On 8 March 2023, the UK government introduced the Data Protection and Digital Information (No 2) Bill. The Bill (which passed its second reading in the House of Commons on 17 April) is an amended version of the bill that was originally introduced in July 2022. Hailed by the Government as ‘modern laws for a data-driven era’ and ‘common sense-led’, the Bill aims to alleviate the burden for UK businesses (especially SMEs) of complying with the UK GDPR and UK Data Protection Act (2018), while maintaining high data protection standards.
International data transfers
Approval of transfers to third countries by the Secretary of State
The Bill introduces a new Article 45A to replace Article 45 of the UK GDPR and allows the Secretary of State to issue regulations under new Article 45B to recognise a third country as having the level of protection ‘not materially lower’ than that in the UK. The test for measuring a third country’s level of data protection under Article 45B is largely similar to the original Article 45(2). However, it omits the following criteria:
a) the assessment of national security law and the access of public authorities to personal data; and
b) the independence of the supervisory authority in a third country and the adequacy of their enforcement powers.
The Secretary of State is also empowered to issue urgent regulations if it considers it ‘desirable’ for such regulations to come into force without delay.
The Bill adds a new section to Article 49 on derogations, allowing the Government to issue regulations approving specific transfers to a third country that are necessary for ‘important reasons of public interest’. No examples are given but this may potentially allow for data transfers to public bodies of third countries.
Transferring personal data to third countries that apply lower levels of data protection could be construed as the UK no longer providing an adequate level of protection to EU personal data transferred to the UK. The UK’s adequacy decision from the EU specifically states that ‘the Secretary of State must take into account the exact same elements that the Commission is required to assess under Articles 45(2)(a) – (c) of Regulation (EU) 2016/679’. Moreover, the decision goes on to state that ‘when assessing the adequate level of protection of a third country, the relevant standard will be whether that third country in question ensures a level of protection ‘essentially equivalent’ to that guaranteed within the United Kingdom’ (emphasis added).
If the UK approves transfers to a third country that has not obtained an adequacy decision from the European Commission, transfers to the UK and the UK’s adequacy status may be at risk.
Data protection tests when using appropriate safeguards
When making transfers of personal data using either of the template agreements issued by the ICO (i.e., the International Data Transfer Agreement and the International Data Transfer Addendum to the EU SCCs), organisations must also apply a data protection test according to the changes to Article 46 of the UK GDPR.
Under such tests, lower levels of protection are acceptable if they are not ‘materially lower’ than the UK GDPR standard; organisations are permitted to take the nature and volume of personal data into account when carrying out the test. This amounts to a simplified transfer impact assessment that may ease organisations’ assessment of transfers: where a transfer concerns a small number of individuals or non-sensitive personal data, it may proceed.
Lawful basis
The Bill seeks to clarify and simplify several of the legal bases under the UK GDPR. The legal basis of legitimate interests has always caused some confusion, particularly when it comes to weighing organisations’ interests against individuals’ rights and freedoms. Weighing those interests could at times be speculative and lack objectivity. In addition, public authorities were barred from relying on legitimate interests as a basis to process personal data, a change from their ability to do so under the Data Protection Directive. Research is another area that causes much debate, with conflicting views about whether for-profit organisations or only academia can conduct scientific research and what is considered a compatible purpose.
Recognised legitimate interests
Lawful processing will now include processing for ‘recognised legitimate interests’, which are set out in Annex 1 and/or any other interests that the Secretary of State may add (or take away) so long as the Secretary of State has regard to individuals’ rights and freedoms and to the special protections needed by children. Annex 1 currently includes disclosures to public bodies who assert that they need personal data to fulfil a public interest task; disclosures for national or public security or defence purposes; emergencies; prevention or detection of crime; safeguarding vulnerable individuals; and several categories of processing by elected representatives or candidates for political office. If processing falls into any of the categories listed in Annex 1, then the processing is exempt from the need to carry out a legitimate interest assessment (‘LIA’), since these forms of processing are automatically deemed to be within the interests or rights of the data subject. Organisations involved in such processing are likely to view the list, as well as the exemption from conducting an LIA, as a helpful start, and others will hope that the Secretary of State exercises its powers to create a longer list that includes things like financial management and budgeting, and similar business-as-usual tasks.
The Bill also adds examples of processing that are in the controller’s legitimate interests. These include direct marketing, ensuring the security of network and information systems and intra-group transfers of personal data for administrative purposes.
Purposes compatible with the original purpose
The Bill amends the provisions of the UK GDPR on purpose limitation by adding a new Annex 2, which lists purposes deemed to be compatible with the original purpose. These compatible purposes include disclosures by public authorities when necessary for a task in the public interest not carried out in the performance of their own tasks but where such disclosure is necessary to protect public security or is of national economic or financial interest; disclosures for protecting public security; emergency response; preventing or detecting crime; safeguarding vulnerable individuals; protecting vital interests; assessing or collecting taxes or duties; and complying with legal obligations.
To determine if any other or ‘new’ purposes of processing would be compatible with the original purpose, a controller will need to take into account (a) any link between the original purpose and the new purpose; (b) the context in which it was collected and any relationship between the individual and the controller; (c) the nature of the data, including whether it is special category or a criminal conviction or offence data; (d) possible consequences of the intended processing; and (e) appropriate safeguards such as encryption or pseudonymisation.
In relation to processing based on consent, the Bill follows ICO guidance – namely, that if consent is the lawful basis, the processing purpose is limited to that for which consent was obtained and there are no compatible processing purposes. Only a new consent will work, unless one of the existing UK GDPR derogations applies.
Scientific research
The Bill proposes a definition for scientific research that covers research whether publicly or privately funded and whether carried out as a commercial or non-commercial activity, so long as it can reasonably be described as scientific. This is good news for commercial research organisations, consumer-related research and organisations involved in the development of pharmaceuticals and medical devices, since it is often such organisations that sponsor scientific research. The Bill clarifies that scientific research can extend to technological developments or applied research, but only where such research can ‘reasonably be described as scientific’ and, if a study relates to public health, only where it is conducted in the public interest. What qualifies as research ‘reasonably described as scientific’, however, is still open to debate, and it is unclear whether it would cover technological or further product development that may not necessarily meet a public interest test. Factors determining what could be deemed scientific would be more helpful than a potentially subjective standard of ‘reasonably described’, and the draft raises the question of who would reasonably describe research as being scientific or not. In other words, will this be a self-regulatory model? Will it have to meet some form of ethical research standards? Or will it be for the ICO, in its changed form, to decide?
Obtaining consent for scientific research has also caused organisations difficulty, and the Bill seeks to remedy that by making it clear when consent for scientific research is legally obtained. The Bill clarifies that where consent does not meet UK GDPR standards, such consent will still be treated as legitimately obtained if it meets four requirements: (a) it is for the purpose of scientific research; (b) at the time it was obtained it was not possible to fully identify all of the processing purposes; (c) such consent is consistent with recognised ethical standards; and (d) the individual is given the chance to limit the scope of their consent to processing for part of the research.
While consent to participation in research is often specific enough to meet UK GDPR standards, researchers often wish to re-use data as further research topics arise, topics which may not have been known at the time of the original research when consent was obtained. Where the new research is not compatible with the original research, another privacy notice is required. This obligation is often impossible to meet, particularly where data is pseudonymised, which in turn prevents use of the same data for the new research purpose. The Bill is an improvement because, where researchers seek to use data for further research (scientific, historical or statistical purposes) not anticipated at the time of collection, and providing a privacy notice would be either impossible or involve disproportionate effort, the obligation to provide a privacy notice to individuals is removed. Whether the effort will be deemed disproportionate will depend on factors such as the number of individuals, the age of the personal data and the application of appropriate safeguards to the processing. However, this exemption is limited to personal data collected directly from individuals. Where data was collected indirectly, the exemption still applies so long as the controller makes such processing known through publicly available means.
The Bill also clarifies the meaning of other types of research, such as historical research, which will include genealogical research, and research for statistical purposes, which is limited to aggregate results that are not personal data and are not then used to make decisions about the individuals to whom the data relates.
Data subject rights
Exemptions
The Bill amends the rules about when a controller can refuse to act on a data subject rights request or charge a reasonable fee for responding to such a request. Currently, a controller can refuse to act or charge a reasonable fee if the request is ‘manifestly unfounded or excessive’. The Bill amends this to a request that is ‘excessive or vexatious’. Taking the ordinary meaning of the words, one could be forgiven for thinking that there is little practical difference between a ‘manifestly unfounded’ and a ‘vexatious’ request. However, the Bill goes on to propose guidance and examples on the meaning of an ‘excessive or vexatious’ request.
One factor that controllers will be able to consider when deciding if a request is ‘excessive or vexatious’ is the resources available to them. This is not something that the current legislation expressly permits, but the ICO does include it in its guidance as one factor a controller can consider when deciding if a request is excessive. If the Bill puts this guidance from the ICO on a statutory footing, this would be good news for small and medium-sized businesses, who often find responding to such requests disproportionately burdensome on their resources.
One example in the Bill of a vexatious request is one that is an ‘abuse of process’. This could provide an opportunity for controllers to refuse to act on a request where the data subject’s rights are being used as a litigation tactic for early disclosure; something that many controllers feel is an abuse of process. The other two examples of a vexatious request are those that are ‘intended to cause distress’ and those that are ‘not made in good faith’. Reliance on either of these will require the controller to demonstrate the data subject’s motivation for making the request—not something that is easy to prove. Any well-advised data subject will avoid saying or writing anything that could be construed as ill intentioned.
Timing
The Bill introduces two scenarios where a controller can delay starting the clock on its time to respond to a data subject request. One is where the controller has requested additional information from the data subject to fulfil the request (which includes information necessary to confirm the data subject’s identity). In this case, the start of the clock may be delayed until the requested information is received. The second is where the controller is entitled to charge a fee for fulfilling the request. In this case, the start of the clock may be delayed until the controller has received the fee. Although this rule features in the ICO’s guidance on data subject rights, it does not have legal standing. Personally, we think the change makes logical sense and is one of many examples where the government is making clarificatory changes to the UK GDPR.
Right to complain
The Bill gives data subjects a right to complain to a controller if they consider the controller has infringed the UK GDPR or DPA and the controller will have obligations to deal with such requests in a certain way and within certain periods. Although data subjects, in practice, tend to make complaints to the controller prior to going to the ICO, this new provision will mean that controllers will have more policies and procedures to implement—something the government was trying to reduce.
Data Protection Officer (‘DPO’)
The duty to appoint a DPO in certain circumstances will be replaced with a duty to appoint a ‘senior responsible individual’ (‘SRI’). The SRI’s minimum responsibilities/tasks are substantially the same as those of the DPO but there are a few differences. For example, the SRI’s role responsibilities explicitly include dealing with personal data breaches and complaints (the latter complementing the additional right that data subjects have to complain).
Additionally, the threshold for mandatory appointment of an SRI differs from that which applies to the mandatory appointment of a DPO under the UK GDPR. The Bill requires an SRI to be appointed by any controllers or processors that are (i) public bodies; or (ii) processing personal data that is likely to result in a high risk to the rights and freedoms of individuals. By contrast, the UK GDPR requires a DPO to be appointed wherever a controller or processor’s primary activities entail the regular and systematic monitoring of individuals or processing of special category data, in each case on a large scale. Arguably, the threshold for appointing an SRI captures a broader set of processing activities than those that apply to the appointment of a DPO (the DPO threshold being limited to specific named processing activities, whereas the SRI threshold is not limited to those activities). The SRI benefits from substantially the same protections as a DPO, for example the right not to be penalised or dismissed from their role. However, one nuance is that, whereas the DPO is required to report to the highest level of management within the organisation, an SRI is required to be part of the senior management team.
The Bill requires the SRI either to discharge their responsibilities personally or to secure their performance by a suitably qualified delegate. This is no different, in practice, to the position with a DPO, who is also entitled to delegate responsibility (to internal or external resource)—and in practice often does so.
Data Protection Impact Assessments (‘DPIAs’)
The notion of DPIAs will be replaced with an Assessment of High Risk Processing (‘AHRP’), which is narrower in scope. AHRPs are required wherever controllers conduct any ‘high risk processing’ activities. The information required to be documented is not as extensive as the information required to be included in a DPIA. AHRPs must summarise (i) the purposes of processing; (ii) an assessment of the necessity or otherwise of the processing and the risks that apply to individuals; and (iii) how the controller aims to mitigate any such risks.
Automated decision-making (‘ADM’)
The Bill removes Article 12 of the UK GDPR (the one that regulates automated decision-making) and replaces it with a new Article 12A, which will tighten the regulation of ADM in some ways but relax it in others.
The Bill proposes reducing the types of automated decisions that are regulated. If the decision uses special categories of personal data, the rule will be the same as the current Article 12: the controller must obtain the data subject’s explicit consent, or the processing must be in the public interest. However, where the decision does not involve special categories of personal data, the Bill proposes banning ADM that relies on a recognised legitimate interest (see above). All other types of automated decisions will not be specifically regulated and will be free to proceed as if they were any other processing activity. The effect of this is that a controller will be able to make automated decisions about data subjects based on the controller’s legitimate interests (so long as these do not fall within the recognised legitimate interests), subject to the legitimate interest outweighing the risk to the rights of the data subject.
However, the Bill also amends the definition of an automated decision such that a decision will only fall outside the scope of the automated decision rules if there is ‘meaningful’ human involvement in the decision. Currently, if there is some (even minimal) human involvement, the decision cannot be an automated decision because it is not ‘based solely on automated processing’. This will make it more difficult to bypass the automated decision rules by merely having some minor human involvement in the decision-making.
Like the current regime, the Bill retains the obligation on controllers to ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place when conducting all ADM (whether regulated or not). These safeguards mirror those already set out in Article 22 UK GDPR but an additional provision in the Bill does give the Secretary of State the power to add to, vary or omit any of these safeguards. Any controllers currently conducting ADM will already have implemented these safeguards and any controllers who, by virtue of the Bill’s amendment, can start conducting ADM (e.g., because they will do so based on their legitimate interests), will need to make sure to implement these safeguards prior to commencing any such decision-making.
Duty to keep records
The UK government proposes narrowing the obligation to keep records of processing in Article 30 UK GDPR to only those controllers or processors that are involved in high-risk processing. ‘High-risk processing’ is determined by reference to the nature, scope, context and purposes of the processing. Recital 75 of the UK GDPR lists examples of the processing that may pose risk to individuals:
- Processing of special categories of personal data
- Profiling, analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements
- Processing personal data of vulnerable individuals, including children
- Processing of large amounts of personal data on a large scale.
Controllers and processors are permitted to consider the resources available to them when assessing the risk of their processing.
The new requirement lists the minimum records controllers and processors must keep, and it is a reduced list. It does not require a description of the categories of data subjects or the categories of personal data, unless they are special categories of personal data or criminal records. What is new is the requirement to keep records of where the personal data is located, including where outside of the UK. However, there is no requirement to document what appropriate safeguards are in place for transfers outside the UK.
Similarly, processors are not required to list categories of processing on behalf of controllers, but only the name of each controller the processor acts on behalf of and the location of the personal data. Since the above requirements set out the minimum, organisations that are subject to the EU GDPR may choose to continue keeping full records as required under Article 30 EU GDPR.
Prognosis
The Bill has now gone through its second reading in the House of Commons. The readings brought questions about the wide-ranging powers provided to the Secretary of State to approve codes of practice, the ICO’s independence and the potential for individuals’ rights to be watered down, as well as concerns about whether the changes would adversely affect the UK’s adequacy decision from the EU.
The government maintains that it has been in contact with the EU and firmly believes the Bill will not affect the adequacy of data transfers from the EU to the UK. The EU has not, however, made any public statements. At the time the European Commission issued the UK’s adequacy decision, a sunset clause was included, which means it will expire in 2025. The Commission also stated that it would monitor the legal situation in the UK and could intervene at any point if the UK changes the level of protection, as the Bill proposes. The loss of adequacy is a risk to any organisation that does business with the EU where there is an exchange of personal data. The Bill, however, would ease the regulatory burden on many small organisations, including charities. Therefore, while there may be some domestic benefits, for larger, multi-national companies or for companies that offer goods and services to the EU, continuing to follow the EU GDPR standards will most likely remain their business as usual, making the changes to the UK GDPR potentially irrelevant to them.
The prognosis for the Bill is then a mixed bag—offering some benefit to many small organisations that do not do business outside the UK; for others, the Bill is unlikely to bring any change since they will still need to adhere to the EU GDPR.
Cynthia O’Donoghue, Partner, Reed Smith
Philip Thomas, Partner, Reed Smith
Aselle Ibraimova, Counsel, Reed Smith
Sarah O’Brien, Senior Associate, Reed Smith