The UK Data Reform is now Under Way
The UK ‘Data Protection and Digital Information Bill’ is now moving through parliament and there is much to consider. There is natural interest in its potential to amend the UK GDPR and the Data Protection Act 2018 (DPA 2018), but of far greater practical use is the amendment to the Privacy and Electronic Communications Regulations 2003 (PECR).
Most likely as part of the Government plan to maintain adequacy, the Bill expands upon certain key definitions found in the GDPR recitals when making changes. Happily, the Bill is trying to address aspects of the ICO guidance which arguably go too far or are not supported by the current law, but which can all too often be treated as if they were law. In terms of what the law will apply to, we see that the proposal is to further ‘clarify’ the law on the definition of ‘personal data,’ with a focus on whether additional information is or is not used to identify an individual. This provision looks to reflect ICO guidance on anonymisation and the ‘subjective’ approach to the question of identifiability. There is further expansion of definitions in defining scientific research and statistical purposes, by drawing on the existing recitals. This latter change is to address perceived issues with the use of personal data in research.
Legal Basis and Principles
There will be a new concept of ‘recognised legitimate interests’ and this may help businesses avoid debates as to what is and is not a legitimate interest. It is hoped this will assist businesses, as those activities which are named will be deemed to automatically satisfy the legitimate interests balancing test, providing greater certainty to controllers looking to rely on this legal basis (cl. 5 and Schedule 1). We must hope this will not lead to an overly restrictive interpretation by the ICO, where matters not in the list are viewed with more suspicion than under the current model. The Bill also creates new exemptions based on the ‘purpose limitation’ principle, including, for example, the disclosure of personal data to a public authority that is relying on the ‘public task’ legal basis (cl. 6 and Schedule 2).
The Information Commissioner
The Commissioner will become an Information Commission, and there are a number of reforms proposed. In future, the Commission will be subject to express duties to have regard to promoting innovation and competition, and safeguarding public and national security (cl. 27); the Secretary of State will be able to set ‘strategic priorities’ for the Commission (cl. 28); and the Commission’s performance will be assessed on an annual basis using KPIs (cl. 33).
It is a little surprising that the Commission will be granted several new powers designed to support its investigatory and enforcement activities, including powers to require controllers or processors to arrange for the preparation of a report at the controller or processor’s expense (cl. 35); and the power to require persons to attend at a place and answer questions (referred to as an ‘interview notice’) (cl. 36). Given the past experience of those subject to the ICO’s investigations, and some past Government scepticism, not everyone expected that these new powers would or should be granted. Given those powers, it will be important to know what protections will be in place for witnesses subject to interview notices, and what financial risk and cost of the report might fall on businesses.
Obligations of Controllers / Processors
The Data Protection Officer is to be replaced by a new role, called ‘Senior Responsible Individual’ (cl. 14). The requirements for needing to appoint a Senior Responsible Individual are slightly different to the existing need to appoint a Data Protection Officer, with the new requirement applying to public bodies and organisations undertaking high risk processing. The designated individual must be a senior member of management, rather than simply reporting to senior management. In most respects, however, the role is largely similar to that of the Data Protection Officer, such as monitoring compliance of the organisation, advising the organisation on data protection issues, taking steps to ensure compliance and acting as contact point for the Commissioner.
Under the proposed new regime, the requirement to carry out Data Protection Impact Assessments is replaced by a requirement to undertake ‘Assessments of High Risk Processing’ (cl. 17). This is welcome, given that the impact assessments were seen as too bureaucratic and required too frequently. The criteria to carry out a DPIA that are currently set out in Article 35(3) of the UK GDPR are to be removed. This will likely raise a question of whether it affects adequacy, as any removal of a GDPR requirement is bound to raise questions. It is also proposed to remove the current obligation under Article 27 for organisations which operate outside of the UK, but are caught by the UK GDPR’s extra-territoriality provisions, to appoint a representative.
Data Subject Rights
The Government is clearly concerned that data subject access requests are too numerous and cumbersome to be fair on controllers. Consequently, controllers will be able to refuse data subject access requests that are ‘vexatious or excessive’ (cl. 7). Vexatious will mean requests which are ‘intended to cause distress,’ ‘not made in good faith,’ or amount to ‘an abuse of process.’ These sound fine, but practically we expect there to be considerable debate as to what is and is not intended to distress, or is not in good faith.
When collecting information directly from a data subject, a controller will not need to be concerned about the requirement to provide fair processing information under Article 13 UK GDPR where data is collected for scientific research or statistical processing. Where data is collected indirectly and is subject to Article 14 UK GDPR, there will be criteria to help determine when the ‘disproportionate effort’ exemption applies, and the implication that this should be limited primarily to scientific research is, for Article 14 purposes, removed (cl. 9).
Amendments in relation to both international transfers and the UK’s approach to adequacy assessments are proposed (Schedule 5). Article 44 of UK GDPR is set to be removed, which is the over-arching requirement that “All provisions in this Chapter [V] shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.” Removing this is meant to make data transfers less onerous and give greater flexibility to UK exporters of personal data, but the EU response and the risk to the adequacy decision is a concern with any such change. The previous adequacy assessment criteria are to be replaced by a new ‘data protection test’ for which the required standard is now ‘not materially lower than,’ but whether this helps depends on keeping adequacy, and how the new Commission and Court deal with the EU doctrine of ‘essential equivalence’ in terms of judging what is adequate.
The Government seems very keen to change how we experience the consent pop-ups for cookies. The interesting aspect of that is that the approach to pop-up consent boxes is more convention than prescribed rule, so not everyone felt this change was needed. However, the Bill seeks to relax cookie consent requirements by expanding what falls within the ‘strictly necessary’ exemption (cl. 79). As a result, cookies purely for statistical assessment and gathering information are to move from a consent and opt-in to an opt-out default, albeit subject to certain criteria. The Bill also proposes to provide further clarity on what will fall within the ‘strictly necessary’ exemption.
As the Bill progresses we will monitor changes and update you further.