Background
As we previously reported in a blog, on 18 July 2022 the Data Protection and Digital Information Bill (the “Bill”) was introduced in the House of Commons, with a second reading initially scheduled for 5 September 2022. However, following the election of Elizabeth Truss, which saw a cabinet reshuffle with several items moving up and down the Government’s agenda, a second reading was postponed to allow time for further consideration.
The Bill sought to update and simplify the UK’s data protection framework in a post-Brexit reform, reducing the burdens on organisations whilst still upholding high data protection standards. The calls for the Bill followed a consultation paper by the Department for Digital, Culture, Media and Sport (DCMS) titled “Data: A New Direction”, which emphasised the desire for a data reform package as a critical building block in the overall implementation of the UK’s National Data Strategy.
The Government’s intention for such a package was to introduce a regulatory regime that provides not only legal clarity but also eliminates the overly burdensome “one size fits all” approach of the GDPR, which arguably infringes on businesses’ ability to use data in innovative and facilitative ways. The DCMS describes the current “EU inherited” regime as being filled with bureaucracy, disproportionate red tape and pointless paperwork, from which it wishes to depart in order to transform the UK’s data laws for the digital age.
The Bill intends to depart from the so-called inherited GDPR in several ways, including:
- Automatic Decision Making (“ADM”)
The Bill removes the general prohibition on ADM for decisions made using non-special category personal data, replacing it with new obligations on controllers to adopt certain safeguards.
- Identifiability
The Bill proposes to limit the scope of personal data to “where the information is identifiable by the controller or processor by reasonable means at the time of processing, or where the controller or processor ought to know that another person will likely obtain the information”.
This is a less stringent scope, which could mean that UK technology businesses will no longer need to burden themselves with pre-emptive practices for addressing future identifiability, but can instead focus on whether the information is identifiable “at the time of processing”. The Bill also clarifies that organisations need only assess identifiability in relation to the controller, the processor or any other person who will likely obtain the information.
- Scrapping the Data Protection Officer (“DPO”) for the Senior Responsible Individual (“SRI”)
The new SRI shall be an individual appointed from senior management internally within the organisation, although their responsibilities shall not depart in any major way from those of the DPO under the GDPR. There are concerns as to whether the SRI being an internal member of the organisation will disrupt the standards of independence and impartiality which are currently maintained under the GDPR. For instance, in a recent judgment, the CJEU clarified that a DPO cannot be entrusted with tasks which would result in him “determining the objectives and methods of processing personal data”. For further information see our blog on DPO’s Dismissal & Conflicts of Interest Under the EU GDPR – CJEU Ruling. The new SRI is, however, an arguably cost-effective alternative, especially beneficial for smaller organisations, which shall be able to replace a potentially costly external DPO with an in-house member of senior management.
- Legitimate interests
The Bill proposes a list of recognised legitimate interests for which data can be processed lawfully. These exempt interests, which are considered necessary, include national security, public security and defence, responding to emergencies, preventing crime, safeguarding vulnerable individuals and democratic engagement purposes. This approach, which clearly lists areas of legitimate interest, diverges from and simplifies the current GDPR approach, which instead leaves controllers in the dark to carry out balancing exercises to determine the extent and scope of legitimate interests.
- International transfers of personal data
The Bill proposes a risk-based approach when assessing adequacy regulations, which would mean that organisations would use risk assessments to determine the risks of international data transfer. This departure has been classified as “not materially lower” than the standard under the GDPR but may still have the potential to impact the European Commission’s UK adequacy decision.
Market Concerns and Criticisms
Despite the news that the Bill will make its way back into the House of Commons in the coming days, its re-emergence has been met with overwhelming concerns that the implementation of this reform will fall desperately short of having its desired effect for the UK.
There are many criticisms that the UK will be stunting its own growth by departing from the existing EU-aligned UK GDPR. This may particularly affect UK organisations which have expanded, or plan to expand, their services to customers based in the EU. Any disparities between the two regimes will consequently demand compliance with two different sets of rules, which may discourage technology firms from setting up shop in the UK.
Above this, there is also the looming risk that if the UK Bill departs too far from the current GDPR, UK data protection law will lose its current EU Data Adequacy Status. The Adequacy Status is considered to be the EU’s stamp of approval, which currently confirms that UK law is adequately compatible for personal data to move freely to and from the EEA without further safeguards being required. These criticisms and potential risks beg the question as to whether the desire for legal clarity and a more comprehensive framework will result in a practical detriment to technology businesses who have just got to grips with the EU’s data protection regime and GDPR alignment.
Nonetheless, the Bill is expected to be re-introduced into the House of Commons, with the Government revealing no signs of budging from the initial content laid out in the Bill on 18 July 2022. Therefore, it seems that the jury is still out, as UK organisations and data protection practitioners alike must patiently wait to see whether this new Bill will catapult the UK forward to lead the pack in the digital age or materialise into a fragmented piece of post-Brexit framework.
Find the Bill here.
Find the previous Preiskel & Co blog post on the Bill here.
Find the previous Preiskel & Co blog on DPO’s Dismissal & Conflicts of Interest Under The EU GDPR – CJEU Ruling here.
Please contact Jose Saras and Xavier Prida if you have any questions regarding the above.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.
This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.