In March 2023, the UK government resumed its proposed reform of UK data protection laws with the introduction to Parliament of the Data Protection and Digital Information (No. 2) Bill, a replacement to its earlier reform bill.
The earlier version was published in July 2022 (under Prime Minister Boris Johnson), but was then put on ice by the government following the appointment of Liz Truss as Prime Minister in order to allow time for ministers to re-examine its scope. In a speech given at the annual Conservative Party conference in October 2022, Science, Innovation and Technology Secretary Michelle Donelan announced that the UK would be “replacing GDPR” with a “business and consumer-friendly, British data protection system”. And in her statement accompanying publication of the Bill, she wrote that the proposed new laws will “release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy”.
Whilst talk of replacing GDPR may have sounded radical, the changes set out in the Bill are not a wholesale rejection and replacement of GDPR but a series of targeted reforms to the existing framework. These can broadly be grouped into changes that are intended to provide greater certainty to organisations that process UK personal data by clarifying aspects of the existing framework, changes that are intended to reduce requirements that are perceived by the government (and by some businesses) as burdensome, and changes that meet the government’s pro-business, pro-innovation agenda.
The Bill is currently making its way through Parliament, and has recently undergone detailed examination as part of the Committee stage. The House of Commons Public Bill Committee took evidence from a range of experts and interest groups from outside Parliament, including current UK Information Commissioner John Edwards. The views received by the Committee were mixed, with some speaking positively about the changes and others raising privacy concerns. Some also felt that the reduction in red tape, such as the removal of data protection impact assessments, could lead to a lowering of data protection standards in the UK, compromising the adequacy decision with the European Union and reducing protection for data subjects.
There has been a general concern raised in commentary on the Bill that proposed divergence from EU GDPR would jeopardise the decision on adequacy, and that if adequacy is lost, the benefits of any changes under the Bill would be outweighed by additional costs to companies operating internationally. However, fear of the UK losing adequacy under the GDPR as a result of these changes was not shared by a number of the experts that gave evidence to the Committee — notably including John Edwards, who believes that there is nothing in the Bill that would put the adequacy decision at risk, or that there is a realistic prospect of the European Commission reviewing the adequacy decision negatively.
Creating certainty
A number of the proposed areas of reform are intended by the government to provide greater certainty for businesses processing personal data in compliance with UK data protection law.
Updated definition of personal data
The government proposes updating the definition of personal data to specify what is meant by identification of an individual ‘directly or indirectly’ and information ‘relating to’ an identifiable living individual. Similarly, it is proposed to include an updated definition of pseudonymisation. To an extent these changes codify existing guidance from the Information Commissioner’s Office (ICO), but businesses will nevertheless likely welcome them, especially in respect of indirect identification, which can be a complex determination.
Recognised legitimate interests
Many businesses rely on the ‘legitimate interests’ basis set out in the UK GDPR as the legal basis for their processing. The government is proposing to include some examples of processing that may be considered as necessary for the purposes of a legitimate interest. This includes processing for direct marketing, intra-group transmissions of data, and processing to ensure security of network and information systems. Whilst the list is indicative only and controllers will still have to ensure that the legitimate interest is not outweighed by individuals’ rights and freedoms, businesses will likely find this helpful.
Additionally, the government intends to introduce a new legal basis for processing that is for a ‘recognised legitimate interest’. The legitimate interests that will fall within the scope of this legal basis are listed in a proposed new Annex to the UK GDPR, and include processing that is necessary for detecting, investigating or preventing crime (which would cover economic crimes such as fraud, money laundering or terrorist financing). This may be useful to businesses with obligations to carry out KYC or financial checks on their customers. A key difference between this new legal basis and the current legitimate interests basis is that businesses relying on one of the recognised legitimate interests will only need to ensure that their processing falls within one of the listed activities – they would not also be required to perform the balancing test described above for ‘ordinary’ legitimate interests.
International data transfers
The rules governing cross-border transfers of personal data have become notoriously complex, with a fair degree of uncertainty in recent times following a series of well-publicised legal challenges to the adequacy of measures used to ensure personal data is safeguarded once transferred. The government wants to create a clearer and more stable framework for international transfers and proposes achieving this by:
- Introducing a risk-based approach to data transfers so that standardised data transfer agreements can be used to send data to a third country provided that the exporter, acting reasonably and proportionately, considers the standard of data protection provided would not be materially lower than the standard under UK data protection law.
- Changing the adequacy rules so that international transfers can be authorised by the Secretary of State if the standard of data protection in the country is not ‘materially lower’ than the standard under UK data protection law. The current approach (and the approach under the EU GDPR) is that protection must be of an ‘adequate level’, which means an equivalent level of protection.
Many businesses are likely to welcome a simpler and clearer set of rules for international transfers. Businesses that also transfer personal data that is subject to EU GDPR will, of course, still be required to comply with the EU GDPR framework for international transfers, so the practical benefits of these changes may be of lower impact if those businesses choose to follow the (higher) EU GDPR framework for all of their international transfers.
Reducing burden
The Department for Science, Innovation and Technology (DSIT) believes that “the existing European version of GDPR takes a highly prescriptive, top-down approach to data protection regulation, which can limit organisations’ flexibility to manage risks and places disproportionate burdens on small businesses”. A number of the proposed reforms fall into the category of areas where the government intends to reduce the burden for businesses processing under UK GDPR.
Fewer records of processing
Under the proposed reforms, records will only be required to be kept for processing that is likely to result in a high risk to the rights and freedoms of individuals. There is no such distinction under the current UK GDPR, which requires records of all processing (subject to some limited exemptions). Businesses that process personal data that is subject to EU GDPR will still need to comply with the more extensive record-keeping requirements and so the practical benefit of this change remains to be seen.
No more DPIAs
The UK government is proposing to replace data protection impact assessments (DPIAs) with an ‘assessment’ of high-risk processing. Although the new process appears intended to be lighter-touch than for DPIAs, in practice it may be little more than a change in name. A related key change under the new rules is that businesses would no longer have to consult with data subjects on the intended high-risk processing (which they are currently required to do where appropriate), and prior consultation with the Information Commissioner (which is required where there is high risk processing and measures cannot be taken to reduce the risk) would be optional and no longer mandatory.
No more DPOs
The UK government plans to remove the requirement for businesses to appoint data protection officers (DPOs). Instead, businesses that conduct high risk processing (and public bodies) will have to designate a member of the senior management to act as the ‘senior responsible individual’ (SRI). The SRI will be responsible for data protection compliance tasks but will not be required to have any particular expertise or knowledge of data protection law, unlike DPOs.
When the government consulted on its proposed reforms to UK data protection law in 2021, the majority of respondents disagreed with the proposal to remove the requirement to designate a DPO, mainly citing concerns that removal of the DPO requirement would result in a loss of data protection expertise and that the lack of independence could lead to a potential fall in trust and reassurance for data subjects. However, the government’s view is that the appointment of SRIs will ensure data protection is established at a senior level and embed an organisation-wide culture of data protection.
Data subject requests
The government is proposing to amend the exemption that businesses can use to charge a reasonable fee or refuse to respond to a request from a data subject to situations where a request is ‘vexatious or excessive’ rather than ‘manifestly unfounded or excessive’ under the current rules. Requests that are ‘vexatious’ would include those that are intended to cause distress, not made in good faith, or are an abuse of process. During the Committee stage, a proposal to amend the Bill to require the ICO to produce a code of practice on the terms ‘vexatious’ and ‘excessive’ was rejected, but the inclusion of ‘good faith’ and ‘abuse of process’ may become a matter for interpretation and the subject of future guidance from the ICO as to their meaning (which is potentially broad). For example, the inclusion of abuse of process may be relevant to businesses involved in disputes where access requests are made by data subjects as a means for obtaining early disclosure of information.
No UK representatives
Businesses that are subject to UK GDPR but not established in the UK will no longer be required to appoint a UK-based representative. The UK government believes that controllers and processors should be left to decide how to most effectively communicate with UK stakeholders (such as data subjects and the Information Commissioner), in order to meet their legal requirements under UK GDPR.
Encouraging technology innovation
The government wants these data protection reforms to help businesses innovate, in particular with “next generation” technologies such as AI, and a number of these changes reflect that pro-innovation, pro-technology agenda.
Automated decision making
The government’s view is that the UK’s current data protection laws regarding automated decision-making make it difficult for businesses to responsibly deploy such capabilities due to complexity and a lack of clarity. The government wants the reforms to enable the deployment of such AI technology, providing scope for innovation with appropriate safeguards in place.
Although changes in this regard may be welcomed by companies that use or intend to use AI technology for this purpose, the perceived weakening of individuals’ rights not to be subjected to automated decision-making, at a time when the use of technologies that enable this, such as AI, is becoming more widespread, has been met with some scepticism from data privacy advocates.
Under the current law, automated decision-making is not permitted unless one of three use cases applies. The proposed reforms will relax this regime so that businesses can use automated decision-making, but they will need to ensure that certain ‘safeguards’ are in place when a ‘significant’ decision is made solely using automated processing. The rules will be stricter if automated processing is used to make significant decisions based on processing of special category data, which will only be permitted if one of two specified conditions is met.
Scientific research, including for technological development
In another of the pro-technology innovation changes, the government proposes to update UK GDPR so that references to processing for ‘scientific research purposes’ will be deemed to include any research that can reasonably be described as scientific, whether publicly or privately funded and whether conducted as a commercial or non-commercial activity. This would also include processing for technological development or demonstration purposes (as long as these activities can reasonably be described as scientific). This change will enable businesses to confidently further process personal data for scientific research purposes when that is commercial and/or in a technological field, and will provide greater certainty that they can rely on the related exemptions to various requirements of the UK GDPR when processing for these purposes.
In conjunction with this, it is proposed that the definition of consent will be amended to allow controllers to obtain consent for an area of scientific research even if the purposes for which the personal data are to be processed cannot be fully identified at the time of collection. Currently, consent is only valid if it is given for a specific purpose. This can be problematic for conducting research, which by its nature may change course over time within a general field of investigation. Under the proposed change, consent will be deemed to be for a specific purpose if it falls within the new definition of consent for scientific research purposes.
Further processing
UK GDPR currently limits processing to specified purposes, and does not allow further processing that is incompatible with those purposes except in limited circumstances (for example, for scientific research purposes as noted above). The government wants to provide businesses with greater certainty about how to decide whether further processing is compatible (which can be a complex analysis), and proposes achieving this by introducing a set of criteria for controllers to consider when making that assessment. This includes a list of conditions (set out in a new Annex to the UK GDPR) under which further processing would be considered compatible with the original purpose. The conditions include processing that is necessary for a controller to comply with its obligations in law and for detecting, investigating, or preventing crime (including fraud, money-laundering or terrorist financing), and the Secretary of State will be given the power to add further conditions to this list.
Finally, one of the proposed changes that has received a degree of attention is the plan to abolish the ICO and replace it with a new ‘Information Commission’. The Information Commissioner (currently John Edwards) will become the chair of the new Information Commission, which will be made up of a board of executive and non-executive members. Privacy campaigners in particular have criticised the proposal to give the Secretary of State powers to create a ‘designated statement’ of strategic priorities that the new Information Commission should have regard to, to veto codes and guidance prepared by the new Information Commission, and to appoint board members, which they consider will erode the independence of the UK’s data protection regulator. When asked about this by the House of Commons Public Bill Committee, John Edwards said he did not believe this would undermine the Information Commission’s independence or affect the way in which it discharges its enforcement functions.
What happens next?
The House of Commons Public Bill Committee gave detailed consideration to the Bill over eight sittings in May 2023, including taking oral evidence from experts during two of those. Following this, some mainly minor or technical amendments proposed by the government were agreed and an updated version of the Bill was published in June. The next step is for the Bill to progress to the Report stage, when Members of Parliament will have an opportunity to consider and vote on further amendments to the updated version of the Bill. It is anticipated that the data protection reforms proposed in the Bill will become effective at the earliest towards the end of 2023.
Written by Daniel Gallagher, senior associate, technology and data, and Emma Burnett, partner and head of data protection at law firm CMS UK.