On 8 March 2023 the UK government introduced a new Data Protection and Digital Information Bill. This follows a first version of the Bill, introduced last summer and then withdrawn for further consultation; the slightly revised Bill has now been re-introduced.
The Bill aims to tread a careful line between the UK having its own data laws post-Brexit and not going so far as to provoke the EU into withdrawing the UK's adequacy status when it comes up for review in June 2025.
The objectives of the Bill:
- To be more business-friendly and less difficult and costly to implement than the GDPR
- To reduce the paperwork involved with compliance
- To clarify aspects of the current law
Despite the UK's wish to have its own data laws, the Bill does not depart in material respects from the GDPR. In fact, some critics have said that its focus on merely clarifying rules, rather than making substantive changes, leaves the Bill largely redundant. Others have said that it makes some real practical improvements to the GDPR, which the EU or others may in time want to follow.
Some of the main changes are as follows:
Subject access requests
The Bill amends the exemption so that you can refuse to respond to a DSAR, or charge a fee, if the DSAR is ‘vexatious or excessive’. This is a lower bar than the existing exemption for requests that are ‘manifestly unfounded or excessive’, so more DSARs will be capable of being refused.
A request may be vexatious if it is not made in good faith or is an abuse of process. For example, a DSAR that is motivated not by privacy concerns but by a desire for pre-litigation disclosure (as is often the case in HR-related claims), or that has a “mixed motive”, may be more open to challenge and refusal than it is at present under the GDPR.
Legitimate interests
The Bill creates a new lawful ground for processing personal data where the processing is necessary for a “recognised legitimate interest”, i.e. one that meets a condition in a new Annex 1 to the UK GDPR. The listed conditions include preventing crime, responding to civil emergencies and safeguarding vulnerable individuals. Unlike the ordinary legitimate interests ground, a recognised legitimate interest does not require the controller to carry out a balancing test against the interests of the data subject.
While these may not be useful for day-to-day business, the Bill also sets out examples of activities that will fall within the ordinary “legitimate interests” condition, including direct marketing, intra-group transfers of personal data for administrative purposes and ensuring network and information security. This is helpful clarification, although the same examples already appear in the recitals to the GDPR, so they are likely to be legitimate interests in any event.
Security measures
The Bill modifies the terminology of the GDPR by replacing the requirement to implement “appropriate technical and organisational measures” (TOMs) with a requirement for “appropriate measures, including technical and organisational measures”. The wording is potentially broader than the GDPR, but the underlying obligation to secure personal data in a way that is appropriate to the risk is unchanged.
Removal of the requirement to appoint a representative
Controllers and processors who are outside the UK but must comply with the UK GDPR because of its extra-territoriality provisions will no longer be required to appoint a UK-based representative (currently required by Article 27 UK GDPR).
Senior responsible individual
The Bill removes the requirement to appoint a Data Protection Officer (DPO) and instead requires controllers and processors that are public bodies, or that carry out high-risk processing, to designate a “senior responsible individual” who is part of the organisation's “senior management”.
Records of processing
To reduce red tape, the Bill exempts controllers and processors from the duty to keep records of processing unless they carry out “high risk” processing activities. The ICO is to publish guidance with examples of the types of processing it considers likely to result in a high risk.
Automated decision-making and AI
In respect of the rules on automated decision-making (which can be important for AI technologies), the Bill clarifies that a decision based solely on automated processing is one in which there has been no “meaningful human involvement”. When considering whether there has been meaningful human involvement, you must consider, among other things, the extent to which the decision is reached by means of profiling. Further regulations are expected to define when there has been meaningful human involvement in a decision.
PECR – Privacy and Electronic Communications Regulations 2003
There are also some updates to the rules on cookies. To reduce the number of cookie consents required, cookies set for statistical purposes, for the functionality of the site or service, or to update software will no longer require consent.
Meanwhile, the maximum fine for nuisance calls and texts is increased from the current £0.5 million to the GDPR level, i.e. up to the greater of 4% of global annual turnover and £17.5 million.
It seems likely that the new Bill will come into force during the course of this year.
Broadly speaking, most UK businesses will be able simply to continue at their current level of compliance without significant change, but for some there will be opportunities to take advantage of the somewhat more business-friendly amended rules.
However, one complication is that many businesses are also subject to the EU GDPR as a result of its extra-territoriality provisions. They will need to be able to demonstrate compliance with both (slightly diverging) regimes.