The UK government has recently published proposals to amend UK data protection legislation with moves towards divergence from EU rules and regulation following the UK’s decision to leave the EU (“Brexit”). The Data Protection and Digital Information Bill (“DPDI Bill”) proposes to make significant changes to existing UK data protection legislation, including the UK General Data protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”). The proposals include some measures that will result in a significant divergence, particularly for companies operating on a pan-European basis. While some compliance obligations will be relaxed, most of the changes can best be described as “similar but different” in approach. It remains to be seen what the final text will look like when the bill is passed into law, with some of the more radical proposals already having been dropped from consideration. A crucial point of consideration for UK legislators when the DPDI Bill is making its way through the various stages of the legislative process in the Houses of Parliament will be whether this legislation remains sufficiently similar to the EU’s General Data Protection Regulation (“EU GDPR”) that the UK is able to retain its adequacy status for the purposes of exports of personal data from the EU to the UK by companies operating internationally.
A New Approach to Defining Personal Data
The DPDI Bill as drafted amends the definition of “personal data” so that it requires the data to be identifiable by the controller or processor (or any other person who is likely to obtain the data as a result of the processing) by reasonable means at the time of processing. This potentially limits the scope of what would qualify as personal data and should make it easier to create anonymized datasets, for research, analytics and other purposes, to which the UK GDPR would no longer apply.
Accountability – Somewhat Relaxed
The DPDI Bill proposes to relax key accountability obligations that apply under existing data protection law in the UK meaning that for some businesses there should be less stringent requirements (and less paperwork).
As drafted, overseas controllers caught by the extraterritorial scope of UK data protection legislation will no longer be required to appoint a UK representative as is currently the case under certain circumstances.
Similarly, Data Protection Officers (“DPOs”) are currently required for all controllers and processors where the processing is carried out by a public authority, is on a large scale or involves large amounts of special category data. In the UK, a Senior Responsible Individual (“SRI”) will now be required instead, who must be a part of the relevant organisation’s senior management. The EU GDPR and regulatory guidance currently requires that DPOs act independently of senior management and it remains to be seen how potential conflicts will ultimately be resolved.
The DPDI Bill includes similar requirements to the EU GDPR as regards records of processing activities, although there will be an exemption for all small and medium enterprises (“SMEs”) with fewer than 250 employees unless they engage in “high risk” processing, which is a slightly more lenient approach and will enable more SMEs to avoid this additional paperwork.
Data Protection Impact Assessments (“DPIAs”) would still be required for all “high risk” processing of personal data in relation to new technologies and must include: a summary of processing purposes; an assessment of necessity for achieving the purposes; an assessment of risks to individuals; and the controller’s mitigation proposals. However, the list of circumstances under which a DPIA must be carried out under the EU GDPR, such as when processing large scale special category data, will no longer apply in the UK. This may reduce the compliance obligations for UK-based businesses, although businesses operating in both the EU and UK, or UK businesses which are subject to the EU GDPR’s extra-territorial reach will need to continue to comply with the EU GDPR.
Cookies, Online Tracking and Marketing – Less Consent Required but Greater Fines
Similarly, the marketing opt-out exemption under the Privacy and Electronic Communications Regulations (“PECR”) (which allows businesses to send electronic marketing communications to customers without prior consent where the contact details were obtained in the context of a previous sale or provision of goods and services) has been expanded to apply to non-commercial organisations for charitable, political or other non-commercial objectives. At the same time, it is proposed that fines for breaches of PECR will be brought in line with those set out in the GDPR, i.e. £17.5 million or 4% of annual global turnover.
There is also a more radical proposal to give powers to the Secretary of State to issue regulations that would allow users to give or withhold blanket consent across all websites they visit through their browser settings. This solution was proposed by the EU Commission in 2017, as part of the discussions relating to the new e-Privacy Regulation, but were later dropped.
The combination of these measures could mean quite a complex balancing exercise for businesses operating online across the UK and EU and needing to comply with both regimes. Ultimately, it is likely that where a company is also caught by the European regime, it will still generally make sense to continue to ensure EU GDPR compliance across the board.
Similar but Different – Internal Data Processing and Management, and Responding to SARs
There are a few key recognizable requirements of the UK GDPR, which look similar as drafted in the DPDI Bill, but still represent a departure from the current UK and EU approaches.
The DPDI Bill proposes to relax the requirements for the balancing test for determining whether legitimate interests can be relied upon as a lawful ground for processing in certain areas. The balancing test would be replaced by a list of acceptable legitimate interests for which this balancing test is not required, which is set out in the text of the DPDI Bill at Annex I. This currently focuses on a relatively limited number of areas such as national security, preventing crime and safeguarding vulnerable individuals, but can be amended over time through secondary legislation.
The approach to automated decision making (“ADM”) is another area where the DPDI Bill looks to move away from the EU whilst retaining the essence of the existing law and simplifying the approach. Rather than the law stating that individuals must not be subject to decisions based solely on ADM where these decisions have legal or similarly significant effects (a prohibition with exceptions), use of ADM will generally be permitted, but with a positive right to human intervention. This may make it easier for controllers to make use of ADM, although the level of information that will need to be provided to data subjects in order that this remains lawful may go beyond current requirements.
The DPDI Bill also clarifies some of the requirements for responding to Subject Access Requests (“SARs”). This includes expanding the circumstances under which a SAR can be refused, amending the “manifestly unfounded or excessive” ground for refusal to “vexatious or excessive”. This could, include SARs which have been made with the intent of causing distress or as an abuse of process, which may be relevant in the context of wider litigation proceedings. A data controller will be able to take its own resources into account in taking decisions about whether a response can be refused, as well as any other material circumstances which may affect the fairness of the SAR. The DPDI Bill also proposes to make it easier for data controllers by clarifying that the clock does not continue to run while the respondent is waiting for the requestor to provide reasonably requested information, such as confirmation of their identity, or to pay fees, although this is already taken to be the case.
A Risk to Adequacy?
An area where the UK has sought to simplify the approach, but which might risk its position in respect of its EU adequacy status, is international transfers. There will now be a “data protection test” which will be met provided that data protection in a given third country is “not materially lower” than in the UK. This test will apply both when controllers are assessing transfer mechanisms for day-to-day international data transfers, and where the UK Secretary of State is assessing potential country-level adequacy decisions. This new “outcomes-based” approach, taking into account the overall standards of protection for data subjects, rather than a “point by point comparison” used by the EU, should help to simplify the approach for businesses. It remains to be seen whether the EU Commission will regard such an approach as providing adequate protections for data subjects in its overall assessment of the UK’s adequacy status. The existing decision on adequacy was published in June 2021 and will automatically cease to have effect unless renewed by the EU Commission in June 2025. However, this is an ongoing process for the EU meaning that changes to UK law at any time that may have a bearing on adequacy could result in the UK losing adequacy status before such time as a general review of the UK’s status is required. This is likely to be the one of the most politically controversial aspects of the DPDI Bill.
New Rights and Requirements
The DPDI Bill introduces a new right for data subjects to complain to controllers, who must acknowledge receipt within 30 days and then take appropriate steps to respond without undue delay. This provides for a sensible step before regulatory escalation.
Comment and Next Steps
Overall, despite its considerable length at 192 pages, the legislation does not provide for a radical new approach to data privacy in the UK. The proposed changes may reduce the regulatory burdens for SMEs operating solely in the UK. Businesses operating internationally will inevitably need to comply with two, largely similar, but increasingly diverging, sets of rules.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.