A new Data Protection and Digital Information Bill (the Bill) in the UK is proposed to substantially modify the prevailing privacy framework derived from EU law. Amongst other reforms, it vows to soften the regulations and overhaul the UK Information Commissioner’s Office (ICO).
Since the EU-UK Transition Period ended on 31 December 2020, the UK Government made clear its intention to renovate the UK’s data protection framework. The Bill is purporting to maintain a high standard of protection for people’s privacy and personal data while pledging to deliver around £1 billion in savings for businesses.
The Queen’s Speech of May 2022 officially announced upcoming legislation to alleviate the current barriers of complying with the UK GDPR and Data Protection Act 2018 (DPA 2018). Among other updates, this new legislation seeks to harmonise and clarify the different lawful grounds on which private companies can process personal data at the request of public bodies and remove unnecessary regulatory hurdles in order to allow an adequate delivery of public services.
Following the conclusion of DCMS’ consultation, the Bill was formally laid before Parliament on 18 July 2022. The Bill outlines a more flexible approach to data protection compliance by introducing an array of measures concerning personal data and digital information as well as streamlining the requirements the current legislation places on organisations to demonstrate how they are complying with the regulations.
Current Data Protection Regulatory Framework in the UK
The EU’s General Data Protection Regulation (EU GDPR) was incorporated into UK law at the end of the EU-UK Transition Period under section 3 of the European Union (Withdrawal) Act 2018 (EUWA 2018) and modified by the Data Protection, Privacy and Electronic Communication (Amendments etc) (EU Exit) Regulations 2019 under the power in section 8 EUWA 2018 to create the UK GDPR.
The UK GDPR came into force on 1 January 2021 and covers the key principles, rights and obligations for most personal data processing activities in the UK, with the exception of law enforcement and intelligence agencies. It is based on the GDPR which applied in the UK from 25 May 2018 to 31 December 2020.
The GDPR together with the DPA 2018, replaced the Data Protection Directive (95/46/EC) and its UK implementing legislation with effect from 25 May 2018.
The Brexit Regulations introduced a number of changes so that the retained EU law version works in a UK setting from 1 January 2021. The DPA 2018 sits alongside and supplements the UK GDPR.
The UK’s data protection framework therefore consists of three regulatory regimes:
- general processing of personal data – governed by the UK GDPR as supplemented by Part 2 of the Data Protection Act 2018;
- processing by ‘competent authorities’ (as defined in section 30 & schedule 7 DPA 2018) for law enforcement purposes – governed by Part 3 DPA 2018, which implemented EU Directive 2016/680 (the EU Law Enforcement Directive) into UK law; and
- processing by the UK intelligence services – governed by Part 4 DPA 2018.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 transposed Directive 2022/58/EC (PECR). Certain types of processing activities are specifically regulated in the PECR, such as the collection of personal data through cookies and direct marketing, which overlap the general rules for processing in the UK GDPR. The Bill introduces a number of amendments to these existing sources of data protection law.
The main amendments introduced by the six Parts of the Bill are:
- Part 1 seeks to clarify ambiguities found in the UK GDPR and provides the ICO with additional enforcement powers.
- Part 2 outlines the provision of digital verification services (see section below for further details).
- Part 3 addresses the use of customer data and business data and provides powers to create ‘smart data’ schemes which allow the secure transfer of customer data, upon customer’s request, with authorised third-party providers.
- Part 4 includes stipulations around digital information including variations to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), for instance amendments to the rules on cookies, unsolicited direct marketing (including a duty on a public electronic communications service provider to notify the ICO of unlawful direct marketing) and communications security (e.g., network traffic and location data).
- Part 5 creates a statutory organisation, with a new governance structure, to replace the Office of the ICO. It also updates the scope of the police National DNA Database Board and provides the Secretary of State with a power to change the scope of the Board.
- Part 6 introduces the power to make consequential revisions, financial provision, and commencement.
The rules on international transfers and cross-border personal data flows are also refined in the Bill. This intends to simplify international commerce by providing a comprehensible and more balanced framework for international data transfers. The new scheme seeks to maintain high levels of protection when personal data is exported outside the UK, and the data protection criteria will focus on the protection afforded to data subjects, regardless of formalities.
The Bill similarly amends the threshold at which organisations can refuse to respond to a subject access request, to where a request is deemed to be ‘vexatious or excessive’. This threshold allows requests made without the intention of accessing personal information to be more easily refused or charged for than the existing threshold of ‘manifestly unfounded or excessive’.
Digital Identity Verification Services
As there are currently no specific regulations addressing how business are providing digital identity verification services in the UK, the digital identity provisions in this Bill seek to foster trust in and acceptance of digital identities across the UK to simplify identity proofing, reduce costs, make it more secure and to enable a booming digital identity marketplace in the UK for those that use these technologies to prove things about themselves, for example when opening an online bank account.
To do this, the Bill establishes a regulatory framework for the provision of digital identity verification services in the UK and allow public authorities to disclose personal data to trusted digital identity providers for the purpose of identity and eligibility verification.
The Data Protection and Digital Information Bill can be found here and the UK Parliament Legislation Tracker can be accessed here.
Please contact Jose Saras and Xavier Prida if you have any questions about the data protection implications around AI technologies.
The material contained in this article is only a general review of the topics covered and does not constitute any legal advice. No legal or business decision should be based on its content.