Data Protection and Digital Information (no. 2) Bill

UK data protection reform, take 2.

The UK Government introduced the Data Protection and Digital Information (no. 2) Bill to Parliament on 8 March 2023 ("DPDI No.2"), withdrawing its previous Data Protection and Digital Information Bill ("DPDI No.1"). In October 2022, Michelle Donelan, now Secretary of State for the Department of Science, Innovation and Technology (DSIT), had trailered "a truly bespoke, British system of data protection", leaving us wondering (for a time) if we were to wave "goodbye" to the UK GDPR. As it transpires, DPDI No.2 is a modest uplift to DPDI No.1 and, overall, the package of reforms is not a dramatic departure from the UK GDPR, the framework of which is also to be retained. This briefing looks at the recent changes.

Now Reading

What happened to DPDI No.1?

DPDI No.1, introduced to Parliament in July 2022, embodied most of the proposals set out in the Government's response to feedback to its consultation, "Data: a new direction". DPDI No.1 was put on hold when Liz Truss was appointed as PM in September 2022 and, the following month, Michelle Donelan announced a re-think of the bill and a further consultation with business:

…we will be replacing GDPR with our own business and consumer-friendly, British data protection system

In the months that followed, we heard little of the Bill until responsibility for it was passed from the Department for Culture, Media and Sport to the newly created DSIT, shortly after which DPDI No.2 was introduced to the Commons. Even though DPDI No.1 has been simultaneously withdrawn, the reforms from DPDI No.1 have been carried over into DPDI No.2, but some of them have been tweaked (as described in section 2 below).

The key data protection reforms introduced by DPDI No.1

In very broad terms, from a data protection perspective (other parts of the Bill introduce new provisions around data access and digital verification services, which are not covered here) DPDI No. 1 set out:

a more subjective test for identifiability as part of the definition of "personal data", which would likely narrow the scope of data caught by the UK GDPR
a white list of "recognised" legitimate interests (as a legal basis for processing) to include various public interest purposes for which no balancing test (i.e. the data controller's legitimate interests versus the rights and interests of the data subject) would be required
a partial relaxation of the principle whereby data cannot be processed for further purposes that are incompatible with the original specified purpose(s)
a simplification of the rules around processing for research purposes
a revised threshold for refusing or charging for data subject access requests from "manifestly unfounded or excessive" to "vexatious or excessive"
a narrowing of the restrictions on decisions made solely based on automated decision-making while bolstering rights for the data subject around such decision-making
various measures intended to reduce the administrative burden on businesses, such as limiting reporting duties, replacing mandatory DPOs with "senior responsible individuals" (required for public authorities and organisations engaged in high-risk processing only), and removing the requirement for in-scope entities to appoint a UK representative if they are not established in the UK
in relation to international transfers, a new "data protection test" for assessing adequacy in the context of the Secretary of State making adequacy regulations and exporters assessing the adequacy of safeguards such as standard contractual clauses. The test is that the standard of protection in the recipient territory is not "materially lower" than that in the UK
removing the consent requirement for further specified types of non-intrusive cookies
increasing the maximum fines under PECR to align them with the fines under the UK GDPR
reforming the ICO.

What are the additional changes proposed in DPDI No.2?

Relatively few. With the exception of the first of the changes outlined below, most can be categorised as "clarificatory" in nature, as opposed to a significant change in direction or step forward:

Reducing administrative burden for businesses: the requirement for record-keeping (along with the requirements for risk assessments and to appoint senior responsible individuals) will be restricted to high risk processing activities. High risk will be determined by taking into account the nature, scope, context and purposes of the processing. The previous exemption from record-keeping requirements, which was limited to organisations with fewer than 250 employees (absent any high risk processing), has been removed.
Additional identified legitimate interests: as well as the "recognised" legitimate interests list, DPDI No.2 sets out a non-exhaustive list of activities which may be considered a legitimate interest. These include direct marketing, intra-organisational transmission of data necessary for administrative purposes and maintenance and security of networks and information systems. All legitimate interests beyond those on the "recognised" list will still require a balancing test.
Scientific research: DPDI No.2 clarifies that the definition of scientific research includes research carried out as a commercial activity but specifies that research into public health will only count as scientific research if it is in the public interest. DPDI No. 2 also includes an illustrative and non-exhaustive list of types of scientific research, previously contained in the recitals and now moved to the operative parts of the UK GDPR, such as applied or fundamental research or innovative research into technological development.
International transfers: there's helpful clarification that organisations will not have to re-paper (thank goodness!) existing transfer mechanisms validly put in place prior to the new legislation coming into force in the light of the new "data protection test". Once DPDI No.2 is in force, new transfer arrangements will need to be assessed with reference to the new test.
Automated decision-making: DPDI No. 2 clarifies that profiling is only subject to the requirements of Article 22 when a significant decision is made without meaningful human involvement.

What now?

DPDI No.2's second reading is yet to be scheduled but is expected to take place in the coming weeks and the new legislation is anticipated to come into effect during this year. DSIT are not expecting significant changes to the Bill.

DPDI No.2 may be a bit of a damp squib after October's rhetoric, but on a more positive note:

The expectation remains that organisations already compliant with the current UK GDPR will not be forced to make changes to comply with the proposed UK GDPR and, indeed, these proposed reforms may offer some of them the opportunity to make use of new compliance efficiencies.

Albeit that the benefit to those organisations which are subject both to the EU GDPR and the UK GDPR (seeking to take a uniform approach) is likely to be limited, at least there seems little scope for conflict between the two regimes if organisations choose to follow EU GDPR as the “gold standard”.
The risk of these reforms impacting the UK's adequacy seems slim. One area of change which it is thought could attract the EU's attention is the reform to the ICO and a perceived lack of independence (although this is not an issue, according to John Edwards!).