Briefing: Proposed changes to UK data protection and digital information laws

24 Aug 2022

One of the final acts of the Boris Johnson Government before the Parliamentary summer recess was to publish the Data Protection and Digital Information Bill. It remains to be seen whether further changes will be proposed by the next prime minister, but the Bill builds on a number of earlier consultations. If enacted, the Bill will make various changes to UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003, amongst other matters. This briefing by Mills & Reeve explains the issues.

Goodbye DPOs, DPIAs and ROPAs, hello SRIs, AHRPs and Appropriate Records?
If passed in its current form, the Bill would:

Replace the requirement to appoint a Data Protection Officer with a requirement to appoint a Senior Responsible Individual. Unlike a DPO, the SRI must be part of the organisation’s “senior management”. Broadly, the requirement to appoint an SRI would apply to controllers and processors that are public bodies or that carry out “processing of personal data which, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals”. The proposed duties of an SRI are similar to, but less prescriptive than, those of a DPO.
Replace the requirement to undertake Data Protection Impact Assessments with a similar but not identical “Assessment of High Risk Processing” (for example, the requirement to consult the DPO is removed, as is the potential requirement to consult data subjects).
Replace the requirement to keep “Records of Processing Activity” with similar but not identical “Appropriate Records”. For example, the Appropriate Records must include an assessment of whether the processing is necessary for the relevant purposes, but there is no longer an express requirement for the assessment to include “proportionality” of the processing.

Other significant changes to UK GDPR and ICO replaced by Information Commission
The Bill also contains measures that would:

Change the framework for cross-border transfers of personal data. Whilst there are some similarities with the current regime, there are also differences such as a new “data protection test” that forms part of the framework for making regulations to determine whether the Government will make regulations approving transfers of data to a third country. The test focuses on checking that the standard in the other country is not “materially lower” than the standard of protection under UK legislation. Data transfers pursuant to appropriate safeguards such as “standard contractual clauses” would also be subject to a data protection test and a more risk-focused approach.
Reformulate the framework for automated decision-making, for example with provisions focused on significant decisions made without “meaningful human involvement”.
More narrowly define when an individual is “identifiable” and broaden the definition of when personal data is pseudonymised.
Introduce a new lawful ground for processing in the shape of “recognised legitimate interests”. This applies in specified and limited scenarios, for example where processing is necessary for the purposes of detecting, investigating or preventing crime. The ground does not require the legitimate interests balancing test to be conducted, but “fairness” of processing would still need to be considered.
Make various changes relating to processing for the purposes of research, archiving in the public interest and for statistical purposes. The changes are intended to make some of the compliance requirements for such processing less onerous, for example by broadening the scope of consent for processing for the purposes of scientific research, subject to certain conditions.
Introduce provisions specifying that certain types of processing will be regarded as automatically compatible with the original purpose (provided other principles are met, including lawful processing). The Bill sets out the factors that must be considered when determining whether the new purpose is compatible with the original one. The Bill also lists the types of processing that are potentially compatible, including for example the detection, investigation and prevention of crime.
Remove the requirement for controllers and processors not established in the UK to appoint UK representatives.
Replace the office of the Information Commissioner with a new corporate body, the Information Commission, which will take over the Commissioner’s powers and duties. Wider enforcement powers are introduced, such as the requirement on individuals to answer questions at interview, subject to certain safeguards.

The Bill also makes changes to a range of other areas, such as in relation to information sharing for law enforcement purposes, the transition to an electronic only register of births and deaths and the abolition of the Surveillance Camera Commissioner.

The Bill also gives the Secretary of State power to amend or repeal provisions in primary legislation (including UK GDPR) under regulations that are consequential on provisions in the Bill (a so-called Henry VIII clause).

Data subject rights requests and obligatory complaints procedures
Changes that the Bill contains in this area include:

Replacing the “manifestly unfounded” test for refusing a data subject’s rights request with a “vexatious or excessive” test. The Bill gives examples of when this might apply, including requests that are “intended to cause distress”, “are not made in good faith” or “are an abuse of process”.
Where a controller “reasonably requires” further information in order to identify information or processing activities to which a request under Article 15 relates, the time period starting with the day of the request until the information is received does not count towards the “applicable time period” for the response.
Obliging controllers to implement and comply with complaints handling procedures, whilst enabling the Information Commissioner to refuse to handle a complaint if the complainant has not used the controller’s complaints procedure.

Changes to the Privacy and Electronic Communications Regulations 2003
The Bill would:

Broaden the circumstances in which cookies or similar technologies can be placed on a user’s device without their consent, for specified purposes which the Government considers are low risk to people’s privacy (installing software updates that are necessary for security of the device, for example).
Extend the “soft-opt in” to direct marketing emails sent for solely charitable, political or other “non-commercial” objectives, subject to certain conditions.
Update the enforcement regime under PECR so that it mirrors UK GDPR, for example by permitting fines of up to £17.5m/4% of global turnover in some circumstances.
A duty on communications providers who have reasonable grounds for suspecting a breach of PECR might be occurring to report suspicious activity to the Commissioner (£1k fixed penalty for failure to comply).
Enable the Government to pass regulations to prevent devices, software etc from being supplied if they do not meet certain requirements; the Government’s intention is that this will in future enable them to ensure that user cookie consent preferences are effectively recognised.

Smart data, data sharing, trust services and information standards
The Bill includes measures to:

Establish a UK legislative framework for providers of digital verification services, (services intended to enable people to prove who they are or something about themselves in a secure way).
Provide a broader framework to require sharing of customer and business data, with the intention of promoting the provision of innovative services to customers and businesses, such as by enabling authorised data intermediaries to assist with automatic account switching and account management.
Supplement the framework that supports electronic “trust services” to support electronic transactions (for example, electronic signatures and seals, electronic delivery services and website authentication). For example, by permitting the recognition of products from providers established outside the UK, and the recognition of overseas standards.
Widen the provisions of the Digital Economy Act 2017 to enable sharing of information by specified public authorities to improve the delivery of public services to businesses and charities.
Clarify that information standards for health and adult social care in England (under the Health and Social Care Act 2012) includes standards relating to certain information technology and IT services, as well as to make further provision in relation to such standards. The Bill also clarifies which public bodies information standards may apply to. The Secretary of State is also given compliance powers in relation to relevant IT providers, as well as for accreditation of IT and IT services.

Concluding thoughts
The detail of the Bill is complex and requires further analysis. There are also various provisions in the Bill enabling further regulations to be made and/or guidance to be issued, which will need to be considered in due course.

If the Bill is enacted in this format, organisations that are subject to more than one data protection regime will need to consider how compliance will be managed (for example if there is an obligation to appoint both an SRI under UK GDPR and a DPO under EU GDPR).
The 2021 EU Commission adequacy decisions in respect of the UK have a maximum duration of four years, with the Commission expected to start considering the renewal process in 2024. As regards data transfers from the EEA to the UK, the Commission will need to consider whether any changes to the UK data protection regime impact on its adequacy assessment, leaving aside the possibility of an individual or regulator bringing a challenge before the Court of Justice of the European Union.

It will be interesting to see whether the measures in the Bill evolve further once the new prime minister’s administration is in place.