On 8 March the UK Government published a new Data Protection and Digital Information Bill (No. 2) (“New Bill”). This is a different Bill from the one that was introduced into Parliament last summer, the Data Protection and Digital Information Bill (“Original Bill”).
Although the New Bill has been introduced separately into Parliament, the proposals in the New Bill are substantially the same as the Original Bill.
Therefore, the proposals for UK data protection reform in the Original Bill summarised in our article (here) remain largely the same. For example, the New Bill contains the same proposals regarding data protection officers/senior responsible individuals, data protection impact assessments/assessment of high risk processing, removal of the UK representative requirement under Article 27 of the UK GDPR, amongst others. You can read more about these proposals in our article here.
One of the Government’s key objectives with the New Bill is to reduce perceived burdens on UK organisations. In the UK Government’s press release accompanying the New Bill, it stated the New Bill would “cut down pointless paperwork” and move “away from the ‘one-size-fits-all’ approach of European Union’s GDPR”, as well as “reduce annoying cookie pop-ups”.
Some of the proposals in the Bill may benefit UK organisations by reducing or removing certain requirements under the UK GDPR. However, UK organisations that also offer goods or services to individuals in the EU will still need to comply with the relevant requirements under the EU GDPR. Therefore, for multi-national organisations based in the UK, or UK organisations that want to expand internationally, any deviation from the EU GDPR baseline in the hope of reducing red tape may be more of a red herring.
Once the Bill is finalised, multi-national organisations will likely weigh up the benefit, cost and practical impact of adopting a different approach for the UK compared to the approach they take for their EU operations or the personal data of EU individuals.
What does this mean for the UK’s adequacy decision?
The EU will be paying close attention to these proposals and whether these impact the European Commission’s adequacy decision for the UK, which at present allows for the transfer of personal data between the EU and UK.
There is a serious risk that too many changes to the UK data protection regime could negatively impact the UK going forward by jeopardising its future adequacy from an EU GDPR perspective.
What has changed in the New Bill compared to the Original Bill?
We have summarised key differences between the Original Bill and the New Bill below:
- Scientific Research Definition: The Original Bill proposed adding a definition of scientific research, which largely mirrored existing wording in the recitals to the UK GDPR. In the New Bill, a further clarification has been added to this new definition of scientific research to state that it applies whether the research is carried out for commercial or non-commercial activity.
- Legitimate Interest Examples: The New Bill includes an additional Article 6(9) which lists examples of processing that can be considered necessary for the purposes of a legitimate interest. These examples include:
  - (a) processing necessary for the purposes of direct marketing;
  - (b) intra-group transmission of personal data (whether personal data of clients, employees or other individuals) necessary for internal administrative purposes; and
  - (c) processing necessary for the purposes of ensuring the security of network and information systems.
This list reflects the position set out in recitals 47, 48 and 49 of the UK GDPR, although this proposal would make these examples part of the UK GDPR itself under Article 6. It is important to note that a legitimate interests assessment is still required for the legitimate interests listed above.
- Records of Processing only required for high-risk processing: The Original Bill proposed replacing the record of processing requirement under Article 30 with a new requirement under a new Article 30A.
The New Bill has narrowed the obligation to maintain such a record of processing so that it only applies to controllers or processors carrying out processing which is likely to result in a “high risk” to the rights and freedoms of individuals, taking into account the nature, scope and purposes of the processing (Article 30A(1)).
This reflects the proposals for senior responsible individuals as a replacement for data protection officer requirements (Article 27A(1)(b)) and assessment of high risk processing as a replacement for data protection impact assessment requirements (Article 35), which also focus on “high risk” processing rather than the thresholds under the EU GDPR and current UK GDPR.
The exception to the record of processing requirement where the controller or processor employs fewer than 250 employees has been removed in the New Bill, as the threshold for having a record of processing under the new Article 30A would be higher and only apply to processing likely to result in a high risk.
The key question is what amounts to “high risk” processing for these purposes. In the New Bill, there is a new requirement on the Information Commissioner to publish a document containing examples of types of processing which the Information Commissioner considers are likely to result in a high risk to the rights and freedoms of individuals for the purposes of Articles 27A (senior responsible individuals), 30A (records of processing) and 35 (assessment of high risk processing).
- Automated Decision Making: The New Bill introduces an addition in Article 22A(2), which states that, when considering whether there is meaningful human involvement in taking a decision, a person must consider, amongst other things, the extent to which the decision is reached by means of profiling. The Secretary of State can also provide by regulations for cases where there is, or is not, to be meaningful human involvement in the taking of a decision for the purposes of Article 22A.
- International Data Transfers: The transitional provisions in Part 2 of Schedule 7 of the New Bill regarding data transfers have been updated. These updates permit transfers of personal data from the UK using existing methods that are permissible at present under the UK GDPR. However, these updated transitional provisions apply only where:
  - the data transfer is made under arrangements entered into before the changes to Article 46 of the UK GDPR under Schedule 5 of the New Bill come into force;
  - safeguards are provided as required under paragraphs 2 or 3 of Article 46 of the UK GDPR (standard data protection clauses, such as the UK Addendum or UK International Data Transfer Agreement) or paragraph 9 of Schedule 21 of the Data Protection Act; and
  - if the data transfer had been made immediately before the changes to Article 46 of the UK GDPR came into force, the transfer would have satisfied the condition in Article 46(1) of the UK GDPR relating to data subjects’ rights and legal remedies, and the requirement of the last sentence of Article 44 of the UK GDPR regarding the level of protection not being undermined.
The New Bill was introduced into Parliament on 8 March 2023, and will need to progress through both the House of Commons and the House of Lords before being finalised and receiving Royal Assent.
We will provide further updates on any significant changes to the New Bill as it progresses through this process.