UK Government proposes key changes to the UK GDPR
Other Author George Frake, Trainee Solicitor
The UK Government has relaunched its efforts to reform the UK's data protection regime, with the Data Protection and Digital Information Bill (No. 2) (the "Bill") being introduced to Parliament on Wednesday 8 March. The Bill supersedes a previous version that was originally published in July 2022 (see our previous legal update).
The Bill provides organisations with greater flexibility over the use of personal data, while reducing the burden of complying with UK data protection laws. The Bill does not comprise an extensive overhaul of the UK's data protection laws, but rather a set of clarifications and adjustments to provide organisations with greater flexibility over the use of personal data, while reducing the burden of complying with UK data protection laws. Businesses that already comply with the UK's existing data protection laws will not be required to take additional steps to comply with the Bill. However, some businesses might decide to take advantage of the changes proposed in the Bill to streamline their data protection compliance in the UK.
For businesses that operate throughout the EU, some benefits of the reforms aimed at reducing the administrative burden of UK data protection compliance will be more limited due to their presence within the EU. Those business will still need to, for example, nominate a data protection officer and be unable to benefit from the relaxation of certain recordkeeping rules set out below.
The Bill's key areas of consideration are very similar to those identified in the previous version:
1. Reducing barriers to responsible innovation
The Bill introduces statutory definitions for the processing of personal data for "scientific research", "historical research" and/or "statistical surveys". These definitions, along with amendments to the definition of "consent" under Article 4 of the UK GDPR, act to reduce the legal requirements for the use of personal data in respect of various forms of research.
Further, where the purpose for processing the data of a data subject is one of the "recognised legitimate interest", such as processing being necessary for the detection, investigation or prevention of crime, an organisation will not need to balance that recognised legitimate interest with the rights and interests of the data subject. The Bill also provides the Secretary of State with the power to create, vary and/or omit further recognised legitimate interests in the future.
The Bill also sets out a non-exhaustive list of examples of other legitimate interests, including direct marketing, intra-group transmission of personal data and/or ensuring the security of network and information systems. However, organisations will still be required to carry out a legitimate interest assessment for such processing.
2. Mitigating burdens on businesses and improving outcomes for people
Organisations will only be required to maintain records of processing where they carry out processing activities that are likely to result in a "high risk to the rights and freedoms of individuals". Such risk(s) shall be determined with reference to the "nature, scope, context and purposes of the processing", with some high risk examples being organisations that process special category data on a large scale (e.g. medical insurance companies), or use innovative technologies to process large volumes of personal data (e.g. public facial recognition cameras).
The role of data protection officer has been replaced with a senior responsible individual (the "SRI"). Organisations will only be required to appoint an SRI where the controller/processor is a public body (except for courts or tribunals acting in their judicial capacity), or where the controller/processor carries out processing that likely represents a high risk to individuals. The SRI will be responsible for data protection risks within their organisation, unless they delegate that task to suitably-skilled individuals. The SRI must be part of an organisation's senior management, but can continue their other roles within the organisation alongside their duties as the SRI.
Data controllers and processors not established in the UK will also no longer be required to appoint a representative under Article 27 of the UK GDPR.
3. Reducing barriers to data flows
The Bill establishes a new test for making adequacy regulations (also known as "data bridges") by the Secretary of State. The Secretary of State will be required to take a holistic approach to the test with a more outcomes-based focus and consider if the standards of protection provided for data subjects by that third country/organisation are not "materially lower" than the UK standard. In practice, this means that the Secretary of State will be empowered to recognise more countries as providing an adequate level of data protection.
The proposals align with the UK Government's strategy to expand the coverage of its data bridges (e.g. to the USA, Australia, DIFC and Singapore), which will allow organisations to perform international data transfers more efficiently and to a greater number of jurisdictions.
4. Reform of the Information Commissioner's Office ("ICO")
In an effort to modernise the ICO, a new Information Commission (the "Commission") will be established. The Commission will replace the ICO, and the Bill transfers the ICO's existing roles and responsibilities over to the Commission.
5. Fines for direct marketing increased and changes to cookie rules
The Bill will increase the limit of fines for breaches of direct marketing rules (such as through nuisance calls and texts) under the Privacy and Electronic Communications Regulations ("PECR"). The fine limit will be raised from £500,000 to £17,500,000 or, in the case of an undertaking, 4% of the undertaking's total annual worldwide turnover – whichever is higher.
Finally, the Bill further amends the PECR by broadening the list of exemptions to when consent is required for placing cookies on a user's terminal equipment. Such exemptions include, for example:
- collecting statistical information about an information society service in order to make improvements;
- enabling the appearance or function of a website to reflect the user's preference(s);
- installing software updates that are necessary to ensure the security of the terminal equipment; and
- ascertaining the location of an individual in an emergency.
Barring the exemption for identifying an individual's geolocation in an emergency, users must be provided with clear, comprehensive information on the storage of (and access to) information stored in their terminal equipment, along with an option to opt-out.