On 18 July 2022, the UK government released a draft version of its statutory instrument to reform the UK data protection regime. The Data Protection and Digital Information Bill (aka the Data Reform Bill) puts the proposals which the UK government confirmed it would be taking forward in a previous consultation response (for more information and background, please see our client alert) into a draft legislative form.
For most organisations, these changes do not appear to present a significant departure from the current framework – the Data Reform Bill’s changes to reduce the compliance burden for organisations generally aim at clarifying existing obligations under UK data protection law, or aim at achieving the same objectives through different means. Most of the Data Reform Bill’s amendments to the UK data protection regime have been already covered at a high level in the consultation response, although the Data Reform Bill also includes several additional amendments.
Certain key changes under the Data Reform Bill are worth highlighting in further detail:
Changes to reduce the compliance burden of organisations
As set out in its consultation response, the UK government aims to reduce the compliance burdens on businesses by giving them the opportunity to protect personal data in the most proportionate and appropriate manner. To that effect, the Data Reform Bill proposed changes, including:
- Changes to existing requirements: the “privacy management programme” first identified in the consultation response modifies several obligations under the UK GDPR, including:
- Data protection officers (DPO) replaced with senior responsible individual (SRI): The trigger to appoint a SRI is broadly the same as the requirement to appoint a DPO; an organisation that is a public body or an organisation that conducts high risk / large scale data processing, which would be subject to the requirement to appoint a DPO under the current regime, is very likely to be subject to the requirement to appoint an SRI. Notable differences include a requirement for the SRI to be a part of the organisation’s senior management team, an ability for the SRI role to be split between two or more part-time individuals sharing the same role within senior management, and additional granularity regarding the SRI’s tasks. The requirement to appoint the SRI from an organisation’s internal management team may now mean that third party organisations offering outsourced DPO services can no longer offer their services in their current form. Additionally, although the UK data protection authority has indicated that the appointment of a DPO may be a mitigating factor in any enforcement analysis it is not clear whether such mitigation will be applied to organisations which have appointed SRIs.
- Records of processing activities (ROPAs) replaced by appropriate records of processing personal data (ARPs): ARPs are broadly similar to ROPAs, as the minimum information requirements for ARPs broadly mirror that of ROPAs and have been simplified. Processor ARPs in particular have been further simplified through the removal of the requirement to log categories of processing and data transfers, although it must still indicate where personal data is located. Flexibility is introduced as organisations should first take into account the nature, scope, context and purposes of processing, the risks presented by such processing and the resources it has available in order to allow it to tailor its ARPs accordingly.
- Impact assessments replaced by assessments of high risk processing: The proposed assessments of high risk processing are also broadly similar to data protection impact assessments under the GDPR; while the minimum information requirements are generally carried across, they have been simplified and appear to permit organisations further discretion in reducing the amount of granularity recorded in such assessments. Furthermore, in the event that such an assessment indicates that the data processing would result in a high risk to data subjects in the absence of mitigating measures, the requirement to consult the UK data protection authority has been made optional. Whether voluntary consultation will be taken into account as a mitigating factor in any future investigation or enforcement action, as suggested in the consultation, remains unclear. Regardless, as many organisations elect to not proceed with a consultation in practice, this change is unlikely to have a significant impact.
- Data protection officers (DPO) replaced with senior responsible individual (SRI): The trigger to appoint a SRI is broadly the same as the requirement to appoint a DPO; an organisation that is a public body or an organisation that conducts high risk / large scale data processing, which would be subject to the requirement to appoint a DPO under the current regime, is very likely to be subject to the requirement to appoint an SRI. Notable differences include a requirement for the SRI to be a part of the organisation’s senior management team, an ability for the SRI role to be split between two or more part-time individuals sharing the same role within senior management, and additional granularity regarding the SRI’s tasks. The requirement to appoint the SRI from an organisation’s internal management team may now mean that third party organisations offering outsourced DPO services can no longer offer their services in their current form. Additionally, although the UK data protection authority has indicated that the appointment of a DPO may be a mitigating factor in any enforcement analysis it is not clear whether such mitigation will be applied to organisations which have appointed SRIs.
- Removal of the requirement to appoint a UK representative: While the consultation response was silent on requirement to appoint a UK representative, the Data Reform Bill removes this requirement. Currently, organisations without a UK presence that offers goods or services to individuals in the UK or monitors the behaviour of individuals in the UK are generally required to appoint a representative in the UK. This may be a tacit acceptance of the existing challenges faced by data protection authorities to take enforcement action against non-domesticated parties – for example, the UK data protection authority recently levied a 7.5 million GBP fine on Clearview AI, a U.S. based organisation, and the practical enforcement of this fine raises this challenge. As with the proposed changes to DPOs above, this may also mean that third party organisations offering outsourced UK representative services can no longer offer their services as they stand.
- More flexibility in security measures: the Data Reform Bill generally provides more flexibility for organisations to implement appropriate security measures, as references to requirements for organisations to implement “appropriate technical and organisational measures” are replaced with a simplified requirement to implement “appropriate measures, including technical and organisational measures”. It is not clear whether contractual measures alone will suffice; at least in the context of data transfers, the EDPB has previously indicated that contractual measures alone will generally not be capable of providing adequate protection when transferring personal data to a third country.
- Exemptions for the legitimate interests balancing test: For certain processing purposes, the balancing test required to rely on legitimate interests is removed. The list of such processing purposes is limited – for most organisations, such purposes consists of responding to requests made in the public interest, safeguarding national security, public security and defence, responding to emergencies, detecting, investigating or preventing crime or to apprehend and prosecute offenders, or safeguarding a child or vulnerable adult. Some of these purposes appear to overlap with processing required to protect the vital interests of data subjects, which is a separate legal basis under the (UK) GDPR, and it is not clear whether these recognised legitimate interests should be relied on as a legal basis in lieu of vital interests. Regardless, this is unlikely to affect many organisations in practice as it is unlikely that common data processing activities (such as HR or direct marketing) will fall under these purposes. However, in its consultation response the UK government has indicated a possibility for this list to be expanded in the future, and the Data Reform Bill permits the Secretary of State to amend this list through future regulation(s).
- Additional hurdles for data subjects to exercise data subject rights (DSR) and make complaints: Currently, controllers may refuse to comply with a DSR under the UK GDPR when they are “manifestly unfounded or excessive”. The Data Reform Bill replaces this with “vexatious or excessive”; the onus is on the controller to show that it is so, and the Data Reform Bill provides examples: “vexatious or excessive” DSRs thus includes DSRs that are (i) intended to cause distress, (ii) not made in good faith, or (iii) an abuse of process. The Data Reform Bill also permits the UK data protection authority to refuse to act on a data subject’s complaint if such a complaint is similarly vexatious or excessive, or if the data subject has not first raised it with the relevant controller, and controllers must acknowledge receipt of a complaint within 30 days and progress the complaint without undue delay. The combined effect of these changes are thus mixed; organisations may find themselves with more options when strategising DSR responses, but may also have to deal with additional obligations when dealing with complaints.
- Easier to achieve anonymisation: The Data Reform Bill modifies the definition of personal data to information is identifiable by the controller or processor by “reasonable means” at the time of the processing, or where the controller or processor “knows, or ought reasonably to know, that another person will, or is likely to, obtain the information as a result of the processing, and the living individual will be, or is likely to be, identifiable that person by reasonable means at the time of the processing”. This means that under the Data Reform Bill, whether information can be considered to be anonymised is a subjective standard; and it is up to the controller, processor, and persons that will or will likely receive the information to assess whether such information is identifiable. This will have the effect of making anonymisation easier to achieve, and as anonymised information is outside the scope of the GDPR, organisations may find themselves at liberty to use additional datasets without being subject to its obligations under the UK GDPR, as long as its anonymisation practices meet this subjective test.
- Further processing of personal data: The Data Reform Bill also permits organisations to permit further processing of personal data in limited circumstances. Such circumstances include when the further processing is carried out for research, archival and statistical (RAS) purposes, taxation purposes, and for several additional purposes that replicate the list of recognised legitimate interests above (e.g. to safeguard public security, respond to emergencies, for crime prevention purposes or to safeguard a child/vulnerable adult).
Facilitating the use of data for research, archival and statistical purposes
As stated in the consultation response, the UK government aims to simplify legal requirements around research in order to boost innovation in the UK. To that end, the Data Reform Bill includes several amendments to permit or clarify further processing for RAS purposes, such as introducing statutory definitions for scientific research, historical research, and statistical purposes, and permitting organisations to rely on prior consent when conducting scientific research where it was not possible to fully identify the purposes of processing at the time consent was sought.
The Data reform Bill also includes limited exemptions to the requirement to provide data subjects with information where the additional processing is for RAS purposes. However, the Data Reform Bill also requires organisations to implement additional safeguards when processing personal data for RAS purposes, such as ensuring that such processing does not cause substantial damage or distress to individuals, and must also deploy technical and organisational measures to enforce data minimization (e.g. through the use of pseudonymisation).
Changes to direct marketing and cookie rules
The UK’s Privacy and Electronic Communications Regulations (PECR) is also amended by the Data Reform Bill. Among its other changes, the Data Reform Bill:
- Amends the consent requirement for certain cookies: the Data Reform Bill removes the requirement to obtain consent prior to the placement of statistic or functionality/preference cookies, and includes further clarification over the type of cookies that can be considered to be “strictly necessary” cookies (which do not require prior consent under current law). These changes generally put the ICO’s existing guidance on cookies into legislative form, although it remains unclear as to whether load balancing cookies may fall under the current scope of “strictly necessary” cookies. Regardless, as the enforcement regime for cookies currently presents organisations with much uncertainty, this clarification is a welcome first step to updating and possibly reforming the UK cookie compliance regime.
- Introduces direct marketing definitions and obligations: “Direct marketing” has now been defined to mean “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. Certain organisations are also required to notify the UK data protection authority if it has reasonable grounds for suspecting that a person is undertaking unlawful direct marketing, and may be issued with a fixed penalty of £1,000 for non-compliance.
- Extends liability for unsolicited marketing communications, whether or not received by intended recipient: Organisations which are responsible for generating unsolicited direct marketing communications, even where they do not reach with their intended recipient, may be subject to investigation and enforcement action by the UK data protection authority. This includes calls that do not connect with their intended recipient. Moreover, the Data Reform Bill increases the maximum penalty that may be levied on organisations for infringement(s) of their PECR obligations to GDPR levels (e.g. 17.5 million GBP or 4% of the global annual turnover, whichever higher). Given that the UK data protection authority takes far more frequent enforcement actions for breaches of PECR obligations than GDPR obligations, it remains to be seen whether it will change its approach to take this extended and expanded liability net into account.
Changes to the UK data protection authority
The Data Reform Bill reforms the Information Commissioner’s Office, the UK data protection authority, by abolishing it and replacing it with a body corporate, the Information Commission. The Data Reform Bill amends the powers, and obligations of the UK data protection authority as outlined in the consultation response, such as introducing the power to require individuals to attend interviews and a time limit to issue a penalty notice within six months from the day it issues a notice of intent. Broadly however, the role and responsibility of the UK data protection authority will remain the same. The Data Reform Bill also requires the UK data protection authority to produce an annual report on UK GDPR investigations and the exercise of its enforcement powers, which would no doubt be welcomed by organisations seeking to understand more about the UK data protection authority’s enforcement practices.
Commentary
On face value, these changes do not present a significant departure under the current regime. However the effects it will have in practice are difficult to assess at this early stage, particularly as it will be subject to further amendments.
As the Data Reform Bill makes its way through UK Parliament, one area of close scrutiny will be whether the business-friendly changes come at the cost of reducing the standard of data protection in the UK. Certain changes, such as the requirement for individuals to raise complaints with organisations before submitting a complaint with the UK data protection authority, the lack of a UK representative to focus enforcement on non-UK companies, and the ability to tailor GDPR-originated obligations and security requirements may potentially raise concerns, particularly if they are viewed as a “watering down” of existing standards instead of a clarification of or flexibility to meet existing standards.
In addition, it remains to be seen whether the European Commission (EC) raises any concerns with the proposed changes – the EC remains empowered to suspend, repeal or amend its UK adequacy decision, which currently permits the free flow of personal data from the EU to the UK (for more information, see our client alert here).
Timing
As before, organisations do not need to take any immediate action as the Data Reform Bill will be subject to further changes, and has several hurdles to overcome before coming into force. The Data Reform Bill is currently at its first stage in its passage through UK parliament and will be subject to several additional rounds of debate, examination and amendments.
The current political climate in the UK government may also affect the progress of the Data Reform Bill. Should a general election be called, the Data Reform Bill will fail if it is not carried through to the next parliamentary session. Assuming no major hiccups, the Data Reform Bill is likely to enter into force no earlier than 2023.
Authors
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.