The Data Protection and Digital Information Bill: Evolution not Revolution

The Data Protection and Digital Information Bill (the Bill) was initially proposed in order to reduce the compliance burden on organisations by updating and simplifying the UK's data protection framework. The Bill was first introduced on 18 July 2022; however, the parliamentary review of the Bill was put on hold following the introduction of Liz Truss as Prime Minister.

Recently, fresh proposals for the Bill have been touted and the Bill was re-introduced to the UK government on 8 March 2023. Whilst this is technically a new version, named the Data Protection and Digital Information (No.2) Bill, the majority of the Bill remains the same, with only limited material changes to the overall text.

Whilst we cannot say for certain what the Bill will look like when it is finally approved, there are certain aspects of it which are generally understood to be key, and which are unlikely to change. It is worth organisations taking note of these points now since they will warrant consideration once the Bill is finalised.

Cookies and tracking technologies

The Bill seeks to introduce a change to current cookie legislation which will permit organisations to place analytics cookies (which gather statistical information on the user e.g. Google Analytics) on users’ devices without their consent, where such information is to be used with a view to improving the service provided by that organisation (such as the functionality of the organisation’s website). At present only “strictly necessary” cookies can be placed on devices without consent. Users will still need to be given the opportunity to object to such cookies / opt out of the use of such cookies.

Currently cookies can be a compliance headache for organisations. This change is intended to allow organisations to make use of greater volumes of analytical data collected via their website to benefit both their businesses and their customers.

Direct marketing

The new Bill brings the maximum fine for direct marketing in line with the UK GDPR, increasing it from the current £500,000 to £17.5 million or 4% of global annual turnover (whichever is higher). Our understanding is that the government intends to crack down on nuisance calls and texts in particular.

Any marketing activities carried out by an organisation should be considered in light of this going forwards as it is a clear indication of the approach the government is looking to adopt in respect of unsolicited marketing in the long term.

International data transfers

Proposals made in the Bill indicate that organisations will be permitted to take a risk-based approach when assessing the impact of transferring personal data internationally, as well as permitting the Department for Digital, Culture, Media and Sport (DCMS) to make new adequacy decisions on behalf of the UK, utilising the same risk-based approach. The intention is to simplify the process surrounding international data transfers, which in turn could incentivise international trade between the UK and other territories.

When the Bill was announced it was made clear that the DCMS would be prioritising an adequacy decision for the US (Privacy Shield 2.0), along with other jurisdictions such as Australia and Singapore.

Helpfully, given the time invested by organisations in ensuring compliance to date, the new version of the Bill confirms that any transfer mechanisms lawfully entered into before the Bill takes effect will still be valid under the new regime, provided they are compliant with the current UK data protection legislation.

Data subject access requests

The Bill provides for amendments to the grounds on which organisations will be able to refuse to respond to, or charge fees for responding to data subject access requests (DSARs) in their entirety, where it is determined that such requests are "vexatious or excessive". This would replace the current threshold of "manifestly unfounded". Additionally, the Bill includes examples of what would amount to a "vexatious" and "excessive" DSAR. Currently, however, there is not sufficient detail for organisations to clearly understand when a DSAR meets this threshold, and we expect further guidance to be issued by the Information Commissioner's Office (ICO) once the Bill has been passed.

The hope is that the Bill will make dealing with DSARs more manageable for organisations in the future; however, based on the current draft it is difficult to determine whether, in practice, the burden on businesses associated with responding to DSARs (which in our experience can be time and cost intensive) will be reduced.

Accountability framework

Several changes have been proposed under the Bill in an attempt by the government to reduce certain administrative burdens on organisations in complying with the UK GDPR. These changes include:

  • Replacing the requirement for organisations to have a Data Protection Officer (DPO) (where relevant) with an individual responsible for management of that organisation's privacy framework. The appointment will only be required where processing is carried out by a public authority, or where an organisation carries out high-risk processing. The senior responsible individual(s) will need to be part of the organisation’s senior management.
  • Removing the need for data protection impact assessments (DPIAs) and allowing organisations to assess privacy risks in their own way unless high-risk processing is likely. The ICO is expected to publish a list of the kinds of processing that will be deemed high risk, and the Bill simplifies aspects of the assessment process where an assessment is still required.
  • Removing the formal requirement for organisations to maintain records of processing. In practice organisations will likely find it useful to maintain this in some guise.
  • Raising the threshold requiring organisations to report data breaches to the ICO.

The Bill also seeks to introduce a requirement for organisations to maintain "privacy management programmes", which is something that organisations have not previously had to have. However, the government has said that in most instances if an organisation is already complying with its obligations under the UK GDPR, the organisation will not need to make any changes to comply with the Bill.

Legitimate interests

The lawful basis of legitimate interests is to be reformed under the Bill, with a recognised "white-list" of legitimate interests being provided by the government which, when relied on, would not require a legitimate interest assessment to be carried out (e.g. processing necessary in the public interest or for safeguarding vulnerable individuals).

The new version of the Bill also includes examples of processing that may be deemed to be in the legitimate interests of an organisation. These include processing for the purposes of direct marketing (it remains to be seen how this would interplay with PECR) and intra-group sharing of personal data for administrative purposes. Organisations will, however, still be required to ensure that their interests are not outweighed by the data subject's rights and interests when conducting such processing, which will mean carrying out legitimate interest assessments for the majority of their processing activities that rely on legitimate interests as a lawful basis.

Technical changes

In addition to the points raised above, there are some more technical changes being proposed in the Bill, such as an amendment to the definition of "personal data" which, if implemented, could be beneficial to organisations by making it easier to achieve anonymisation. There is also a proposal to reform the Information Commissioner's Office by renaming it the "Information Commission" and providing it with new duties such as safeguarding public and national security.

Make sure your organisation is prepared

It is worth noting that the changes proposed in the Bill are not huge departures from the UK GDPR in its current form. Departing too far from the position in the European GDPR runs the risk of the UK losing its EU adequacy status, which would dramatically impact the flow of data between the UK and Europe.

It is not clear how much of the Bill, as we have seen it, will come to fruition when it is brought back for parliamentary review, however it is highly likely that it will bring about changes to the data protection landscape and organisations need to be ready for when that happens.

We will provide further guidance on the status of the Bill when it is available. If you have any questions, please get in touch with our Privacy team.