The UK data protection framework is set to change. These changes will be relevant for organisations in the UK as well as organisations outside of the UK that offer goods or services to data subjects in the UK or monitor their behaviour.
From a practical perspective many of the proposed changes are focused on reducing certain obligations, particularly record keeping obligations such as records of processing or data protection impact assessments. However, it is important to note that most of the existing obligations under the UK General Data Protection Regulation (“UK GDPR”) will remain largely the same.
The proposals are not a wholesale replacement of the UK GDPR but rather an incremental shift away from what the UK Government views as “box ticking” exercises and unnecessary administrative burdens.
Some of the proposals may also provide additional flexibility for organisations, such as making it easier to refuse to comply with data subject requests in certain circumstances, and expanding the types of cookies where positive consent is not required.
However, the UK Government did not move forward with all the proposals in its original consultation. For example, the UK Government has stated it does not intend to proceed with proposals to amend the threshold for when a personal data breach is required to be notified to the data protection authority.
In summary the proposals broadly: (a) reduce certain administrative or documentation requirements; (b) add flexibility or clarification in relation to responding to data subject requests; (c) expand the circumstances where consent is not required for certain cookies or similar technologies; and (d) add flexibility or clarification to existing requirements such as reliance on legitimate interests, purpose limitation, definitions of personal data and research and statistical purposes.
Although there are also changes to the provisions regarding data transfers, the current requirements for transfers of personal data from the UK remain largely the same; the main change is that the Secretary of State will have more flexibility to approve transfers of personal data outside of the UK.
There are also various proposals for reform of the Information Commissioner’s Office (“ICO”) which based on some responses to the consultation could be viewed as impacting the ICO’s independence. This is something the European Commission will be watching closely in the context of the continued validity of the UK’s existing adequacy decision.
The UK Government has proposed changes to the UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations (“PECR”). This was formally announced in May 2022 via the Queen’s Speech which stated that the UK’s data protection regime would be reformed with a new “Data Reform Bill”. This is positioned as part of a series of legislative proposals intended to take advantage of the benefits of Brexit. This announcement followed the Department for Digital, Culture, Media and Sport’s consultation on data protection reforms (“Data: a new direction”) at the end of last year. The UK Government’s response to the consultation was published in June, and sets out the proposals the UK Government intends to proceed with.
The UK Government has now published the Bill, which has been rebranded as the Data Protection and Digital Information Bill (“DPDI Bill”).
A central theme in the consultation and the DPDI Bill is reducing perceived burdens on organisations by removing or amending certain requirements under UK data protection laws. Although some of the changes may be helpful for UK organisations, for large multi-national companies that have already invested significant time and effort to comply with the EU GDPR and the UK GDPR, some of the proposals may not be as helpful in practice as they first appear.
From an efficiency and consistency perspective, although certain requirements in the UK GDPR may be removed or amended to reduce the existing obligations, larger organisations may still choose to comply with the relevant standard under the EU GDPR (mirrored in the UK GDPR at present) in some areas, for example data protection impact assessments and records of processing, rather than adopt a bespoke approach for the UK if there is only an incremental benefit. The UK Government stated in the consultation response that organisations that currently comply with the UK GDPR would not need to “significantly change their approach to be compliant with the new requirements, unless they wanted to take advantage of the additional flexibility that the new legislation will provide”.
However, some of the proposals regarding data subject requests and cookies may be beneficial more broadly and organisations will likely want to take advantage of these changes from a UK perspective.
We have summarised some of the key proposals below and the impact these may have on organisations in practice if the DPDI Bill is passed largely as published. However, the DPDI Bill will need to progress through the legislative process, and there will likely be changes to the DPDI Bill along the way.
Reducing Administrative or Documentation Requirements
Data Protection Officers
The UK Government announced in its consultation response that it planned to remove the requirement to designate a data protection officer. This requirement would be replaced by a new requirement to appoint a “senior responsible individual”.
The DPDI Bill therefore removes Articles 37 to 39 of the UK GDPR regarding data protection officers, and replaces them with a new concept of a “senior responsible individual” in Articles 27A to 27C.
The threshold for appointing a “senior responsible individual” is where the controller or processor is: (a) a public body; or (b) processing personal data (taking into account the nature, scope, context and purposes of processing) that is “likely to result in a high risk to the rights and freedoms of individuals”. This is a departure from the existing threshold for appointing a DPO, which includes where the core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale.
Where the organisation is a controller, the tasks of the senior responsible individual are similar in many ways to the tasks of a DPO, and include monitoring compliance with data protection legislation, ensuring the controller develops and implements measures to ensure compliance with data protection legislation, organising training for employees, cooperating with the data protection authority and acting as a contact point for the data protection authority, amongst other tasks. These tasks can be delegated by the senior responsible individual to another person.
If the organisation is a processor, the tasks of the senior responsible individual are limited to monitoring compliance with Article 28 of the UK GDPR regarding contracts between controllers and processors, the new Article 30A record of processing requirement and Article 32 regarding security measures, as well as co-operating with the data protection authority and acting as a contact point for the data protection authority.
The UK Government’s consultation response stated that there is flexibility for organisations that “previously used a data protection officer to continue to do so, as long as there is appropriate oversight from the senior accountable individual”. In practice organisations that already have DPOs in place may still decide to retain this role, particularly where they are directly subject to the EU GDPR as well and require a DPO for those purposes.
Data Protection Impact Assessments and Consultation Requirements
In the consultation response the UK Government announced it would remove the requirement to conduct a data protection impact assessment, but that it would be replaced with a more flexible requirement to identify and manage risks.
Under the DPDI Bill, Article 35 of the UK GDPR is rebranded as an “assessment of high risk processing”. Although an assessment of the impact of the processing is still required for high risk processing, the list of circumstances in Article 35(3) where a DPIA is required has been removed. In addition, the list of what the assessment needs to cover has been simplified and includes a summary of the purposes of the processing, an assessment of whether the processing is necessary for those purposes, an assessment of the risks to individuals and a description of how the controller proposes to mitigate those risks.
Therefore, this new requirement would apply in more limited circumstances and involve a “lighter touch” assessment than the current obligation under the UK GDPR. However, the UK Government acknowledged in its consultation response that organisations may “wish to continue to use data protection impact assessments” and that “existing DPIAs would remain valid as a way of achieving the new requirement”. In practice, some larger organisations may decide for consistency and efficiency to maintain their current DPIA processes even if not strictly required under the UK GDPR, particularly if the EU GDPR also applies to the organisation.
In addition, the requirement to consult with the data protection authority under Article 36 of the UK GDPR has changed so that it is no longer mandatory. Under Article 36 of the UK GDPR if an assessment indicates the processing would result in a high risk in the absence of mitigating measures, the controller is required to consult with the ICO. However, the DPDI Bill modifies Article 36(1) of the UK GDPR so that it would no longer be mandatory to consult with the ICO in those circumstances, but would be optional.
Records of Processing
In the response to the consultation the UK Government stated it planned to proceed with removing the requirement to maintain a record of processing activities under Article 30 of the UK GDPR. However, the UK Government’s intention is that organisations would need to have personal data inventories instead.
The DPDI Bill removes Article 30 of the UK GDPR and replaces it with a similar obligation to maintain a record of processing under a new Article 30A. The list of information required to be maintained by a controller in such a record is similar to the information already required in an Article 30 record of processing. However, the name and contact details of the controller, representative and DPO are not required, and a description of the categories of data subjects and categories of personal data are not required.
The record of processing under the new Article 30A would need to include where the personal data is (including if personal data is outside of the UK), the purposes of the processing, who the data has been or is intended to be shared with, how long the controller intends to retain the personal data, whether there are any special categories of personal data and any criminal convictions and offences data. In addition, where possible the record must include information about how the personal data is secured.
Similar to the position under Article 30 of the UK GDPR, this new record of processing is not required if the controller or processor employs fewer than 250 individuals unless the controller or processor carries out processing likely to result in a “high” risk to the rights and freedoms of data subjects. This is a change from the current threshold where there is just a “risk” to the rights and freedoms of data subjects, which in practice will likely be beneficial to controllers and processors.
In practice, if organisations have already invested significant time and effort in developing and maintaining an Article 30 record of processing, they may still decide to continue with that approach, particularly if they are also directly subject to the EU GDPR.
The DPDI Bill removes the requirement to appoint a UK representative under Article 27 of the UK GDPR.
Currently under Article 27 of the UK GDPR, if a controller or processor is not established in the UK but is subject to the UK GDPR it is required to appoint a representative in the UK, unless an exemption applies. This would be the case if the controller or processor processes personal data of data subjects in the UK where the processing is related to offering goods or services to data subjects in the UK or monitoring the behaviour of data subjects in the UK.
The removal of this requirement will likely be a welcome change for organisations outside of the UK that are subject to the UK GDPR.
Data Subject Requests
Lower threshold for refusing to comply
The core data subject rights regarding privacy notice information, access, portability, rectification, restriction, erasure and objection will still remain in place under the UK GDPR going forward. However, the UK Government has proposed changes to data subject rights regarding automated decision making (please see below).
Although the majority of data subject rights remain unchanged, one of the key practical changes under the DPDI Bill is that data controllers may have greater flexibility to refuse to comply with certain data subject requests in the future. The DPDI Bill removes the current threshold of refusing to comply where the request is “manifestly unfounded or excessive”, and replaces this with a threshold of “vexatious or excessive”.
A new Article 12A introduces the concept of vexatious or excessive requests, and expressly lists examples of vexatious requests, which include requests that are intended to cause distress, are not made in good faith, or are an abuse of process. There are also various factors a controller is required to take into account when determining if a request is vexatious or excessive, which include the resources available to the controller as well as other factors.
If a request is vexatious or excessive a controller can charge a fee for dealing with the request or refuse to act on the request.
The current test of “manifestly unfounded or excessive” is a relatively high threshold to meet in practice, and the proposed lower threshold will likely be a positive change for organisations particularly in relation to certain data subject access requests made by data subjects in the context of other complaints or issues.
Clarification of time periods for response
The DPDI Bill clarifies that the one month period for responding to a data subject request starts from when the controller: (a) receives the request; (b) receives any information it has requested from the data subject to confirm their identity; or (c) if there is a fee charged because the request is vexatious or excessive, when the fee is paid. As under the UK GDPR, the time period for response can be extended by a further two months if the request is complex or because of the number of requests. This is in line with ICO guidance but would now be codified within the UK GDPR itself.
No additional fee introduced
In the consultation response the UK Government confirmed it would not move forward with proposals to introduce a cost limit or ceiling for responding to data subject requests, and it did not plan to re-introduce a nominal fee for processing data subject requests.
Therefore, the DPDI Bill does not introduce additional fees for data subjects to exercise their data subject rights, which remain free of charge (with the exception of vexatious or excessive requests, where the controller can charge a fee as mentioned above).
Automated Decision Making
The UK Government confirmed in its response to the consultation that it would not proceed with the complete removal of Article 22 of the UK GDPR regarding rights in relation to automated decision making and profiling. However, the UK Government stated it would “cast Article 22 as a right to specific safeguards, rather than a general prohibition on solely automated decision making”. The intention is that these reforms will “enable the deployment of AI-powered automated decision making, providing scope for innovation with appropriate safeguards in place”.
The DPDI Bill removes Article 22 but replaces it with new Articles 22A to 22C which:
- include restrictions on significant decisions based entirely or partly on special categories of personal data using solely automated processing. Similar to the current position under Article 22 of the UK GDPR, the circumstances where this is permissible are: (i) there is explicit consent from the data subject; (ii) it is necessary to enter into or perform a contract with the data subject; (iii) required by law; or (iv) the processing is necessary for the purposes of substantial public interest;
- for a significant decision taken by a controller and based entirely or partly on personal data and based solely on automated processing, there is not a general prohibition as is currently the case under Article 22 of the UK GDPR, but instead the controller must ensure there are safeguards for the data subject’s rights, freedoms and legitimate interests. These include providing the data subject with information about the decision, enabling the data subject to make representations about the decision, enabling the data subject to obtain human intervention, and enabling the data subject to contest the decision.
Data Subject Complaints
The DPDI Bill intends to shift initial complaints by data subjects to the controller in the first instance, before the data subject complains to the ICO.
A new Section 164A of the Data Protection Act would allow data subjects to complain to the controller if the data subject considers there is an infringement of the UK GDPR in connection with their personal data. Controllers will be required to facilitate complaints by taking steps including providing a complaint form that can be completed electronically and by other means. The controller is required to acknowledge receipt of the complaint within 30 days from when the complaint is received. There is also a positive obligation on controllers to take appropriate steps to respond to the complaint and inform the complainant of the outcome without undue delay.
This is aimed at encouraging data subjects to resolve complaints first with the data controller before complaining to the ICO. A new Section 165A gives the ICO the discretion to refuse to act on a complaint from a data subject if: (a) the complaint has not been made to the controller; (b) a complaint has been made to the controller but the controller has not finished handling the complaint and a period of 45 days starting with the date the complaint was made has not expired; or (c) the complaint is vexatious or excessive.
In practice this is likely to mean an increase in the number of complaints controllers receive from data subjects in the first instance, but may helpfully reduce the engagement required with the ICO in relation to data subject complaints as data subjects will be encouraged to resolve the complaint first with the controller before involving the ICO. Although in practice the ICO already encourages data subjects to resolve complaints with the controller first, the ICO will be able to refuse to act on a complaint if the data subject has not engaged with the controller first.
Cookies – Expanding circumstances where consent is not required
The UK Government stated in its response to the consultation that it will legislate to permit certain cookies and similar technologies to be placed on a user’s device without the need for consent, although these would be a small number of non-intrusive purposes, such as audience measurement cookies.
Therefore, the DPDI Bill will amend PECR to expand the circumstances where consent is not required for placing cookies on users’ devices. In summary, these circumstances are where the cookies or similar technologies are used solely for:
(a) statistical purposes about how the service or website is used, in order to make improvements to the service or website;
(b) enabling the display of a website or function, adapting to the preferences of the user, or enhancing the appearance or functionality of the website;
(c) enabling software to be updated where the update is necessary to ensure the security of the device; and
(d) receiving communications where requested by the user in the event of an emergency, to locate the user’s geographical position for emergency assistance.
In these circumstances the user must still be provided with clear and comprehensive information about the purposes and be given a simple means of objecting/opting out free of charge.
The DPDI Bill also expands what are considered “strictly necessary” cookies or similar technologies which do not require consent, to include where the storage or access is strictly necessary for:
(a) protecting information provided in connection with, or relating to, the provision of the service requested;
(b) ensuring the security of the device is not adversely affected by the provision of the service requested;
(c) preventing or detecting fraud in connection with the service requested;
(d) preventing or detecting technical faults with the service requested; or
(e) if necessary for provision of the service requested, automatically authenticating the identity of the user, or maintaining a record of the selections made on a website, or information put into a website, by a user.
These changes will provide additional flexibility from a UK perspective and expand the circumstances where positive consent is not required.
In the longer term, the UK Government intends to legislate to remove the need for websites to display cookie banners to UK residents. However, at this stage the DPDI Bill does not implement that approach. In response to the consultation, the UK Government stated that in the long term it intends to move to an opt-out model for cookie consent, but only once the UK Government has assessed that there are widely available technical solutions that allow users to manage their cookie preferences.
Therefore, the DPDI Bill amends PECR to introduce a new regulation 6B that allows the Secretary of State to make statutory instruments approving technologies which enable users to ensure that any consent they wish to give, or any objection they wish to make, to an operator of a website for the purposes of the cookie rules under PECR is given or made automatically when visiting a website.
Although this is a longer term objective, it is important for organisations to be aware of the direction of travel regarding cookie consent from a UK perspective, as this will have a practical impact on the approach to cookie banners and consent mechanisms going forward.
PECR enforcement in line with level of monetary penalties under the UK GDPR
The DPDI Bill brings the maximum level of monetary penalties under PECR for cookies and electronic direct marketing breaches in line with the maximum amounts for breaches under the UK GDPR. This means monetary penalties for breaches of cookies and electronic direct marketing rules under PECR would be subject to a maximum limit of £17,500,000 or 4% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher. This is compared to the current maximum limit of £500,000.
Notification obligation for unlawful direct marketing
Under a new regulation 26A, providers of public electronic communications services or public electronic communications networks would be under an obligation to notify the ICO if the provider has reasonable grounds for suspecting a person is breaching or has breached direct marketing rules under PECR. The ICO would have the power to issue a fixed monetary penalty notice of £1,000 for failure to comply with this new notification obligation.
Additional Flexibility and Clarifications
Legitimate Interests – new “recognised legitimate interests”
The UK Government stated in its consultation response that it intended to pursue an “initially limited number of carefully defined processing activities” that would not require the balancing of interests test when relying on legitimate interests as a legal basis. This has been introduced in the DPDI Bill by adding a new processing condition in Article 6(1) of the UK GDPR where the processing is necessary for a “recognised legitimate interest”.
These recognised legitimate interests include:
(a) where the processing is necessary for a disclosure of personal data for the purposes of a task carried out in the public interest or exercise of official authority;
(b) safeguarding national security, protecting public security or defence purposes;
(c) detecting, investigating or preventing crime, or apprehending or prosecuting offenders;
(d) safeguarding vulnerable individuals; and
(e) where the processing is carried out for democratic engagement by an elected representative or a person acting with the authority of such a representative.
Although these changes introduce additional flexibility, the scope is limited to the above recognised legitimate interests. The UK Government confirmed in the consultation response that it would not pursue the proposals for expanding this list to include “non-intrusive” uses of personal data for commercial purposes. Therefore, in practice, organisations processing personal data on the basis of legitimate interests for commercial purposes will still need to conduct legitimate interest assessments.
The DPDI Bill adds a list of circumstances where processing of personal data for a new purpose is compatible with the original purpose.
Under the DPDI Bill processing for a new purpose is compatible with the original purpose: (a) where the data subject has provided their consent for the new purpose; (b) for purposes of scientific or historical research, archiving in the public interest or statistical purposes; (c) the processing is carried out to ensure that the processing of personal data complies with the processing principles under Article 5(1) of the UK GDPR or demonstrating that it does; (d) the processing is necessary to safeguard an objective in Article 23(1)(c) to (j) (i.e. public security, prevention, investigation, detection or prosecution of criminal offences etc.); and (e) the processing meets a condition in a new list added in Annex 2 to the UK GDPR.
Annex 2 includes a list of circumstances where the processing is compatible with the original purpose and includes:
(a) where the processing is necessary for a disclosure of personal data for the purposes of a task carried out in the public interest or exercise of official authority;
(b) protecting public security;
(c) responding to an emergency;
(d) detecting, investigating or preventing crime, or apprehending or prosecuting offenders;
(e) protecting the vital interests of data subjects or another individual;
(f) safeguarding vulnerable individuals;
(g) assessment, collection or imposition of a tax or duty; and
(h) complying with a legal obligation of the controller.
The changes provide additional flexibility to controllers, although in practice the scope of this new list is relatively narrow.
Definitions of personal data and research
The DPDI Bill largely maintains the definition of personal data as we understand it, but adds clarification in a new Section 3A of the Data Protection Act regarding when information relates to an identifiable living individual. The UK Government stated in the consultation response that these changes regarding the concept of identification are to clarify that it is a relative test by the controller or processor using “reasonable means” or where the controller or processor knows or ought reasonably to know that another person will or is likely to be able to identify the individual using reasonable means.
There are also additional clarifications regarding the concept of scientific research, which largely mirror existing wording in the recitals to the UK GDPR.
These clarifications may be helpful in practice and reduce uncertainty for data controllers.
The DPDI Bill includes reforms of the data protection authority in the UK.
Under the DPDI Bill the office of the Information Commissioner would be abolished and replaced by a body corporate known as the “Information Commission”. The functions of the Information Commissioner will be transferred to the Information Commission. The Information Commission would be comprised of no fewer than 3 and no more than 14 members (the exact number to be determined by the Secretary of State). The Information Commission will have non-executive and executive members, with a non-executive member acting as Chair and an executive member acting as Chief Executive.
The Information Commission would also have a “principal objective” in carrying out its functions, which is to secure an appropriate level of protection of personal data, having regard to the interests of data subjects, controllers and others and the general public interest, as well as promoting public trust and confidence in the processing of personal data. The Information Commission would also be required to have regard to a list of factors that include the desirability of promoting innovation and competition, the importance of the prevention, investigation, detection and prosecution of criminal offences, and safeguarding public security and national security. In addition, the Secretary of State can designate a statement of strategic priorities for the Information Commission, and the Information Commission must have regard to those strategic priorities when carrying out its functions under data protection legislation.
These and other reforms of the ICO under the DPDI Bill have raised concerns, as noted in the UK Government’s consultation response, of a potential risk to the ICO’s independence. This is likely an area the European Commission will be monitoring closely in relation to the UK’s adequacy decision, given the importance of an independent supervisory authority as part of that adequacy decision.
The DPDI Bill is due for its second reading in the House of Commons when it returns on Monday 5 September, and the DPDI Bill will need to progress through both the House of Commons and the House of Lords before being finalised and receiving Royal Assent. There will likely be changes to the provisions of the DPDI Bill throughout that process. We will be tracking these developments and will provide updates on any significant changes to the DPDI Bill throughout the process.