UK's new data bill

Data protection: All change again

The UK’s data protection regime that came about following the introduction of the General Data Protection Regulation (GDPR), and the subsequent new Data Protection Act (DPA), is around five years old now. However, the government is introducing legislation, via the Data Protection and Digital Information Bill (DPDI), to reform it.

The bill is the culmination of a reform programme which began with a public consultation back in autumn 2021; a bill was first introduced in July 2022 but it never got off the ground.

A rethink

Kevin Modiri, a partner and solicitor at Nelsons, an East Midlands law firm, notes that the earlier version of the bill was put on hold after Liz Truss was appointed as prime minister. He says that at the Conservative Party conference in October 2022, science, innovation and technology secretary Michelle Donelan announced that “the UK would be replacing the GDPR. Ministers took time to reflect and came up with a No.2 bill in which they have made some targeted reforms”. Importantly, he adds that the bill “is not a replacement of the GDPR but a refinement to allow greater certainty for individuals along with a clarification of certain aspects of the existing framework”.

And for Jeanette Burgess, head of regulatory & compliance at Leeds-based Walker Morris, it appears that the government is seeking to capitalise on post-Brexit freedoms to make changes to the current data protection regime. She says: “According to the new bill’s explanatory notes, some elements of the GDPR and DPA create barriers, uncertainty and unnecessary burdens for businesses and consumers.”

She continues: “In its announcement of the new bill, the government described it as a ‘common-sense-led’ UK version of the EU’s GDPR. The intention is to update and simplify the UK’s data protection framework, reducing burdens on organisations while maintaining high data protection standards.”

Modiri shares this view, commenting that “the bill seeks to bring in a less burdensome and more flexible regime which will become easier and inexpensive to implement”. He thinks that the bill offers a particular benefit to smaller and medium-sized enterprises, and that there will also be a financial advantage, as “the new laws are expected to save the UK economy £4.7 billion and boost data protection standards so that businesses can continue trading freely with global partners, which includes the EU”.

Proposed changes

So, what are the changes that the bill proposes?

To begin with, Modiri explains that “the new DPDI bill has been described as largely the same as its predecessor, but contains a number of provisions which are to be expected to simplify UK data laws”.

One of the key changes that he picks out is an update to the definition of personal data “to specify what is meant by the identification of an individual ‘directly or indirectly’ and information relating to an identifiable living individual”.

Then there are changes to the ‘legitimate interests’ definitions in the GDPR used as the legal basis for data processing. Here Modiri points out that “there is a proposal to include some examples of processing that may be considered as necessary for the purposes of a legitimate interest such as for direct marketing, intra-group transmissions of data and processing to ensure security of network and information systems”.

Beyond that is a proposed new legal basis for processing which is for a ‘recognised legitimate interest’. The key difference between this and the current legitimate interests basis is that businesses relying on one of the recognised legitimate interests will only need to ensure that their processing falls within one of the listed activities.

And there is to be, as Modiri puts it, “a clearer and more stable framework for international transfers with a risk-based approach to data transfers and changing the adequacy rules”. He says that “this will allow businesses to have a simpler and clearer set of rules for international transfers”.

Overall, though, Burgess thinks that the bill doesn’t radically change the data protection regime. She says that this means that “organisations will still need to make sure that they only process personal data where they have a lawful basis to do so and that data protection principles are complied with”.

That said, she lists changes introduced by the bill that could help businesses reduce costs. In particular, she says that “under the proposed new regime, the obligation to maintain records of data processing will only apply to organisations that carry out high-risk processing activities”.

Further, the role of the data protection officer will be replaced with that of the senior responsible individual (SRI). On this Burgess says that “organisations will only need to appoint an SRI where they are a public authority or otherwise are engaged in high-risk processing. As the name implies, the SRI must be a senior person in the organisation but can carry out this role in addition to other functions”. Interestingly, Modiri notes that “there will be no requirement for that individual to have any particular data protection expertise. Rather, that individual can seek advice and outsource functions to organisations as they see fit”.

And in a move to speed up certain business processes, the bill proposes a ‘digital verification services trust framework’ with providers of digital verification services being accredited and listed on a DVS register. Burgess explains that ‘verification services’ means “services provided at an individual’s request that involves ascertaining or verifying a fact about the individual from information provided by another source”.

In essence, this means that once an individual has created a digital identity, they may be able to re-use it to assert their identity (or something else about themselves). Burgess is thinking here about an individual’s age or address with the ability to share certain facts rather than a whole document.

And there are changes to rules around the use of artificial intelligence (AI) – a concern for Burgess. She explains that under the UK GDPR as it currently stands, “solely automated decisions (including profiling) that produce ‘legal or similarly significant’ effects on data subjects may only be carried out where it’s necessary for entering into or performing a contract between a controller and a data subject, it’s required or authorised by law or the data subject has given their explicit consent”.

As she reads it, the bill amends the law so that automated decision making is no longer restricted to these circumstances, which might make it easier for organisations to use AI in some situations, for instance when screening job applications. However, Burgess points out that “a ‘significant decision’ based entirely or partly on special category data which covers, for example, race, religion, sexual orientation, etc, may not be taken based solely on automated processing unless certain conditions are met”.

There is one other change that Burgess wants to highlight: the rules around website cookies which are to be relaxed as part of the drive to cut ‘red tape’. This means that “a website operator would be able to place certain types of cookies, including statistical and location cookies without the need for obtaining the current ‘pop-up’ consents”.

More cost?

It should be said that while the government seeks to ease the burden on UK firms, those with operations in the EU will still need to comply with the EU GDPR, and so, as Burgess notes, “it may be cheaper for them to continue to follow the current regime in the interests of consistency - to the extent that is possible under the new bill. If they choose to adopt separate compliance programmes for their EU and UK operations, that is likely to increase, rather than reduce, costs”.

Modiri holds a similar view saying that “those doing business solely in the UK, who do not have expansion plans to EU, may find it easier to comply only with UK laws once the bill is finalised; any multinationals may choose to do the same in relation to their UK-only data processing activities which may reduce costs”.

Data protection trials

One of the biggest data protection bugbears for organisations can be dealing with data subject access requests (DSARs).

DSARs can be a significant burden, and while this right is maintained under the proposed new regime, there are new protections for organisations. Modiri says that “there will be a proposed amendment to the exemption that businesses can use to charge a reasonable fee or refuse to respond to a request that is vexatious or excessive”.

This change not only has the potential to reduce paperwork and costs, but can help guard against disgruntled individuals seeking to weaponise their data. However, Burgess cautions that “it will be the data controller’s responsibility to prove that a request is vexatious or excessive. As the bill is currently drafted, it is anticipated that there will be debate on a case-by-case basis as to whether the threshold has been met”.

New penalties proposed

Of course, for legislation to be effective it needs to be able to wave a stick at offenders. Currently, there is a disconnect between the harsh penalties for pure data protection breaches and those for infractions of the electronic marketing rules under the Privacy and Electronic Communications Regulations (PECR).

The bill proposes changes that Modiri approves of because they seek to “align the fines for nuisance calls and texts under PECR with those under the UK GDPR”.

Currently PECR breaches can lead to action from the Information Commissioner’s Office including criminal prosecution, non-criminal enforcement, audit and imposition of monetary penalties of up to £500,000. The bill increases the level of fines for nuisance calls and texts to up to 4% of global turnover or £17.5m, whichever is greater.

But even with higher penalties, Burgess wonders how effective they will be as a deterrent, since that will depend on how stringent enforcement is in practice. The government, in her view, is clearly aware of this, as the bill proposes certain changes concerning the Information Commissioner’s role: “A statement of strategic priorities is proposed to set out the government’s data protection priorities to which the commissioner must have regard. It remains to be seen whether this will have any effect on the type and level of enforcement imposed, under the PECR or otherwise.” She thinks, however, that many still expect to see the Information Commissioner taking a proportionate approach, reserving the highest penalties for the most severe incidents of non-compliance.

Summary

The bill is not yet in finalised form; however, it does highlight the main areas of planned reform. The changes it introduces are not radical, but data protection is a serious matter and organisations should ensure they fully understand the implications of both the current law and the proposed changes.