- Digital Hub
UK Data Reform is back: Data Protection and Digital Information Bill (no2) is laid to Parliament
22 March 2023
The story so far
In July 2022 the Data Protection and Digital Information Bill (the original Bill) was introduced into Parliament and we finally got sight of the UK Government’s intended direction for data protection post Brexit. Please see our blog here on the key areas of reform and implications for issues such as EU adequacy.
The original Bill was then withdrawn in September 2022, as the government transitioned to the policy priorities of new Prime Minister Liz Truss, and then Rishi Sunak. The new Digital, Culture, Media and Sport (DCMS) Secretary of State, Michele Donelan, announced that the government was seeking go further in its reform of GDPR and a period of consultation opened with stakeholders; a series of meetings as opposed to a fresh formal consultation (which had already taken place in 2021 under the banner, Data: a New Direction). This stakeholder consultation involved a Business Advisory Group including the Data and Marketing Association, the Advertising Association, Which? TechUK and other stakeholders.
The policy responsibility for data protection also moved to the newly formed Department for Science, Innovation and Technology (DSIT) in February 2023. The DSIT announced its 5 priorities for 2023, which unsurprisingly include: “Deliver key legislative and regulatory reforms to drive competition and promote innovation, including the Data Protection and Digital Information Bill, the Digital Markets, Competition and Consumer Bill and our pro-innovation approach to regulating AI”.
Where are we now?
A new Data Protection and Digital Information Bill (no2) (the new Bill) was laid in Parliament on 8 March and the UK reform process is now clearly back in play. The new Bill also comes with a new set of explanatory notes but sadly no official Keeling schedule at this stage (which would present the Bill in the form of redline changes to the UK General Data Protection Regulation, Data Protection Act 2018 and the Privacy and Electronic Communications 2003).
The DSIT press release made the impressive claim that the new Bill would now enable £4.7Bn of savings over the next 10 years. This is a significant figure and no doubt the economic analysis behind it will be subjected to some scrutiny as the new Bill passes through Parliament, particularly as many multi-national companies may not seek to amend their data protection compliance programs if their global programme is centred on EU GDPR. The message from DSIT continues to recognise that EU GDPR compliance will support UK GDPR compliance.
We can expect the new Bill to have its second reading in the next few weeks and looking at the passage of the previous Data Protection Act 2018 the process to Royal Assent may last up to a year. It is also worth noting that a general election is expected in late 2024, so the new Bill will need to be passed before then.
Consideration should also be given to the wider context into which the new Bill arrives. Data protection reforms are underway in countries such as Australia, Canada and India and the UK framework that is created by this new Bill will be viewed in that context, as well as in comparison with EU GDPR.
What has changed?
In this blog we take a look at how the new Bill has changed and some of the likely implications. The headline is that most of the original Bill has been retained and there are a relatively small number of changes.
Here are the most notable changes in new Bill:
- Legitimate Interest. The most significant change is probably the clarification added regarding legitimate interests. Recital 47 of the GDPR has always contained the clarification that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. The new Bill adds a non-exhaustive list of scenarios where organisations may rely on the legitimate interests lawful basis, including for the purposes of i) direct marketing, ii) transferring data within the organisation for administrative purposes, and iii) ensuring the security of network and information systems. It is important to note that the necessity and balancing tests will still need to be met.
This change elevates the clarification regarding direct marketing from the recital onto the face of the law. This is something the trade body, the Data and Marketing Association, publicly called for. They felt the recital did not give enough confidence to those companies that wanted to use legitimate interests in certain scenarios. Legitimate interests and direct marketing purposes were also the subject of the recent Experian judgment by the First-tier Tribunal, with Experian winning their appeal in relation to a number of grounds, though the ICO has now appealed to the Upper Tribunal.
The Explanatory Notes also clarify that controllers may rely on Article 6(1)(f) to process personal data for other legitimate activities, if the processing is necessary and the balancing test is carried out. This appears to be an indication that controllers can consider other legitimate commercial activities as well. It seems likely that this has been added to try to avoid the uncertainty that exists in the EU, where there is still some uncertainty about whether purely commercial interests can be legitimate interests, and a case from the Netherlands has been referred to the Court of Justice of the EU (CJEU). Also see our previous article on EU caselaw and enforcement actions.
- Research. As with legitimate interest, the original Bill moved some elements from the GDPR recitals into the primary legislation, for greater clarity. The new Bill retains the non-exhaustive list of scientific research types, such as applied or fundamental research or innovative research into technological development but also adds firmer language confirming that research may constitute “scientific research” “whether carried out as a commercial or non-commercial activity”. There is now likely to be a significant debate about the breadth of the clarified definition and how companies can benefit (particularly in areas such as AI research and development) as well as any risks to individuals’ privacy that could flows from this.
- Records of processing activities. Under the new Bill, the record keeping requirement now only bites when the personal data processing is likely to result in a high risk to the rights and freedoms of individuals. This is most likely to be of benefit to UK SMEs who don’t have establishments in the EU.
- Automated decision-making. There is a further clarification added to the provisions in the original Bill (that replaced Article 22 and moved from prohibitions to conditions). The new Bill now clarifies: “When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling”. This appears to be an additional safeguard to ensure that human involvement is effective in practice and doesn’t continue to amplify existing risks with the data driven decision making.
The Secretary of State can also now add further scenarios where there is (or isn’t) meaningful human involvement. Our previous blog noted the number of areas where the Secretary of State will be able to amend or add to the UK GDPR via secondary legislation and this may add to the debate about the government’s “Henry VIII” powers (ie clauses in a bill that enable ministers to amend or repeal provisions in an Act of Parliament using secondary legislation, potentially shifting power to the executive), particularly on areas related to AI.
- Existing safeguards for international transfers. Though not a major concern (most practitioners had assumed it would be the case) but the new Bill now makes clear that that existing safeguards for international data transfers will still be lawful once the new Bill becomes law and takes effect. This will include standard clauses (ie the UK’s Addendum to the EU standard contractual clauses and the UK’s International Data Transfer Agreement).
Further implications for adequacy
In our previous blog, we considered the implications for adequacy and concluded that the original Bill did not create a strong risk to the UK’s adequacy status with respect to the EU. That said, we considered that there would be areas where the EU may look closely, such as the independence of the ICO and the changes on international transfers. The new Bill doesn’t change this analysis and DSIT officials speaking recently at the IAPP 2023 UK conference continued to maintain their position that adequacy could be maintained and that they had remained engaged with the European Commission, updating them about their work.
Next up: AI reform
The data protection community is also awaiting the announcement of the government’s long-trailed AI white paper, which should be published in the coming weeks. This will have some important intersections with the new Bill, not least whether the changes to the UK GDPR Article 22 provision on automated decision making (replacing a broad prohibition with the need to meet certain conditions including regarding human intervention) will create the right balance of protections for use of AI.