Data Protection – UK Government relaunches reform proposals

UK government relaunched its data protection reform proposals last week after a six month pause. In this article, Joanna Boag-Thomson and Alison White summarise key points and concerns with the proposals.

16 March 2023

The UK's current data protection regime – found in the UK GDPR and the Data Protection Act 2018 – reflects the provisions of the EU regime. However, the UK Government has long viewed the ability to make amendments to the current regime as a clear Brexit benefit. Rather than undertaking a wholescale reworking of the regime, the Government, mindful of the need to keep data flowing and ensure the UK regime is seen by the EU as "adequate", has targeted its reforms in areas where it perceives it can ensure business efficiencies and incentivise growth. 

In September 2021, the Department for Digital, Culture, Media and Sports (DCMS) announced plans to reform the UK's data protection laws. Following completion of a consultation process, in July 2022, a new bill was introduced to Parliament called the Data Protection and Digital Information Bill. This Bill was due for a second reading in Parliament in September, but following the changes of Prime Minister (and responsible Secretary of State) this was postponed. 

Technology and innovation is seen as a key focus for growing the UK economy and last month the Prime Minister announced that there would be a reshuffle of responsibilities amongst departments and the creation of new departments, including the Department for Science, Innovation and Technology (now known as DSIT). Into the department moved, amongst other things, responsibility for data protection however, the new Secretary of State for DSIT – Michelle Donelan – already had responsibility for this area as the Secretary of State in DCMS. 

Data reform remains on the agenda, and last week a new Data Protection and Digital Information (No. 2) Bill was laid before Parliament. It replaces the one published in July 2022. The changes between the two bills result from a number of further consultations that the Government has taken behind closed doors and reflection on previous concerns raised however, the new Bill is very similar to that put forward in July last year.  

The Government has listened to concerns around the need to comply with two different regimes (ie EU GDPR and UK GDPR) and they have been very keen to stress that compliance with EU GDPR will also mean compliance for UK GDPR purposes, i.e. there should be no additional compliance costs from these changes.  

The proposals in the Bill do not radically change the fundamental elements of the current UK regime however, some of the more notable aspects of the Bill are as follows: 

  • Clarification of the "legitimate interests" purpose – there will be a list of recognised legitimate interests where no further assessment needs to be made. Current suggestions for the list include national security, preventing crime, safeguarding and democratic engagement. There will be a procedure to add to the list where appropriate. 
  • The new Bill also makes provision for activities which may be regarded as within a data controller's legitimate interest such as direct marketing or intra-group transfers. The question of whether a commercial interest can ever be a legitimate interest is one that is currently being considered by the European Court of Justice under the EU GDPR. There still needs to be a balancing of the data controller's rights against the data subject's rights and interests, but in principle, a commercial interest can be a legitimate interest for these purposes.
  • Removal of the need for most organisations to keep Records of Processing. Only those organisations that carry out processing activities likely to result in "high risk to the rights and freedoms of data subjects" will need to keep such records. Similarly, the scope of when a Data Protection Impact Assessments (DPIA) is required and the information to be provided is restricted. 
  • Removal of the requirement to designate data protection officers, or DPOs. The role has been renamed Senior Responsible Individual, or SRI, and will be someone appointed from senior management of an organisation who is not required to function independently from the organisation's decision-making, as a DPO does. The need for organisations based outside of the UK but subject to the UK GDPR to appoint a UK representative will also be removed.
  • The ability to charge a reasonable fee for certain Data Subject Access Requests where the requests are vexatious or excessive, or else to refuse the request. These changes are intended to give greater scope for controllers in dealing with such requests.

The provisions around the use of personal data for research purposes have been clarified. The scope of what is covered by "scientific research" is "any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity". 

  • Again examples of what would fall within scientific research are provided - moving wording from the Recitals of the UK GDPR to the operative parts. A further clarification is that research into public health is only scientific research if it is in the public interest. 
  • The Bill also seeks to remove what the Government referred to as "unnecessary barriers to cross-border data flows", through promoting adequacy, or in UK terms "data bridges", where the standard of protection in the third country is not "materially lower" than under the UK GDPR, when "taken as a whole". Again the, detail is given of the types of provisions which the UK government can take into account in making this assessment.

Free flow of personal data between the UK and EU/EEA is crucial in terms of trade ,and in June 2021, the EU Commission ruled that the UK offers an "essentially equivalent" data protection to that of the EU, and therefore has "adequacy" status. The UK's adequacy status is up for full review by the EU in 2025, and despite the Government's assurances, there remain concerns that the UK's plans will allow data protection to diverge too greatly from the EU for the UK to be able to maintain adequacy. The Bill has just begun its parliamentary process, so we are unlikely to see any new provisions in force before the end of 2023, and there is a long way to go and much discussion yet to be had before a final version is in force. We will keep you updated as the Bill progresses.

If you have any questions regarding any of the above, please do not hesitate to contact Joanna Boag-Thomson, Partner, Media and Technology or Alison White, Consultant, Information Management