The United Kingdom government has now introduced its legislative proposal to make changes to the UK privacy/data protection regime (which essentially consists of UK GDPR, the Data Protection Act 2018 and PECR [the E-Privacy rules]), entitled the “Data Protection and Digital Information Bill” (“the Bill”). This article provides a snapshot of what we think organisations need to be aware of concerning some of the more significant data protection aspects of the Bill that might affect them.
What’s this all about?
In May this year the UK government announced, as part of its forthcoming legislative proposals, that the UK’s data protection regime would be reformed through a Data Reform Bill. According to the UK government, some elements of the current data protection regime “create barriers, uncertainty and unnecessary burdens for businesses and consumers”. So, along with other reasons, changes are in order.
What are the proposed changes?
Highlights of the UK government’s response to the consultation and its proposed changes to the UK data protection regime include the following:
- Personal Data – the definition of personal data will be changed under the Bill with a new part that would limit the scope of personal data to: (i) where a living individual is identifiable by a data controller or data processor by “reasonable means” at the time of the processing in question; or (ii) where the data controller or data processor knows or ought “reasonably” to know that another person will, or is likely to, obtain the information as a result of the processing in question, and the individual will be, or is likely to be, identifiable by that person by “reasonable means” at the time of the processing. An individual will be identifiable by a person “by reasonable means” if the individual is identifiable by the person by any means that the person is reasonably likely to use. Whether a person is reasonably likely to use a means of identifying an individual is to be determined taking into account, among other things: (a) the time, effort and costs involved in identifying the individual by that means; and (b) the technology and other resources available to the person;
- Purpose Limitation – the Bill sets out the conditions for determining whether the reuse of personal data (otherwise known as “further processing”) is permitted in compliance with the so-called “purpose limitation” principle outlined in Article 5(1)(b) of UK GDPR. In making the determination, a person must take into account, among other things: (a) any link between the original purpose and the new purpose; (b) the context in which the personal data was collected, including the relationship between the data subject and the controller; (c) the nature of the personal data, including whether it is a special category of personal data or personal data related to criminal convictions and offences; (d) the possible consequences of the intended processing for data subjects; and (e) the existence of appropriate safeguards (for example, encryption or pseudonymisation). The changes also list the circumstances in which a purpose is to be treated as compatible with the controller’s original purpose. If one of these circumstances applies, the controller does not need to evaluate compatibility under the conditions set out above;
- Legitimate Interests – this is one of the lawful bases under UK GDPR for processing personal data, which in effect consists of a three-part test whereby data controllers must: identify a legitimate interest; demonstrate that the processing is necessary for the intended purpose and cannot be achieved through less intrusive means; and weigh up whether their interests in processing personal data outweigh the rights of data subjects (sometimes called the “balancing test”). The Bill inserts a new Annex 1 into UK GDPR setting out the conditions for constituting a recognised legitimate interest for the purposes of a new sub-article to be added under Article 6(1) of UK GDPR, under which organisations will be able to process personal data without applying the balancing test, for example where it is necessary for the purposes of detecting, investigating or preventing crime or apprehending or prosecuting offenders. The list of recognised legitimate interests only deals with purposes relating to the public interest or the exercise of official authority, i.e. not general business purposes;
- Automated Decision-Making – UK GDPR sets out the conditions under which so-called solely automated decisions, including profiling, that produce legal or similarly significant effects on individuals may be carried out. The Bill makes a number of changes that redefine and recast a number of aspects of automated decision-making, including introducing a definition of a decision based on solely automated processing as one that involves no “meaningful human involvement”, and introducing the concept of a “significant decision” (one that produces a legal effect for an individual, or has a similarly significant effect for an individual);
- Data Protection Officers (“DPOs”) – the requirement to designate a DPO will be replaced with a requirement to appoint a suitable “senior responsible individual” to be responsible for data protection risks within their organisations or delegate that task to suitably skilled individuals. Data controllers or processors who carry out processing of personal data which, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals, will have to appoint a senior responsible individual. The senior responsible individual will have to be part of the organisation’s senior management. The tasks of the senior responsible individual are: (a) monitoring compliance by the controller with data protection legislation; (b) ensuring that the controller develops, implements, reviews and updates measures to ensure its compliance with data protection legislation; (c) informing and advising the controller, any processor engaged by the controller and employees of the controller who carry out processing of personal data of their obligations under data protection legislation; (d) organising training for employees of the controller who carry out processing of personal data; (e) dealing with complaints made to the controller in connection with the processing of personal data; (f) dealing with personal data breaches; (g) co-operating with the UK regulator on behalf of the controller; (h) acting as the contact point for the UK regulator on issues relating to processing of personal data;
- Data Protection Representatives (“DPRs”) – there will no longer be a requirement to appoint a UK-based DPR;
- Data Protection Impact Assessment (“DPIAs”) – DPIAs will be replaced with “Assessments of high risk processing”. The data controller’s assessment of high risk processing will need to include a summary of the purposes of the processing, an assessment of whether the processing is necessary and the risks it poses to individuals, and, a description of how the controller intends to mitigate any risks;
- Record of Processing Activities – the current record-keeping requirements will be replaced with a requirement to maintain an “appropriate” record of personal data. Whether a record is “appropriate” depends on factors such as the nature, scope and context of the processing, the risks the processing poses to individuals, and the resources available to the data controller or data processor. Where possible, the record must include information as to how the data controller or data processor will ensure that the data is secure. A controller or processor that employs fewer than 250 individuals is exempt from the duty to keep records, unless it is carrying out high risk processing activities;
- Subject Access Requests (“SARs”) – the current threshold for refusing or charging a reasonable fee for a SAR will be changed from “manifestly unfounded or excessive” to “vexatious or excessive”. Under the changes to be made to UK GDPR, in any proceedings where there is an issue as to whether a request is vexatious or excessive, it will be for the data controller to show that it is. Whether a request is vexatious or excessive will have to be determined having regard to the circumstances of the request, including: (a) the nature of the request; (b) the relationship between the data subject and the controller; (c) the resources available to the controller; (d) the extent to which the request repeats a previous request made by the data subject to the controller; (e) how long ago any previous request was made; and (f) whether the request overlaps with other requests made by the data subject to the controller. Examples of requests that may be vexatious include requests that: (a) are intended to cause distress; (b) are not made in good faith; or (c) are an abuse of process. A provision has also been included that allows the time for responding to a request to be paused in order to seek clarification on the information requested by an individual, if the data controller cannot “reasonably” proceed with responding to the request without this information – once the clarification is received, the response time will resume. The changes provide an example of a case in which a controller may “reasonably” require further information, namely where the controller processes a large amount of information concerning the data subject. There is no re-introduction of a nominal fee for processing SARs;
- Data Security – the data security requirement to implement “appropriate technical and organisational measures” will be changed to “appropriate measures, including technical and organisational measures” in order to give data controllers more flexibility in terms of the measures they put in place to demonstrate and manage risk;
- Cookies – generally speaking, the current rule is that consent must be provided by a user for a cookie to be used (and the user has to be provided with clear and comprehensive information about the purposes of the processing), subject to certain exceptions such as where a cookie is “strictly necessary” for the provision of a service. The Bill introduces new exceptions to the consent requirement for certain purposes that are considered to present a low risk to people’s privacy, for example where technologies like cookies are used to collect information for statistical purposes aimed at improving the service provided. A user will however still have to be provided with an opportunity to object or opt out;
- Direct Marketing – currently, under PECR (E-Privacy rules), businesses can contact individuals with whom they have previously been in touch during a sale or transaction with further marketing material about similar or related products, provided that the individuals were given the opportunity to opt-out of such contact at the time they provided their details. This is known as the so-called “soft opt-in”, as it doesn’t require the customer’s explicit consent. The soft opt-in will now be extended to non-commercial organisations;
- International Data Transfers – the Bill provides for a risk-based approach for organisations to assess the impact of making international data transfers when using mechanisms like Standard Contractual Clauses, and also for the UK government when making so-called “Adequacy Decision” assessments. Provision has also been made for a new government power to formally recognise new alternative transfer mechanisms, allowing for the creation of new UK mechanisms for transferring data overseas or the recognition in UK law of other international data transfer mechanisms;
- Complaints – data controllers will be required to facilitate the making of complaints by taking appropriate steps, which could take the form of a complaint form to be completed electronically, or other appropriate means. Data controllers will be required to acknowledge receipt of a complaint within a period of 30 days, beginning on the day the complaint is received. Data controllers will be required to, without undue delay, take appropriate steps to respond to a complaint from a data subject, and to inform the complainant of the outcome of the complaint. Taking appropriate steps to respond to a complaint includes making enquiries about the subject matter of the complaint to the extent appropriate, and informing the complainant about the progress of the complaint. The UK regulator will have a new power to refuse to act on certain data protection complaints, and will have to issue guidance about responding to and refusing to act on complaints. The Bill provides for the possibility of a new reporting provision to require controllers to notify the UK regulator of the number of complaints made to them in certain circumstances. The UK regulator will also have the power to compel witnesses to attend an interview and to compel the witness to answer questions;
- The Information Commissioner’s Office – there will be a new statutory framework for the UK regulator’s objectives and duties. The UK regulator will have a statutory board with a chair and chief executive. A new body corporate will be established, the “Information Commission”, to replace the ICO – the name of the Information Commissioner stays the same. The nature of the UK regulator’s role and responsibilities will however remain fundamentally unchanged; and,
- Breach Reporting Requirements – no changes have been made. Therefore, the obligation to notify, and deal with, data breaches remains the same.
The Bill was introduced to the House of Commons and given its First Reading on Monday 18 July – this stage is formal and takes place without any debate. Parliament will next consider the Bill at the Second Reading stage – the date for second reading has not yet been announced. There are not any expected dates for the Bill’s completion through the UK Parliamentary legislative pipeline at this stage.
What are the takeaways?
Organisations should keep track of the Bill’s progress in order to be able to plan ahead for any changes that they may eventually need to make to their UK data protection compliance. Assuming that the changes will eventually be made (as possibly amended during the course of the Bill’s passage through the UK Parliament), it will be important to cross-check the changes made to UK GDPR and to the UK Data Protection Act 2018.
We report about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The “Data Protection and Digital Information Bill” and the official Explanatory Notes to it can be found here https://bills.parliament.uk/bills/3322/publications.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785