The Data Protection and Digital Information Bill: Taking Back Control of Data Protection in the UK? | Orrick, Herrington & Sutcliffe LLP

The law project

On July 18, 2022, the Data Protection and Digital Information Bill (the Bill) was introduced for debate in Parliament, in one of the UK’s first moves towards privacy reform. data after Brexit.

The bill introduces a number of proposals put forward by the Department for Digital, Culture, Media and Sport in June this year, in response to its consultation on data reform.

The bill covers a number of data protection issues, ranging from the definition of personal data to international data transfers, data subject access requests, cookies and legitimate interests assessments. In addition, the bill aims to reform the current UK regulator, the Information Commissioner’s Office (ICO), in favor of a new information commission, as well as removing certain accountability requirements for organisations, such as the requirement for a data protection officer, representative and data protection impact assessments.

One step away from matching?

Some of these changes will be more controversial than others, however, the wide range of reforms may raise eyebrows in Europe, as currently the UK data protection regime mirrors that of the European Union.

Essential equivalence between the UK and EU regimes has been essential to business continuity after Brexit. In particular, the European Union’s “adequacy” finding in favor of the UK in June 2021 has enabled the lawful transfer of personal data from Europe to the UK with minimal disruption to activities. This could change if the European Union decides to revoke the UK’s adequacy decision in light of the changes proposed by the bill. According to the UK government’s estimate, the loss of the European Union’s adequacy finding would have an estimated trade value of between £190-460 million in one-time costs and an annual cost of between £210-410 million in lost exports. revenue.

The question at the moment is whether, by taking a few steps away from the EU data protection regime, the UK is taking a giant step away from EU adequacy.

Impact

Despite the wide range of proposals contained in the bill, these amendments seek to amend rather than replace the UK GDPR and the Data Protection Act 2018. Businesses should welcome a number of these proposals, which shift the needle from the current data protection regime to a commercial and pragmatic approach.

The bill is still in its early stages and much of its future will depend on the priorities of the next UK Prime Minister. However, businesses must prepare for a reformed regulatory landscape, as the UK takes its first step to regaining control of its post-Brexit data protection regime.

Read on for our analysis of the main changes.

Personal data

The current definition of “personal data” under UK data protection law is aligned with the EU GDPR and applies to any information relating to an identified or identifiable natural person.

The bill aims to modify this definition, introducing a subjective element from the point of view of the controller, processor or recipient(s) as to whether the information is personal or anonymous data. Personal data would be limited to information that:

  • relates to an individual”identifiable […] by the controller or processor by reasonable means at the time of processing“; Where
  • where the controller or processor”knows, or reasonably should know, that another person will or is likely to obtain the information as a result of the processing, and that the person will be or is likely to be identifiable […] by that person by reasonable means at the time of the processing.”

While this definition increases certainty for controllers and processors as to whether information is personal data, it could reduce the circumstances in which information is protected as personal data if the bill is passed.

For example, the current definition arguably covers personal data if it is identifiable to a single person, and may include personal data that later becomes identifiable once the processing has taken place. This information would not be included in the definition of personal data as defined. in the bill.

International data transfers

The bill encourages a risk-based assessment of the impact of international data transfers, which would see organizations assess the data protection risks involved in those transfers and make decisions about appropriate mitigation measures. This is arguably in contradiction with the decisions of some EU regulators, such as the Austrian DSB, which have opposed to a risk-based approach.

In addition, the Bill proposes that future UK adequacy decisions (allowing transfers of personal data from the UK to third countries determined by the UK to be “adequate”) can be made on a different test than EU GDPR. The bill would implement a new “data protection test” for the Secretary of State to review, requiring a “not materially inferior” level of protection in the recipient country, in place of the GDPR’s requirement of the EU for an adequate level of protection (interpreted as essential parity).

The UK would likely seek to grant adequacy status to the US under such a test, a move that will prove controversial in relation to the UK’s adequacy status with the Union. European. Onward transfers of European personal data from the UK to the US have been touted as a major impediment to the EU’s initial finding on adequacy for the UK, and any changes to data transfers between the UK and the US would likely call the UK’s European suitability into question once again.

Subject Access Requests

One of the most significant changes for controllers and consumers concerns the bill’s attempt to overhaul the Data Subject Access Request (DSAR) regime. The current regime, based on the EU GDPR, requires data controllers to respond to DSARs in all cases except where the requests are “manifestly unfounded”. The bill aims to allow organizations to refuse to respond to DSARs that are “vexatious or excessive” or to charge a fee for doing so.

Controllers will welcome this change, which means they will no longer have to respond to DSARs intended to cause distress, made in bad faith, or which constitute an “abuse of process” as “vexatious”.

Cookies

The bill could overhaul the current regime on the use of cookies and tracking technologies, often a compliance issue for organisations.

In particular, the bill proposes to expand the types of cookies that can be placed on users’ devices without their consent. The current regime only allows this for “strictly necessary” cookies related to the operation of a website. However, the bill seeks to allow organizations to place cookies on users’ devices to gather statistical information and improve their services, without users’ consent.

The bill also seeks to give the Secretary of State the authority to implement browser-level consent for cookies on all websites visited by a user. Although this approach has been considered by EU policymakers in the past, it has not been adopted as an EU-mandated approach, which requires individual websites to provide users with the ability to consent to the use of cookies.

In addition, organizations will potentially face higher fines for breaches of the Privacy and Electronic Communications Regulations, as the bill proposes maximum penalties for UK GDPR compliant breaches, rather than the current maximum fine of £500,000.

Legitimate interests

The bill aims to remove the legitimate interests balancing assessment required when controllers rely on legitimate interests as a legal basis for processing personal data. Instead, the UK government intends to whitelist certain legitimate interests, such as processing necessary in the public interest, national security, public safety and defence, emergencies, protection of persons vulnerable and democratic engagement.

To understand the full impact on data controllers, we will have to wait until the full list is published: it remains to be seen whether the balance test will continue to be required for most commercial processing activities.

Responsibility

The Bill moves away from the UK’s GDPR requirements for mandatory Data Protection Officers (DPOs), in favor of a “primary responsible person” who will be responsible for data protection risks or who will delegate this task to suitably qualified persons.

Additionally, the requirement for a UK representative where companies operate outside the UK but are still subject to the extraterritorial provisions of the UK GDPR should be removed.

In another attempt to reduce the burden on businesses, the bill also removes the requirement for data protection impact assessments, replacing it with the requirement for a high-risk processing assessment, to reflect a more flexible and risk-based approach.

The ICO

The bill aims to reform the ICO, recreating the regulator as a legal entity with the new title of “Information Commission”.

The Information Commission will have new functions, including promoting innovation and competition and taking into account the need to safeguard public and national security. The Information Commission will also be subject to new reporting requirements.

Research data and data reuse

The bill also aims to clarify the language of the UK GDPR to help researchers use personal data, allowing the re-use of personal data for the purposes of longer-term research studies.

The bill proposes new definitions for “scientific research”, “historical research” and “statistical purposes” in addition to allowing consent to be given to a field of scientific research where it is not possible to fully identify the purposes for which the personal data is to be processed.

Enterprise data and open data

As well as reforming the UK data protection regime, the bill also aims to encourage data sharing between businesses and introduce powers to enable ‘intelligent data systems’ in UK markets, intended to facilitate the secure sharing of data with authorized third parties upon request. of the consumer.