The U.K. released its draft reform of the U.K. General Data Protection Regulation on March 8, 2023, introducing the Data Protection and Digital Information (No. 2) Bill to Parliament.
The bill makes it easier for businesses to operate across borders by clarifying some key points about how the U.K. regime interacts with the GDPR. Notably, the bill would require businesses to keep records of processing only for high-risk processing, such as processing of someone's health data. It would also clarify that profiling is subject to the same rules as automated decision-making when a "significant decision is taken about a person with no meaningful human involvement."
Regarding international data flows, the bill will use existing transfer mechanisms "if they are already compliant with current U.K. data laws," the release states.
The fundamental principles of the current U.K. GDPR, the range of available data subject rights, the core controller and processor obligations, and the wider constitutional and regulatory environment for privacy would be unaffected by the proposals.
Organizations that are already compliant with the current U.K. GDPR will not have to make changes to comply with the proposed U.K. GDPR. However, proposed reforms will offer organizations the ability to make use of new compliance efficiencies.
Here are some of the impacts the bill is likely to have on key items, based on an analysis by an IAPP contributor.
- Definitions: Data will only be considered as personally identifiable by an organization other than the controller or processor if that other organization will, or is likely to, obtain the information as a result of its data processing. If the other organization does not have, or is not likely to obtain, such information, the data will be considered anonymous and out of scope of the bill.
- Legal bases: Proposals remove the need for organizations to balance their legitimate interests with the data subject’s rights and interests where the purpose for processing the data subject’s data is on the list of recognized legitimate interests. The current proposed list of recognized legitimate interests focuses on public interests, such as national security, defense, emergencies, preventing crime, safeguarding and democratic engagement. There is a procedure by which the government may add to this list in the future.
- The proposals include a list of activities that may be regarded as in a data controller’s legitimate interest to process data. The activities are illustrative and non-exhaustive, and are moved from the recitals to the operative part of the U.K. GDPR. The activities are direct marketing, intraorganizational transmission of data, and network and information systems security. Data controllers are still required to ensure their interests are not outweighed by the data subject’s rights and interests. Commentary in the Explanatory Notes clarifies that any legitimate commercial activity can be a legitimate interest, provided the processing is necessary and the balancing test is carried out.
- Research: Proposals define the scope of scientific research to include all activities that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity. Proposals exempt controllers from the requirement to provide notice where personal data has been collected directly from the data subject for research, archival or statistical purposes, and where providing such information would be impossible or require disproportionate effort.
- International transfers: Proposals set out the test for adequacy regulations, colloquially referred to as data bridges, as whether the standard of protection in the third country is not "materially lower" than under the U.K. GDPR, when "taken as a whole" and assessed in a "holistic way," recognizing different legal and cultural approaches to protecting privacy. Organizations "acting reasonably and proportionately" must consider whether the standard of protection provided by the relevant transfer mechanism (e.g., standard contractual clauses), the third country’s laws and practices, and the use of other safeguards would result in standards materially lower than those of the U.K. GDPR.
- Records and documentation: Proposals require records of processing only for organizations that carry out processing activities likely to result in "high risk to the rights and freedoms of data subjects." High risk will be determined by taking the nature, scope, context and purposes of the processing into account. Previously, proposals exempted organizations from record-keeping requirements where fewer than 250 people are employed and there is no high-risk processing. This is in addition to proposals clarifying the high-risk threshold for data protection impact assessments.
- Privacy personnel: Proposals remove the requirement for controllers and processors not established in the U.K. to appoint a U.K. representative. Proposals replace requirements relating to the designation and roles of the data protection officer with provisions on the senior responsible individual. SRIs are only required for public bodies or where there is high-risk processing. SRIs can combine their tasks with other roles in the organization and can delegate tasks.
- Data subject rights: Proposals replace the "manifestly unfounded or excessive" threshold for refusing data subject rights requests with a "vexatious or excessive" threshold. When deciding whether and how to respond to data subject rights requests, controllers may take into account their resources, whether the request was intended to cause distress, made in bad faith, or is an abuse of process.
- Cookies: Proposals expand the list of exemptions from the requirement to obtain consent for placing cookies or similar tracking technologies on a user’s terminal equipment. Proposed exemptions include collecting statistical information about an information society service to make improvements, enabling the appearance or function of a website to reflect user preferences, installing necessary security updates to software on a device, and identifying an individual's geolocation in an emergency. With the exception of identifying users in an emergency, users must be provided with clear, comprehensive information and a simple means of opting out.
- Direct marketing: Proposals expand the ability to rely on opt-out consent to non-commercial organizations. Non-commercial organizations can send electronic marketing communications without prior consent for the purposes of furthering charitable, political or other non-commercial objectives, if the individual’s contact details were obtained in the course of the individual expressing interest or offering support to the objective.
- The proposals also create a duty on providers of public electronic communication services and networks to report suspicious activity relating to unlawful direct marketing to the Information Commissioner's Office, with penalties for noncompliance and a requirement for the ICO to publish guidance on what constitutes reasonable suspicion.
- Automated decision-making: Proposals define automated decision-making as involving "no meaningful human involvement" and require organizations making such decisions to disclose this to individuals, in addition to providing individuals the ability to challenge decisions by seeking human involvement. Proposals for the secretary of state include issuing regulations on whether a description of a decision is, or is not, to be regarded as having "a similarly significant effect" for the data subject, whether to make further provisions on the safeguards required for automated decision-making, and whether there is, or is not, meaningful human involvement in decision-making.