The Data Protection and Digital Information (No.2) Bill (the Bill) is reaching the end of its passage through Parliament and is now at Committee Stage in the House of Lords. It could receive Royal Assent this year, following which the implementation timetable will be known.

If the Bill becomes law, it will update the UK’s data protection framework by making changes to the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003. It will apply to any business that processes the personal data of UK residents, no matter its location.

Key provisions

The Bill retains much of the UK GDPR but makes changes in a number of areas. Some key changes introduced by the Bill include:

  1. clarifying (and likely restricting) when data is “personal data”;
  2. clarifying that “legitimate interests” can be used as a lawful basis for direct marketing, and removing the “balancing test” for some important public interest matters;
  3. clarifying the regime applicable to automated decision making;
  4. potentially making international data transfers out of the UK easier by changing the requirement for an “adequacy decision” to an “approved transfer”, the new test being whether the standard of protection in the receiving jurisdiction is not materially lower than the UK regime;
  5. widening the circumstances under which a controller can refuse to respond to, or charge for responding to, a Data Subject Access Request (i.e. if it is “vexatious or excessive”, as compared to the GDPR’s “manifestly unfounded or excessive”);
  6. replacing the requirement to have a Data Protection Officer with the more limited requirement to have a “Senior Responsible Individual” in place for high-risk processing;
  7. removing the requirement to have a UK representative in place for controllers with no presence in the UK;
  8. restricting the obligation to keep records of processing to high-risk processing only;
  9. widening the grounds under which a controller can process personal data for a new purpose;
  10. renaming the ICO the “Information Commission” (IC), and enhancing its duties;
  11. raising the enforcement powers of the new IC under PECR to match GDPR levels;
  12. extending the “soft opt-in” marketing permission regime under PECR to political parties (just in time for the General Election, perhaps?) and non-commercial organisations;
  13. introducing an obligation on telcos to notify the IC if they have reason to suspect contravention of PECR by a user of their network; and
  14. introducing a framework for the provision of digital verification services in the UK, including a register of organisations providing digital verification services, a trust mark for use by registered organisations and an information gateway for the public.

What will the Bill mean for businesses?

Businesses which already comply with the UK GDPR should not face any greater burden in complying with the Bill (apart from telcos in relation to reporting certain PECR breaches by users), although note that the Bill does introduce a number of areas where businesses may wish to take advantage of the new flexibility.

Businesses which operate in both the EU and the UK may find it simpler to carry on complying with the EU’s GDPR regime, unless they are able to adopt the less burdensome UK requirements in relation to their UK operations only.

Finally, what about the UK’s adequacy decision granted by the EU? This decision is relied on to allow personal data transfers from the EU to the UK. Clearly the EU Commission will be very interested in any changes to the UK’s data protection regime, and, to the extent that such changes weaken the regime, the changes may endanger the UK’s adequacy decision. However, maintaining the adequacy decision is clearly a key interest for the UK – we need only look at the years of struggle between the US and the EU to agree a legally valid data transfer mechanism to see how important our adequacy decision is. It is to be hoped that the Bill will not pose any material risk to the UK’s “adequate” status.

If you have questions about the Data Protection and Digital Information Bill, please contact Dan Tozer.


This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.