Take two: What's new in the Latest UK Data Protection and Digital Information Bill?
After a rather stop start journey, a new Data Protection and Digital Information (No. 2) Bill (the "Bill") was introduced to Parliament on 8 March 2023 by the Department for Science, Innovation and Technology ("DSIT"). If enacted, the Bill will make changes to the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations. The previous Data Protection and Digital Information Bill (the "Previous Bill") has been withdrawn.
The reforms in the Bill are intended to make data protection legislation simpler for businesses to understand and implement. In line with the UK Government's key priority to drive innovation and build success in the life sciences industry, the reforms are also intended to address concerns raised during the consultation process that UK scientists are stifled by "overcautious, unclear EU-derived rules" that are impeding their ability to "get-on with life-enhancing and life-saving research". The Government reports that British businesses generally are set to save £4.7 billion from the proposed reforms.
Although the Government states that the Bill is "a new system of data protection", it still retains the fundamental obligations, structure and principles of the UK GDPR and will even still retain the "UK GDPR" name. Businesses that are already compliant with the UK GDPR will not be required to make any changes as a result of the Bill. Instead, it makes certain clarifications and specific carve outs to the existing regime and attempts to tackle some of the issues that can arise, based on five years of experience of the GDPR in practice.
The Bill makes targeted changes to the Previous Bill (summarised here) that aid clarification and provide a degree more flexibility. We have summarised the key changes compared to the last version of the Bill below.
Some of the key changes, which are advantageous for the life sciences industry, that were proposed under the Previous Bill have also been retained under the Bill:
- Consent – the concept of consent has been broadened by the Bill so that it can include scientific research purposes that were not fully identified when seeking the original consent from the data subject. This will help researchers and clinical trial sponsors when drafting informed consent forms and also allow for a broader use of data where consent has been used as the legal ground for processing.
- Purpose limitation principle – personal data may be re-used for another purpose that is "compatible with the purposes for which the personal data are initially collected". The Bill sets out some specific examples of when a new purpose will be compatible with the original purpose, including for the purposes of scientific research. This will be invaluable in allowing for secondary use of data thus expanding the opportunities for innovative research in the UK.
- Privacy notice exemption – the Bill makes it less onerous to comply with transparency obligations where processing personal data for scientific research. This means that privacy notices do not need to be provided, even when data is obtained directly from data subjects, where it is impossible or requires disproportionate effort. There are a certain number of situations where it is particularly difficult to provide data subjects with privacy notices, including where the controller never receives the applicable personal data, and this will ease that burden, in particular for clinical trial sponsors.
- Anonymisation – the Bill clarifies that when an individual is not identifiable in the hands of the controller, processor or others who are reasonably likely to receive the information, it is not considered personal data. This is a clearer position than under the UK GDPR, and will assist companies in properly anonymising data so that it is no longer subject to data protection restrictions.
- AI and automated decision making – the Bill loosens the restriction on automated decision making so that it is now a restriction subject to specific safeguards, rather than a general prohibition unless exemptions apply as was previously the case under the UK GDPR. The Bill now only restricts automated decision-making where it involves the processing of special category data.
What we knew and what's changed
Issue | Position under Previous Bill | What's changed under the Bill? |
Scientific research | A new definition of "scientific research" was introduced under the Previous Bill, which would include anything that "could reasonably be described as scientific".
| The Bill now goes one step further, proposing that "scientific research" covers "processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity" (emphasis added). The explicit acknowledgment that scientific research can be for commercial purposes (and not just non-commercial research such as that carried out by universities) will be welcomed by research businesses in the life sciences sector. While there are benefits to the loosening of barriers around sharing scientific research data, the new definition for scientific research is still open-ended. There are still questions as to see how this broader definition will apply to privately-funded technological development in practice. The Bill additionally clarifies that research into public health only constitutes "scientific research" if it is in the public interest. This largely reflects existing ICO guidance on this topic, so is not surprising. |
Legitimate interests | The Previous Bill proposed that businesses could rely on legitimate interests without the requirement to conduct a balancing test against the rights and freedoms of data subjects where those legitimate interests are "recognised". These "recognised" legitimate interests cover purposes for processing such as national security, public security, defence, emergencies, preventing crime, safeguarding and democratic engagement. | The Bill maintains the general position proposed under the Previous Bill, but also includes examples of when legitimate interests could be suitable. These examples are not part of the "recognised" list of legitimate interests and a balancing test will still be required but they are intended to guide businesses to understand when legitimate interests might be appropriate. These examples track the recitals of the UK GDPR and include:
|
Record keeping | The Previous Bill maintained the existing position that records of processing are required, except for small organisations that do not carry out high risk processing. The Previous Bill did streamline the contents of such records. | Under the Bill, any controller or processor would be exempt from the duty to keep records of processing unless they are carrying out high risk processing activities. This reflects the reality of how organisations run their privacy programs, by focusing their resources on the highest risk activities. |
Direct marketing | The Previous Bill provided for non-commercial organisations to rely on soft opt-in for direct marketing purposes, if they have obtained contact details from an individual expressing interest. | The Bill introduces new obligations on providers of electronic communications networks. Specifically, these providers would be required to notify the ICO of "any reasonable grounds" they have for suspecting that a person is contravening or has contravened the direct marketing rules. Any failure to do so could result in penalties for non-compliance. What constitutes "reasonable grounds" for suspicion will be detailed in ICO guidance, but for the time being the explanatory notes that accompany the Bill confirm that providers will not be expected to intercept or examine the content of communications in order to comply. Whilst this provision itself will only apply to electronic communication service providers, it is likely to increase the ICO's awareness of non-compliant direct marketing communications, which in turn could result in more enforcement action being taken in relation to direct marketing breaches. |
Automated decision making and AI | The Previous Bill clarified that its proposed restrictions on automated decision-making under Article 22 UK GDPR should only apply to decisions that are a result of automated processing without "meaningful human involvement". | In a new provision, the Bill states that profiling will be a relevant factor in the assessment as to whether there has been meaningful human involvement in a decision. It is unclear whether the intention is that the presence of profiling could indicate that there has been minimal (as opposed to meaningful) human involvement. Alternatively, it seems this provision may be intended to clarify when profiling should itself be considered an automated decision that is subject to the Article 22 restrictions. |
Record keeping | The Previous Bill maintained the existing position that records of processing are required, except for small organisations that do not carry out high risk processing. The Previous Bill did streamline the contents of such records. | Under the Bill, any controller or processor would be exempt from the duty to keep records of processing unless they are carrying out high risk processing activities. This reflects the reality of how organisations run their privacy programs, by focusing their resources on the highest risk activities. |
International transfers | The Previous Bill introduced a new approach to the test for adequacy and when carrying out a transfer impact assessment. The threshold for this new "data protection test" was whether a jurisdiction offered protection that was "materially lower" than under the UK GDPR. The Previous Bill did not affect the UK's transfer safeguards, namely the International Data Transfer Agreement and the UK Addendum.
| The Bill does not propose significant changes to the international transfers regime. In fact, the Bill makes clear that alternative transfer mechanisms lawfully entered into before this Bill would take effect will continue to be valid. The "data protection test" to apply is the same as in the Previous Bill. With many companies having already gone through the process of updating their contractual provisions around international transfers, this consistency should provide reassurance that further remediation requirements are unlikely. |
Cookies and PECR | The Previous Bill proposed an increase in potential fines for breaches of PECR to the same amounts as the UK GDPR. It also proposed that consent would not be required for online trackers placed: (i) for the purposes of collecting statistical information in order to bring improvements; (ii) for the installation of necessary security updates to a device; and (iii) to locate an individual in an emergency. | The Bill does not include any changes to the Previous Bill's proposals on cookies. However, DSIT have committed to continue to engage with businesses over these provisions. We will have to wait and see what this looks like as the Bill progresses through Parliament. |
ICO reforms | The Previous Bill proposed a restructuring the regulator, to move away from a single Information Commissioner and instead the establish an independent board and chief executive. The Previous Bill also saw new statutory frameworks for the ICO's objectives as well as the appointment of experts when publishing guidance. | There are no operative changes under the Bill as far as the ICO reforms are concerned, but the proposals still leave questions about whether the appointment process will be sufficiently independent from the government, which could threaten the UK's adequacy status as far as the EU is concerned. |
When announcing the Bill, Michelle Donelan, Secretary of State for DSIT stated: "I can promise you here today, Conference, that [data protection legislation] will be simpler and clearer for businesses to navigate". The intention is obviously to reduce the administrative burden and arguably the Bill would achieve this. However, this doesn't take away the requirement for organisations to be able to understand how they process personal data and safeguard their internal and external personal data flows.
The main question is still whether the divergence from EU law will have an impact on the UK's adequacy status. The word from DSIT is that it will in fact do the opposite and will instead instil wider international confidence in how the UK handles personal data, but only time will tell as more opinions on the Bill emerge.