On 18 July 2022, the UK government introduced the new Data Protection and Digital Information Bill (Bill).
What is the Bill?
The new Data Protection and Digital Information Bill contains the government’s proposals to reform the UK’s data protection regime. The Bill quickly follows the government’s publication in June of its response to its consultation on the Data Reform Bill carried out in Autumn 2021. The publication of the Bill in the final week before parliament’s summer recess reflects the political importance of data reform to this government.
While the proposals in the Bill are not a radical divergence from the existing UK and EU data protection frameworks, they demonstrate the UK Government’s ambition to ease data compliance burdens on businesses and improve data sharing practices.
The Bill clarifies that the UK government will not be proceeding with all reforms proposed in the consultation. Of the proposed reforms being taken forward, the six notable changes include:
- Definitions: the definition of “personal data” has been refined to reflect a more subjective approach to the question of whether data should be classed as personal data or anonymous, depending on whether the information is identifiable by the controller or processor by reasonable means at the time of processing. This potentially narrows the information to which data protection law applies.
- Accountability: a more flexible approach to accountability and governance has been proposed to allow businesses to demonstrate compliance with UK data protection laws while removing some of the existing burdensome obligations. For example, it is proposed that the current obligations for organisations to have an independent data protection officer, conduct data protection impact assessments and maintain records of processing activities will be replaced with complementary measures under organisations’ own, tailored privacy management programmes.
- Data Subject Access Requests (DSARs): a reform likely to be welcomed by many businesses is the ability for businesses to refuse to comply with DSARs that are deemed ‘vexatious or excessive’. This replaces the current exception for ‘manifestly unfounded or excessive’ DSARs.
- E-Privacy Consents: the Bill indicates that the UK Government is looking to move to an opt-out model in relation to cookie consent. The changes include allowing businesses to place ‘non-intrusive’ cookies on a user’s device without consent in certain circumstances, such as using web analytics. Importantly, however, it has been proposed that fines for e-Privacy breaches will be increased significantly to align with the fining powers available under the UK GDPR.
- International Data Transfers: there is a focus on the importance of removing unnecessary barriers to data flows, which takes the form of the UK Government following a risk-based approach to future adequacy decisions. The current GDPR adequacy assessment criteria are replaced by a ‘data protection test’, which requires a standard of ‘not materially lower than’ the standard of protection afforded to a data subject in the UK.
- Legitimate Interests: in response to the challenges faced by businesses when conducting legitimate interest assessments (LIAs), the Bill will introduce an exhaustive list of data processing activities for which businesses can rely on legitimate interests as their legal basis without having to conduct an LIA. The current list mainly focuses on processing activities in the public interest, such as preventing crime and emergencies. For processing activities not listed, businesses will still need to do an LIA.
The Bill’s impact assessment confirms the government’s view that reform of UK legislation on personal data is “compatible with the EU maintaining free flow of personal data from Europe”; however, the final text will determine whether the UK’s adequacy status will be affected.
A loss of adequacy for the UK would create a significant administrative burden for organisations. The Bill’s impact assessment estimates the annual benefit to trade brought about by these amendments would be between £80 million and £160m, and the estimated impact of adequacy with the EU being discontinued "on top of these measures" is between £190m and £460m in one-off costs for the implementation of standard contractual clauses, with an annual cost of between £210m and £410m in lost export revenue.
We will continue to provide updates on the progress of the Bill as it makes its way through parliament in September 2022.
Please do not hesitate to contact Joeseph Fitzgibbon, Associate in our data protection team, if you require any advice or guidance on this matter.