In September 2021, the government launched the consultation “Data: A New Direction” which outlined its plans to create a pro-growth and innovation-friendly data protection regime as part of the broader National Data Strategy.
This consultation informed the new Data Protection and Digital Information Bill which is currently working its way through parliament. Although no specific date has been provided for when this Bill will become law, most recent suggestions is that this will be towards the middle of 2024.
The Data Protection and Digital Information Bill will lead to changes to the following legislation:
- UK General Data Protection Regulation
- UK Data Protection Act 2018
- Privacy and Electronic Communications Regulations
In particular it includes the following proposed changes:
- Further guidance on the definition of personal data and clarification of definitions in other areas.
- Introduces a new role of Senior Responsible Individual instead of a Data Protection Officer.
- Introduces a new “recognised legitimate interest” lawful basis listing specific areas that are seen as justifiable legitimate interests for processing personal data and generally clarifying situations in which legitimate interests may apply.
- Removes the idea of a “manifestly unfounded” data subject request and replaces it with the concept of “vexatious” requests and clarifies when the legal professional privilege exemption may apply.
- Strengthens wording around the right to complain to the data controller and not just the ICO and introduces expectations on organisations to have clear processes for handling Data Protection complaints and acknowledging these within 30 days.
- Removes the requirement for a UK representative for overseas organisations.
- Limits the requirement for a record of processing activities to just those organisations carrying out high risk processing.
- Introduces more flexibility around current approaches to assessing risks to personal data (no longer a need for a Data Protection Impact Assessment specifically).
- Updates enforcement powers of the ICO to include interview notices, increased fines for breaching the Privacy and Electronic Communications Regulations amongst other areas.
- Revises the approach to which cookies are allowed without opt-in consent including for statistical cookies.
- Provides more clarity on consent requirements for charities marketing to their supporters.
Potentially there may still be changes to this Bill as it continues to be debated in parliament, but the above are the main expected changes.
For more information on any of these areas, please read below or get in touch.
UK General Data Protection Regulation – Changes
The proposed changes to the UK GDPR are documented below:
Definitions
- Some minor changes to definitions to personal data (considering directly vs indirectly identifiable individuals and pseudonymisation) amongst other areas
Roles
- Data Protection Officer role replaced with that of a Senior Responsible Individual. Although the roles are similar, the SRI must be a senior manager
Lawful basis for processing
- Introduction of a new “recognised legitimate interest” lawful basis allowing processing of personal data for defined legitimate purposes such as national security, emergencies, crime, safeguarding and democratic engagement
- Clarifying where legitimate interests may apply more generally for marketing, IT Security and intra-group data sharing
- Further clarity on “compatible purposes” where personal data may be used in a way that is compatible with the reasons for which it was originally collected e.g. for stastics, research, archiving, public security etc.
- More detail on processing for research, archiving and statistical purposes
Rights of data subjects
- Removes the idea of “manifestly unfounded” requests and replaces it with “vexatious” requests and provides guidance on when data subject requests may be considered vexatious
- More detail provided on the circumstances in which organisations may be able to delay responding to requests
- Makes it clear that data subjects have the right to complain to the organisation (data controller) as well as the Information Commissioner’s Office
International Data
- Removes the requirement for non-UK organisations to have a UK representative where processing UK residents data
Records
- Records of Processing will now only be required for organisations carrying out high risk processing
- No specific requirement for a Data Protection Impact Assessment, but more general need to carry out an assessment of high risk processing
- Removal of requirement to report continued high risks to the ICO prior to processing
In addition to these changes, there is also more clarity and guidance in the following areas:
- Safeguards when carrying out automated individual decision making i.e., when making significant decisions about individuals without any human intervention.
- Further guidance on what “Data Protection Tests” may need to be applied to international transfers as part of transfer risk assessments.
UK Data Protection Act 2018 – Changes
The changes proposed to the UK General Data Protection Regulation detailed above, are mirrored in the proposed changes to the UK Data Protection Act. However, there are a few other areas worth highlighting in addition to the above including:
Identifiable individuals
- Further guidance on what makes someone “identifiable” and what we mean by “reasonable means” taken to identify someone.
Consent
- Further guidance on what “consent” means in the context of processing data for law enforcement reasons.
Legal professional privilege
- Guidance on when you can apply the legal professional privilege exemption e.g. in terms of not releasing information for a subject access request.
ICO Powers
- Introduction of a new enforcement mechanism – “Interview notices” to allow the ICO to interview organisations around specific investigations.
Complaints
- Expectation for organisations to have clear processes for handling Data Protection complaints, ensuring these are acknowledged within 30 days and dealt with without undue delay.
Privacy and Electronic Communications Regulations – Changes
The Privacy and Electronic Communications Regulations (PECR) sit alongside Data Protection laws and gives people specific privacy rights in relation to electronic communications. In particular it provides rules on:
- marketing calls, emails, texts and faxes
- cookies (and similar technologies)
- keeping communications services secure
- customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings
The Data Protection and Digital Information Bill proposes a number of changes to PECR, including in the following areas:
Cookies and similar technologies
PECR currently dictates the need for clear information on how cookies are used and the need for consent for the majority of cookies used (apart from those that are strictly necessary).
The proposed changes, provide a number of areas where cookies and similar technologies may be used without consent. This includes where providing an information society service and cookies are needed to:
- Collect information for statistical purposes about how the service is used with a view to making improvements to the service
- Collect information for statistical purposes about how a website that provides services is used with a view to making improvements to the website
- Enable the way the website appears or functions when displayed on, or accessed by the user’s equipment, to adapt to their preferences
- To enhance the appearance or functionality of a website when displayed on, or accessed by a user’s equipment.
The above is on the proviso that the user is given clear information about the use of these cookies, has a simple way of objecting to this and the data is not shared more widely (unless to support improvements).
It also describes other situations where consent may not be required in relation to software updates and IT Security. These are allowed, if the user has been effectively informed, given the chance to object and are allowed to disable or postpone updates and remove or disable the software. It also describes emergency situations where consent would not be required e.g., to geolocate an individual who has requested emergency assistance.
The proposed changes go on to describe other circumstances where this storage or access may be appropriate in relation to protecting information, ensuring appropriate security, to prevent/detect fraud, to prevent/detect technical faults, to authenticate the user and to maintain a record of selections or information put into a website by a user.
It also clarifies that there is the potential for users to demonstrate their consent or objection via controls on the internet browser or use of other app or programme to signify consent or an objection.
Direct Marketing
- The proposed changes provide more information on marketing for charitable, political or other non-commercial objectives. It specifies that electronic marketing can be carried out without consent to those individuals who have expressed an interest in supporting the specific objectives of the organisation and who were given a way of refusing the use of this data in this way when their data was collected and subsequently.
- It also imposes obligations upon public electronic communications services to inform the ICO of contraventions of direct marketing regulations, with a potential fine for those who do not do this.
PECR Enforcement Powers
- One of the key proposed changes to PECR is to update its enforcement powers to bring in line with the Data Protection Act including increasing potential fines from £500,000 to £17,500,000 or 4% of the organisation’s annual worldwide turnover – whichever is higher.