UK Data Protection and Digital Information Bill introduced into Parliament
I previously trailed the reforms in my earlier blog for the A&O Digital Hub back in June - The UK and global data protection landscape – seeing the bigger picture and navigating the maze. Since that blog, on 17 June the Government issued its response to the 2021 consultation - Data: a New Direction. This has also set out the underlying policy position and rationale for the changes and why certain proposals have not been taken forward.
Whilst the Bill can be characterised as evolution, there are still many changes businesses will need to consider ahead of the new provisions coming into effect. Multi-national businesses will welcome the additional flexibility and support for innovation but will also want the new UK requirements on accountability to be interoperable with their global data protection governance based on EU GDPR. Businesses may also want to consider what impact certain changes will have in practice – for example the change to allow a test of vexatious data subject access requests is cited as a burden reducing measure, but businesses will need to consider how much difference this will make in their own context.
There will also be an important debate in Parliament on how these changes impact on the protections provided to the public and whether the reforms continue to maintain a high standard of data protection in the UK. There will also be significant debate about the Bill’s provisions that allow the Secretary of State to make further provisions by regulations, which would be subject to less scrutiny than future primary legislation.
There are too many provisions in the Bill to summarise in full here but this blog highlights key changes that businesses should start to consider.
The key areas of reform
Reducing barriers to responsible innovation
Automated decision making - The most significant reform under this banner is the change to Article 22 of the UK GDPR, on automated decision making. This has been an important area of discussion – businesses see significant opportunities to improve the delivery of services and products through AI and algorithms, and there are risks from discrimination, bias and other harms from their deployment. The Bill removes some aspects of Article 22, and simplifies and clarifies other existing provisions.
The general prohibition has now been removed and instead there are conditions to be met for decisions involving special category data. The prohibition is then replaced with a series of safeguards that must be in place. The measures include conditions such as enabling the data subject to make representations and obtain human intervention about automated decisions.
Research - Other changes to support innovation and research have also been introduced. These include clarifying the definition of research, clarifying the test for anonymisation and allowing for a broader approach to consent and research. The changes will also allow for the “disproportionate effort” provision already in UK GDPR to be used when directly collecting personal data for research purposes.
Legitimate interest - There are also important changes as to how the legitimate interest can be applied, removing the need for a balancing test in certain circumstances, though the necessity test remains. This is currently limited to a narrow list in the Bill, as concerns were raised during consultation. This includes areas such as child safeguarding. Provisions would allow the Secretary of State to add more categories. As it stands, this will mainly be of interest to the public sector.
Reducing burdens on businesses and delivering better outcomes for people
Accountability - Another key headline for businesses is around the reform to accountability requirements. The Bill removes the requirements for data protection impact assessments, mandatory data protection officers and records of processing. The new accountability regime that replaces these provisions creates new requirements around assessment of high risk processing, assigning senior responsibility within organisations and streamlined record keeping. These new provisions have greater flexibility, allowing businesses to make decisions on how to apply accountability related to the scale and risk of their own operation.
Data subject rights - The other key area to consider is the change of test for refusing and charging for data subject requests, including access. The ‘manifestly unfounded and excessive’ test in UK GDPR is now replaced by ‘vexatious and excessive’. The concept of vexatious requests is well established in UK law, including the Freedom of Information Act. The intention is to give controllers greater confidence in refusing requests that genuinely abuse the rights provided, particularly access. This could include when requests are made related to employment disputes. The Bill also helpfully includes non-exhaustive criteria to determine whether a request is vexatious or excessive. The Bill also provides further clarification of when time periods for compliance with a request can be extended.
Representative - There is also an important change for businesses offering services to the UK from third countries - the Bill removes the requirement for representatives for controllers outside the UK.
Boosting trade and reducing barriers to data flows
The Bill introduces amendments to the international transfer provisions in Part V of UK GDPR. The changes introduce a more proportionate and risk-based approach. These changes seek to address some of the disproportionate impacts from the CJEU’s Schrems II judgment, whilst maintaining effective safeguards.
A new ‘data protection test’ is set out in relation to transfers of personal data to a third country. This moves away from the adequacy test to consider whether data protection in the third country is ‘not materially lower’ than that under the UK GDPR. The test focuses on looking at protection as a whole and allows for greater flexibility when assessing a third country eg judicial or non-judicial redress for data subjects is now considered. Where the Secretary of State has not provided regulations (ie the UK GDPR’s equivalent of the EU GDPR adequacy decision) and a controller or processor applies safeguards to enable international transfers instead (eg contractual clauses) the focus is now on the controller or processor acting ‘reasonably and proportionately’ when considering whether the data protection test is met.
Delivering better public services
These changes are of less interest to businesses, but contain some important reforms to better enable data sharing between public bodies under the Digital Economy Act 2015. There are also reforms that will enable businesses providing services on behalf of public bodies to rely on the lawful basis under Article 6(1)(e) of the UK GDPR.
Reform of the Information Commissioner’s Office
Structure - Modernisation of the regulator forms an important component of the reforms, to bring the ICO’s governance in line with other significant economic regulators eg Ofcom. This means a move away from the corporation sole model to an Information Commission, with a statutory board, chair and CEO.
The changes place greater focus on regulatory engagement, including input into ICO guidance and codes, via panels and impact assessments for the most important outputs.
Government input - There will be greater direction from Government, intended to create a more consistent and certain approach. The Bill provides the ICO with a new principal objective and duties including the desirability of promoting innovation. The Secretary of State may also designate a statement of strategic priorities and the ICO must have regard to it (rather than be bound to follow it). The statement must be laid in Parliament, to provide another point of accountability. The Bill also adds a provision for Secretary of State approval for statutory ICO Codes of Practice.
Additional powers - Under the Bill the ICO gains further powers to compel technical reports, drawing inspiration from the power the Irish Data Protection Commission already has in the Irish Data Protection Act. A new power also allows the ICO to issue interview notices when it suspects failings. Changes will also be introduced to bring the fine threshold under PECR (currently £500,000) in line with GDPR, to address concerns about nuisance calls and marketing.
Complaints - The ICO’s discretion to refuse certain complaints is also enhanced, with the Bill making it clear that the ICO can refuse a complaint if the controller has not yet received one. Controllers are given 45 days to consider a complaint first. The Bill adds further requirements for controllers to facilitate the making of complaints. This will create a greater focus on the policies and procedures that controllers have in place and how they link to customer service.
The ICO will of course play a vital role in supporting the new Bill with new guidance and tools. The ICO’s new corporate strategy ICO25 was published on July 14 and is important reading alongside the reforms.
It is also relevant to note that the Bill is not solely focused on data protection and contains important new legislation to enable a new digital identity framework. This is a topic that intersects with data protection.
These reforms have been keenly awaited by many businesses and sectors with digital business models. The UK digital identity system has fallen behind many countries and there is a significant opportunity to refresh the UK approach – enabling a trusted and federated market, supported by Government datasets and a trust framework. The Bill sets in place the key statutory building blocks to make this happen.
This includes a requirement for the Secretary of State for DCMS to prepare and publish the Digital Verification Services Trust Framework, which will be the underpinning component of the new system, alongside a register and system of certification for those organisations who play a key role in applying the framework.
It will be important to track amendments during the Bill’s passage through Parliament – we wait to see the detailed position of the opposition parties, for instance.
Timing of implementation will also be a key question. The Government will announce this later.
There is also now a practical question of navigating between three pieces of legislation – the UK GDPR, the Data Protection Act 2018 and the new Data Protection and Digital Information Act. Practitioners had hoped for greater consolidation to help with the navigation challenge and it will be important that DCMS and the ICO provide the relevant resources to help with this.
Over the coming weeks and months the Data Protection team at A&O will provide further analysis on the implications in podcasts and blogs.