Less than three months following the European Commission’s Adequacy Decision [1] concerning the protection of personal data by the UK under the EU General Data Protection Regulation (“GDPR”), the UK launched a proposal [2] for significant reform of the national data protection regime. Following a period of regulatory uncertainty, businesses are seeing important steps towards clarity in the form of the draft Data Protection and Digital Information Bill [3]. The bill aims to “boost British business, protect consumers and seize the benefits of Brexit” [4] through several changes to the current regime.
Summary of Changes Introduced by the Bill [5]
Data Protection Obligations. With respect to businesses’ core data protection obligations, the bill seeks to:
- Amend the definition of “personal data” to clarify that data is “identifiable” where the business: can identify an individual from the data by reasonable means; or knows, or must reasonably know, that another person is likely to obtain the data and could identify an individual by reasonable means.
- Introduce the concept of “recognised” legitimate interest as a new lawful basis for processing. Recognised legitimate interests would include, among others, safeguarding national or public security, protecting children or vulnerable adults, and detecting, investigating or preventing crime or apprehending or prosecuting offenders.
- Amend the threshold for charging a reasonable fee or refusing a data subject request from “manifestly unfounded or excessive” to “vexatious or excessive.” The bill also prescribes factors and examples to guide organisations in identifying vexatious or excessive requests, such as requests intended to cause distress, made in bad faith or abusive of process.
- Allow automated decision-making in a broader range of circumstances, subject to safeguards such as notifying data subjects and allowing them to make representations, obtain human intervention and contest such decisions. The narrow consent, contract or law-based provisions which currently permit such processing would only apply to sensitive data.
- Simplify the use of personal data for scientific research purposes by:
  - defining processes for “scientific research” and “statistical purposes”;
  - allowing broad consent to an area of scientific research where it is not possible to identify specific research purposes at collection;
  - disapplying notice requirements for the reuse of personal data collected from third-party sources where notification entails a “disproportionate effort” (accompanied by a non-exhaustive list of examples); and
  - consolidating and supplementing the safeguards required for processing personal data for research, archiving, and statistical purposes.
- Amend the responsibilities of data controllers and processors by:
  - replacing the obligation to implement “appropriate technical and organisational measures” with the implementation of “appropriate measures, including technical and organisational measures” for greater flexibility around risk management controls;
  - removing the requirement for representatives for controllers outside the UK;
  - replacing the requirement to appoint a data protection officer with the appointment of a “senior responsible individual” to manage or suitably delegate management of data protection risks;
  - replacing the current requirement to maintain a record of processing activities with an “appropriate record of personal data,” subject to seemingly less restrictive content requirements and guidance on what might constitute an “appropriate” record; and
  - replacing the current requirement to conduct a data protection impact assessment (“DPIA”) with an “assessment of high-risk processing” as well as amending the detailed requirements around DPIAs, including by making any prior consultation with the commissioner optional.
- Revise the approach to issuing adequacy regulations to include a risk-based data protection test that takes into account specific aspects of the legislative regime of the country assessed, such as respect for the rule of law and human rights and individuals’ options for redress, among others. The bill also requires businesses to act “reasonably and proportionately” and to take into account all circumstances of the transfer when conducting a transfer risk assessment.
- Introduce a new statutory framework setting out the strategic objectives and duties of the Information Commissioner’s Office (“ICO”) against which the regulator is expected to prioritize its activities and resources, evaluate its performance, and be held accountable by its stakeholders.
  The bill also seeks to change the ICO’s governance model from the current “corporation sole” to a governance board model and to introduce a more proportionate approach to the regulator’s complaints handling responsibilities.
- Mandate wider industry involvement in “smart data” initiatives as an extension to the right to portability of customer data to third-party providers.
Digital Information Provisions.
The bill also introduces revised provisions related to digital verification services (“DVS”) and digital information which seek to:
- Create a regulatory framework for the provision of “trusted” online digital identity verification services in the UK. The framework establishes a “trust mark” and register for certified DVS providers, and an information gateway enabling government-held personal data (including biometrics) to be shared with private, trusted providers for DVS purposes.
- Revise electronic marketing rules, including:
  - extending permissible uses of cookies without express consent for certain “low-risk” purposes;
  - enhancing ICO enforcement powers, particularly in respect of nuisance calls;
  - extending the “soft opt-in” rule (allowing marketing of similar products or services to existing customers without consent) to non-commercial promotions, such as charity fundraising or political campaigning for democratic engagement purposes; and
  - creating a new obligation for public electronic communication network and service providers to report “suspicious activity” relating to unlawful direct marketing to the ICO.
- Extend the scope of permissible data sharing for the purposes of improving the delivery of public services [6] to individuals to cover public services to businesses.
- Revise the eIDAS Regulation [7], setting out the rules for trusted services relating to electronic signatures, electronic seals, timestamps, electronic delivery services, and website authentication. The revisions provide for conformity assessment reports issued by EU accreditation bodies to trusted service providers to be recognized in the UK and to be used to grant providers “qualified” status under the regulation.
- Reform the process of registering births and deaths by replacing the current paper-based system with electronic registration requirements.
- Extend IT and information standards applicable to the health and social care sector to IT providers handling patient data, particularly regarding system interoperability and data sharing.
- Revise specific aspects of biometric, CCTV, and DNA database regulation, including:
  - simplifying the oversight framework for enforcement authorities’ use of biometrics and surveillance cameras — this may take the form of transferring the oversight functions of the Biometrics and Surveillance Camera Commissioner to the Investigatory Powers Commissioner;
  - abolishing the office of Surveillance Camera Commissioner and removing the requirement for a Surveillance Camera Code; and
  - extending the scope of the powers of the Forensic Information Databases Strategy Board to also include oversight of the national fingerprint database.
What Can Organisations Do to Prepare?
The UK’s draft Data Protection and Digital Information Bill provides valuable insight into the direction in which the UK government [8] might take the renewed national data regime. Below are some preliminary steps which organisations can take proactively to prepare for upcoming reforms.
These steps may be of particular importance to global organisations with both UK- and EU-based operations. However, they are designed to help all businesses impacted by the upcoming reforms to hit the ground running from an operational perspective in the face of change.
- Re-evaluate the organisation’s strategic approach to maintaining data protection compliance in the UK. Businesses with operations in, or targeting, the UK market may begin to consider whether to: (a) continue to operate EU-centric compliance processes implemented against GDPR requirements; or (b) reap the benefits of a lighter compliance burden by designing and implementing new process workflows in the UK.
  The decision will ultimately be based upon a cost-risk-benefit analysis performed by the business on a case-by-case basis that will factor in aspects such as the scope of their market presence, their current approach to global compliance, and their unique strategic goals and challenges.
- Formulate a pragmatic data transfer strategy factoring in the organisation’s transfer requirements and the potential impact of reform on applicable transfer rules. An important, recurrent concern surrounding the bill is the impact that a divergence from the EU GDPR may have on the EU’s adequacy decisions for the UK. While the decisions are expected to last until 2025 [9] and reforms are seen as compatible with continued adequacy by the government [10], “the risk that the EU revokes its adequacy decision increases.” [11]
  Conversely, organisations seeking to transfer data out of the UK might benefit from a wider range of adequate destination options under the new adequacy assessment procedure. Businesses may find it helpful to monitor whether the procedure will indeed “add more countries to those deemed adequate” [12] (currently 40), and to factor adequacy outcomes into their decisions about how and, most importantly, where to process personal datasets originating in the UK.
- Continue to monitor regulatory developments within both the UK and the EU. With its second reading postponed [13], the bill remains in the early stages of its legislative journey to royal assent. Monitoring the evolution of the bill and its impact on UK adequacy in particular will be instrumental to organisations in the process of (re)shaping their data protection compliance strategy in Europe going forward.
[1] https://commission.europa.eu/system/files/2021-06/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf
[12] https://researchbriefings.files.parliament.uk/documents/CBP-9606/CBP-9606.pdf
[13] https://hansard.parliament.uk/commons/2022-09-05/debates/FB4997E6-14A2-4F25-9472-E2EE7F00778A/BusinessStatement
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.