On 8 March 2023, the UK Government published the long-awaited second version of its Data Protection and Digital Information Bill. Hailed as the “common-sense-led UK version of the EU’s GDPR”, the Bill intends to boost trade, reduce unnecessary barriers to data flows and acknowledges the need to maintain data adequacy with the EU. The Government estimates that the reforms will unlock £4.7 billion in savings for the UK economy over the next ten years.
The original Bill, which was first introduced in July 2022, was paused in September 2022 to allow ministers to “engage in a co-design process with business leaders and data experts”, according to the newly created Department for Science, Innovation and Technology (DSIT).
The vast majority of the updated Bill remains the same as the previous Bill published in July. The changes range from minor text amendments to updates on data processing reporting and clarity on whether existing international transfer mechanisms will still be valid. Upon publication of the Bill, the Government’s press release expressed confidence that the Bill would maintain EU data adequacy.
The updated Bill, presented to Parliament by the Government for its first reading on 8 March 2023, is only at the beginning of the legislative process. Dates for further readings are yet to be set. Please watch out for future issues from us as additional information becomes available regarding the legislative process. Take a look at our previous article on the first version of the Bill, which discusses the removal of the requirement for a Data Protection Officer (“DPO”), replacing the position with a Senior Responsible Individual (SRI), a change which remains in the updated Bill.
In this article, we will give a whistle-stop tour of some of the changes to UK data protection law if the Bill is passed in its current form. Firstly, we will look at the Bill’s approach to reporting requirements, which would significantly reduce the paperwork organisations need to complete to demonstrate compliance. We will then look at how the Bill makes it easier for commercial organisations to process data for research purposes and briefly explain the impact on international transfer mechanisms. Finally, we will explain the broadening of the ‘legitimate interests’ basis for processing personal data.
Reduced Reporting Requirements
Under the existing legislative framework, businesses with over 250 employees are required to keep written records of all data processing activities. If a business has fewer than 250 employees, this requirement does not apply unless:
‘the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data… or personal data referring to criminal convictions…’.
Article 30(5) UK GDPR
Clause 15 of the updated Bill introduces a new Article 30A into the UK GDPR, which removes the duty on businesses to keep appropriate records of processing unless “they are carrying out high risk processing activities”. Organisations must assess risk with reference to ‘the nature, scope and context of the processing’. The updated Bill provides that the Information Commissioner must publish a document listing the types of processing the Commissioner considers are likely to result in a high risk to the rights and freedoms of individuals.
How will this affect businesses? Although the proposal largely reflects current practice in the majority of businesses, where resources are focused on reporting on the highest risk activities, it would reduce the amount of compliance-demonstrating paperwork and create some time savings. However, before businesses across the UK avail themselves of the reduced reporting requirements, they should remain alive to their continuing obligations to respond to data subject requests and data breaches in the future. If a business has not documented what types of personal data it holds, where they are stored and with whom they are shared, it may run into problems down the line.
Update on the definition of “scientific research”
The DSIT claims that current UK data protection law does not provide enough clarity on when and how personal data can be processed for research purposes, hindering vital research efforts.
Clause 2 of the Bill amends Article 4 of the UK GDPR by expanding the definition of “processing of personal data for the purposes of scientific research”. Under the original Bill, the definition of “scientific research” was any processing which could “reasonably be described as scientific”. The updated Bill goes one step further, covering processing “publicly or privately funded and whether carried out as a commercial or non-commercial activity”. This appears to give clarity to the commercial sector that it may utilise the provisions in the UK GDPR relating to research, provided the processing meets the ‘reasonably be described as scientific’ test. The Bill sets out that this applies to processing for the purposes of technological development or demonstration, and fundamental or applied research. It also clarifies that research into public health only qualifies as scientific research if it is in the ‘public interest’. This clarification is not surprising, as it broadly reflects the current ICO position on this area.
The DSIT says that this will “reduce paperwork and legal costs for researchers, and will encourage more scientific research in the commercial sector”. It remains to be seen how the open-ended nature of the updated definition will apply to technological development for commercial purposes in practice.
International Data Transfers
The DSIT’s position is that the new Bill allows businesses to continue using existing international data transfer mechanisms to share personal data overseas “if they are already compliant with current UK data laws”. The Bill sets out that alternative transfer mechanisms lawfully entered into before the coming into force of this Bill will remain valid under the new framework. Therefore, UK businesses would not need to pay for, or complete, new checks to demonstrate compliance with the new GDPR framework. The new Bill does not propose major amendments to the international data transfer regime, a welcome clarification of the uncertainty under the previous iteration of the Bill.
Legitimate Interests
The updated Bill aims to simplify reliance on legitimate interest as a lawful basis by clarifying when organisations do not need to actively undertake a documented legitimate interest test, namely where the purpose of the data processing is on the list of ‘recognised legitimate interests’. These ‘recognised’ interests are limited and include processing for public and national security, preventing crime, defence and emergencies. Therefore the circumstances in which organisations are not required to complete a documented legitimate interest test do appear to be fairly limited.
Nonetheless, the Government is aiming to broaden the circumstances in which organisations can rely on the ‘legitimate interest’ basis, and the new Bill goes further than the original, setting out a list of examples of processing that may be considered necessary for the purposes of ‘legitimate interests’. The illustrative and non-exhaustive list of examples includes processing that is necessary for the purposes of direct marketing, intra-group transmission of data where that is necessary for internal administrative purposes, and security of networks and information systems. In these circumstances, to rely on this basis, data controllers must still ensure that their interests are balanced against, and do not outweigh, the rights, freedoms and interests of individuals. The Explanatory Notes to the updated Bill confirm that any legitimate commercial processing activity can be considered a legitimate interest, provided the balancing test is carried out and the processing itself is necessary. This proposal is unsurprising given that ICO guidance already recognises that “as long as the marketing is carried out in compliance with e-privacy laws and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest”. However, it is worth bearing in mind that this is an area of data protection law presently attracting live discussion, as we expect that the ICO may appeal the First Tier Tribunal Experian decision, which established that legitimate interest is a suitable basis for Experian’s marketing activity. Therefore, perhaps this area of the law is not quite settled yet.
The second version of the Bill only makes a few substantive changes to the original, particularly on record keeping, scientific research, legitimate interests and clarifying international transfers. Overall, the Bill brings clarity and scope to the definitions of ‘scientific research’ and ‘legitimate interests’ and ushers in a welcome relaxation of data processing reporting. The draft Data Protection and Digital Information (No.2) Bill is only at the start of the legislative process. A date is yet to be fixed for the second reading stage, which is expected to be within the next few weeks. Following this, interest groups and experts will be asked to comment and give evidence on the Bill, and parliamentarians will be given the opportunity to propose amendments.