not to be subject to solely automated decision making that has legal or similarly significant effects for the data subject. The Bill proposes to replace this right with a provision that requires controllers to provide the following safeguards if “significant” decisions are taken by solely automated means:
- providing information about these decisions taken in relation to the data subject to the data subject,
- enabling the data subject to make representations with regard to these decisions,
- enabling the data subject to request human intervention by the controller with regard to such decisions,
- enabling the data subject to contest such decisions.
The proposed amendments have been the subject of debate, as they could threaten the adequacy status of the UK. Decisions made by automated means always entail the risk of discriminatory outcomes. Whether the adequacy status could be affected by this amendment depends in particular on how “significant decisions” will be defined.
Another delicate change the Bill proposes concerns international data transfers. Significantly deviating from its EU counterpart, the Bill proposes to introduce a risk-based approach for international data transfers. The current adequacy test is to be replaced by a so-called “data protection test”. When carrying out this test, it is determined whether the data protection standard provided in the data receiver’s country is “not materially lower” than the standard in the UK. The test is intended to enable greater flexibility in assessing the protection level in a third country.
The UK has deviated, and will continue to deviate, from the EU Commission regarding the adequacy decisions it grants, so that the list of adequate third countries will differ between the UK and the EU.
Moreover, a reform of the ICO is proposed. The Information Commissioner will be replaced by an Information Commission with some additional powers. As mentioned above, it is proposed that the Information Commission may reject certain complaints by data subjects, if the complaint has not been made to the controller first.
Consequences for the UK adequacy decision?
The proposed reforms do not repeal the current UK data protection regime. Instead, the proposals mainly modify the obligations that organisations already have under the existing data protection regime, in order to reduce compliance burdens for businesses.
However, the Bill does still propose some significant changes, especially with regard to international data transfers and automated decision-making. The more the UK data protection regime diverges from its EU counterpart, the higher the risk that the EU might conclude that the UK does not have an adequate data protection regime for personal data. This could lead to a revocation of the UK's adequacy decision.
British Minister for Media, Data and Digital Infrastructure Matt Warman commented on this controversy:
“The EU does not require countries to have the same rules to grant adequacy […] so it is our belief that these reforms are compatible with maintaining a free flow of personal data from the European Economic Area.”
No substantial changes to the Data Protection and Digital Information Bill are expected in the House of Lords, though they are not impossible. Until the final text is completed, no reliable statement can be made as to whether the UK's adequacy decision is in jeopardy. The EU Commission will take the reform into account in its assessment of the UK adequacy decision next year.
Meanwhile, UK-based companies should decide which standards they wish to uphold in their data protection management systems. While UK data protection legislation may no longer impose certain requirements, EU-based clients, partners and/or holding companies may continue to do so. UK companies that decide to continue to uphold EU standards will largely meet any UK-imposed data protection requirements and thus be in compliance with both UK and EU standards, though they may have no legal obligation to do so.
These companies would, however, be well advised to still implement certain future UK-specific requirements, such as an online complaint form, as a violation may lead to a heavy penalty in the UK. Certain UK deviations will therefore exist in future.