The Data Protection and Digital Information (No. 2) Bill was introduced to Parliament on 8 March 2023 and has since progressed to its third reading. It’s a second version of the Bill that the Government is hoping will reform data protection law in the UK to make compliance easier and cheaper for businesses and charities.
What is our current data protection system?
Data protection laws determine how individuals’ personal data (ie information about them from which they may be identified, either on its own or in conjunction with other data held) can be used. The laws aim to protect people’s privacy and to grant them other rights in relation to their personal information. These include, for example, the right to have their data processed (eg used and stored) in a fair, specified manner, and the right to access data that an organisation holds about them and to request that it be amended or deleted.
These laws are primarily contained in two key pieces of legislation: the Data Protection Act 2018 and the UK General Data Protection Regulation (the UK GDPR). These are sometimes referred to collectively as ‘GDPR’.
For more information, read Data protection.
How significantly is the Bill likely to change data protection law?
The Bill is supposed to represent a significant revision of our current data protection regime. However, the degree of change is likely to be tempered by the desire to maintain the EU’s ‘adequacy decision’ regarding the UK. This is the EU’s formal acknowledgement that the UK’s data protection regime is sufficient in comparison to its own, so that personal data may be transferred from the UK to the EU (eg between businesses in each location) without the need for additional safeguards to be put into place. Currently, the UK GDPR closely resembles the EU GDPR, upon which it is based. If UK data protection rules were to diverge too strongly (and offer less protection), the EU may withdraw its adequacy decision. This would require UK businesses transferring data to the EU to meet more costly and time-consuming hurdles to do so (ie they would need to have a safeguard, like an International Data Transfer Agreement (IDTA), in place).
Which changes might the Bill introduce?
The Bill contains a significant number of proposed changes, some more sizeable than others. These include:
‘Legitimate interest’ will be easier to rely on
One of the ‘lawful bases’ that an organisation can rely on in order to legally process personal data is that of legitimate interest. Legitimate interest can be relied on when data processing is necessary for the legitimate interests of the organisation controlling the processing (ie the data controller) or of a third party (eg customers or members of the public).
Currently, as part of the process of relying on a legitimate interest, a data controller must carry out a balancing test to weigh up their interests in the processing against the potential effects on the rights of data subjects (ie the individuals to whom the data relates). Under the new Bill, the balancing test would not need to be carried out for a specified list of recognised legitimate interests (eg national security, emergencies, and safeguarding).
This change would help to remove some of the uncertainty involved in the balancing test and the time and money invested in it.
A lower threshold for refusing data subject rights requests
Data subjects have the right to make various requests related to their personal data, for example data subject access requests (DSARs). Organisations who receive these requests are currently allowed to refuse them if they are ‘manifestly unfounded’.
The Bill proposes that this threshold for refusal change to ‘vexatious or excessive’. This theoretically lower threshold may make it easier for organisations to refuse barrages of requests made in an attempt to hassle or distract the organisation, which does happen.
Considering proportionality when choosing safeguards for international transfers of personal data
Currently, a transfer of personal data from the UK into a country that is not covered by an adequacy regulation (the UK’s equivalent of EU adequacy decisions) must have an appropriate safeguard in place, set out within a transfer mechanism like an IDTA.
The Bill proposes that, in such situations, the required safeguards are determined using the new ‘data protection test’. This test uses risk-based decision making and establishes whether the standard of data protection in another country is ‘not materially lower’ than that in the UK. Safeguards should be chosen based on this test and on what is assessed to be reasonable and proportionate.
This change may allow for less onerous and comprehensive safeguard options in appropriate situations, for example, where personal data and the location it is being transferred to are both lower risk.
New exemptions to the requirement for cookie consent
The Bill plans to introduce a list of exemptions to the requirement for consent, which can be relied on if users are also provided with a ‘simple means of objecting’. The list may, for example, include:
- installing necessary security updates
- collecting information about a website’s or service’s use for statistical purposes, with the intention of making improvements
The requirement to carry out a DPIA will change
Data Protection Impact Assessments (DPIAs) must currently be carried out before processing is undertaken which is likely to result in a high risk to individuals. A DPIA analyses risks, ways of managing them, and the purposes of the processing. If it identifies high risks that cannot be mitigated, the data controller must consult with the Information Commissioner’s Office (ICO) before starting processing.
The Bill would remove the requirement that a DPIA be carried out and replace it with the requirement that an ‘assessment of high-risk processing’ be carried out. This will need to contain similar information to a DPIA, but the exact format required is less specific. A DPIA could still be used, as it could constitute an assessment of high-risk processing, or a simpler document based on an organisation’s existing internal processes could be used. Further, the requirement to consult the ICO is to become a voluntary option.
What do these changes mean for businesses?
If the Bill is passed, organisations that process personal data will need to comply with the new laws once they come into force. However, it’s unlikely that organisations that are compliant with the UK’s existing data protection regime (ie the GDPR) will need to make many, if any, changes to become compliant. The aim of the Bill is to make compliance easier, so extra hurdles are unlikely. Perhaps some paperwork will need updating to, for example, reflect different terms. The new Bill will hopefully still offer data subjects adequate protection whilst making data protection compliance more efficient and cost-effective.