On 8 March 2023 the UK government introduced the Data Protection and Digital Information (No. 2) Bill to Parliament (the Bill). The Bill reflects the government’s view that some elements of the UK’s current data laws create barriers, uncertainty and unnecessary burdens for businesses and consumers.
The Bill is wide ranging, and includes provisions to:
- reform the Information Commissioner’s Office (ICO), including its name, structure, duties and powers;
- update and simplify the UK’s general data protection (UK GDPR) and ePrivacy law regimes;
- extend certain data sharing powers relating to the disclosure of information to improve public service delivery under the Digital Economy Act 2017;
- enable the establishment of smart data schemes, which are intended to allow for the secure sharing of customer data (e.g. data held by a communications provider or financial services provider) with authorised third-party providers (e.g. switching, personalised market comparison and account management providers) if the customer requests;
- establish a framework for the provision of digital verification services in the UK;
- reform the information standards for health and adult social care in England and the way births and deaths are registered in England and Wales; and
- facilitate the flow and use of personal data for law enforcement and national security purposes.
This article focuses on the proposed reforms to the ICO and the UK GDPR and ePrivacy regimes.
Background to the proposed reforms
The Bill proposes the third major reform to UK data protection laws since 2018. The UK’s current data protection regime is heavily based on the EU’s landmark ‘GDPR’ regime, which became applicable in 2018 and significantly reformed UK and EU data protection laws. In 2021 the UK replaced the EU’s GDPR with the UK GDPR, which broadly retained the key principles of the EU’s GDPR except for some amendments needed as a result of Brexit.
A Data Protection and Digital Information Bill was introduced to further reform UK data and privacy laws in July 2022 (the Original Bill). However, the Original Bill’s second reading in Parliament was postponed after Liz Truss became Prime Minister (PM) to give the government the opportunity to reconsider its approach. At that time, senior ministers indicated that the government might seek more extensive reforms to the UK’s data protection regime and further divergence from the EU. Deliberations by the UK government continued after the appointment of Rishi Sunak as PM. The Bill introduced on 8 March 2023 is largely identical to the Original Bill, although some changes have been made.
Key data protection and ePrivacy reforms
ICO
The ICO currently regulates the UK’s data protection and ePrivacy regime along with many other information laws.
The Bill will replace the ICO with a new supervisory authority called the ‘Information Commission’ and also make various reforms to the regulator’s organisation and duties. In particular, the Information Commission will be required by law to have regard to promoting innovation and competition. The Bill will also grant the Information Commission some new enforcement powers (e.g. the right to require an organisation to produce a report or to compel a person to attend an interview in connection with an investigation).
Data protection
Significant data protection reforms include, for example, those designed to:
- clarify when data is ‘personal data’ and therefore subject to the UK GDPR and the operation of the ‘legitimate interests’ lawful basis;
- remove the requirement for data controllers or processors established outside the UK to appoint a representative in the UK;
- replace the current obligations to appoint a data protection officer (DPO) with new and more flexible requirements for certain organisations to have a ‘senior responsible individual’ (SRI);
- remove the current obligation to keep various specific records, replacing them with obligations to keep a revised list of records only if the data controller or processor carries out processing that is likely to result in a high risk to the rights and freedoms of individuals;
- replace the requirement to conduct data protection impact assessments (DPIAs) with a new regime requiring assessments of high-risk processing (in addition, organisations would no longer be required to consult with the regulator if the assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller);
- allow data controllers to charge a fee for, or refuse to respond to, subject requests that are ‘vexatious or excessive’ (instead of ‘manifestly unfounded or excessive’), and make some changes to the calculation of the timeframes within which responses must be provided;
- give individuals a statutory right to make complaints to the data controller and impose a statutory obligation on those controllers to put in place processes to facilitate complaints and respond to them within certain timeframes;
- empower organisations to implement automated decision-making in additional scenarios;
- allow a more ‘risk-based’ approach to international transfers of personal data, and therefore facilitate more transfers of personal data outside the UK. This includes:
  - introducing a revised set of criteria that the government will use to decide if the laws of a non-UK country are generally ‘adequate’, so that personal data can be sent to that country from the UK without additional safeguards; and
  - a new statutory test governing how organisations should undertake the transfer risk assessments that they must complete before using commonly used safeguards to transfer personal data outside the UK (e.g. ICO-approved data transfer agreements or binding corporate rules); and
- assist organisations using personal data in connection with undertaking certain research, including to clarify key provisions, allow data to be more easily reused for research purposes and to reduce the need to provide information to data subjects.
ePrivacy
The UK’s ePrivacy regime, among other things, governs aspects of direct marketing and the use of cookies and other tracking technologies. Key proposals include:
- reforms that would remove the need to obtain a user’s consent before a website uses certain cookies or other tracking solutions; and
- making breaches affecting direct marketing and the use of cookies subject to increased fines equivalent to those under the UK GDPR (i.e. up to the greater of £17,500,000 or 4% of an undertaking’s total annual worldwide turnover, compared with a maximum of £500,000 currently).
Since nuisance marketing is commonly subject to action by the ICO, the increase in maximum fines may make a significant difference to the amounts of fines imposed by the regulator. The Bill will also impose new obligations on providers of electronic communications networks to notify the new Information Commission if they have ‘reasonable grounds’ for suspecting someone is undertaking unlawful direct marketing. This could furnish the regulator with valuable new evidence and assist it in bringing more enforcement actions.
It will be interesting to see whether the new Information Commission begins to impose fines for failure to comply with cookie laws. The French regulator has imposed over €420m in fines relating to cookies in recent years.
Further reforms?
The Bill includes wide powers for the Secretary of State to make subsequent reforms through secondary legislation.
Implications and next steps
Most of the proposed reforms introduce relatively limited changes as compared with the current UK or EU GDPR and ePrivacy regimes. Businesses that already comply with the current UK regime will generally only need to make minor adjustments.
The Bill promises greater flexibility and divergence in certain areas (e.g. accountability, automated decision-making, data processing in connection with research and international transfers). The government estimates the benefit of all the reforms in the Bill to be £4.7bn over 10 years (around 47% of which would relate to the private sector). UK privacy advocates have objected to several reforms that are seen as reducing the protections and rights of data subjects or controllers’ obligations. For example, concerns have been raised about whether SRIs will be sufficiently independent from corporate management structures.
The UK government has made clear that it understands the importance of keeping the UK’s designation by the EU as an ‘adequate’ jurisdiction, which allows most personal data to be transferred from the EU to the UK without the need to put in place additional safeguards. It will be interesting to see the extent to which the European Commission or other EU institutions object to the UK’s proposals. It may be that the UK’s proposed reforms to its regime for international personal data transfers and concerns about whether the new Information Commission is sufficiently independent from the UK government will be of the greatest concern to the EU. The UK’s adequacy decision could be revoked if the EU deems the UK’s regime no longer adequate.
Divergence from the EU’s regime may also make a potential challenge to the UK’s adequacy status before the EU’s Court of Justice more likely to succeed. The EU Court of Justice has overturned two adequacy findings relating to the US in recent years following challenges brought by an EU-based privacy advocate.
The Bill will introduce some new burdens on organisations and a need for them to consider how they should adapt their existing processes. For example, businesses will face potentially far higher fines for infringements of the ePrivacy regime, new enforcement powers and the requirement to put in place a process to facilitate data subjects raising complaints directly with them. Businesses and other organisations should start considering how they may adapt to, and take advantage of, the new reforms. Overall, it seems likely that most businesses with operations also subject to the EU GDPR will generally prefer to continue to apply any higher compliance requirements under EU laws across both their EU and UK organisations, rather than operate separate UK processes.
The Bill is still at the early stages of the Parliamentary process and a date for its second reading in the House of Commons has yet to be announced.