In November 2023, the UK government introduced further amendments to the already-extensive set of data protection reforms proposed in the Data Protection and Digital Information Bill (the Bill).
This article focuses on those amendments introduced in November 2023 and explains how they:
- generally aim to further reduce the regulatory burden on organisations, including in relation to subject access requests, record keeping and the reporting of some data breaches;
- add a data retention duty that may apply to some companies that process children’s data; and
- introduce a change of approach designed to reassure the EU that the UK regulator will remain independent.
In practice, the last of those may be the most consequential if it helps preserve the UK’s critical data transfer arrangements with the EU.
Background
The Bill is wide-ranging and will, among other things, reform various aspects of the UK’s general data protection (UK GDPR) and ePrivacy regimes.
We blogged about key aspects of the Bill in March 2023 and blogged on its implications for automated decision-making in September 2023.
In November 2023 the Bill was subject to over 120 pages of proposed amendments, many of which were government-backed and have therefore now been included in the latest version of the Bill. Those amendments will impact many areas of law, but it is the further changes to the UK’s data protection regime that will have the widest impact across UK business.
This article outlines some of the key implications of those recently introduced amendments for the UK’s generally applicable data protection and ePrivacy regimes.
Subject access requests
Under UK data protection laws, individuals have the right to access and receive a copy of their personal data, together with other supplementary information. Such requests are commonly called ‘subject access requests’.
The Bill already proposed to enable data controllers to charge a ‘reasonable’ fee or refuse to respond to subject access requests that are ‘vexatious or excessive’ (replacing the current formulation of ‘manifestly unfounded or excessive’).
In a further effort to reduce the burden on data controllers, the amendments introduced by the government in November 2023 confirmed that, in responding to subject access requests, data controllers are only required to undertake reasonable and proportionate searches for personal data and other information. This change gives statutory effect to the approach set out in guidance from the UK’s data protection authority (currently known as the ICO but to be renamed the ‘Information Commission’ under the Bill).
Independence of the Information Commission
A number of stakeholders raised concerns over the power of the Secretary of State under the original version of the Bill to veto Codes of Practice issued by the Information Commission. EU authorities, among others, flagged specific concerns regarding the Information Commission’s independence. The EU’s concerns raised the spectre of the UK losing its valuable ‘adequacy’ decision from the EU, which allows personal data to be transferred from the EU to the UK with reduced paperwork.
The updated Bill softens the Secretary of State’s power significantly, limiting the Secretary of State to providing non-binding recommendations on Codes of Practice drafted by the Information Commission, which the Information Commission must consider before the relevant Code of Practice is laid before Parliament.
UK officials hope this change will resolve one of the most significant concerns that EU authorities had with the Bill.
Children’s data
Many of the developments in UK data protection and online laws over recent years have centred around how to protect children.
The updated version of the Bill proposes, via amendments to the UK’s Online Safety Act 2023 (OSA), to impose further obligations on various organisations providing services regulated under the OSA. The new obligations would require those organisations, upon notice from the UK’s online safety regulator, Ofcom, to retain any relevant personal data relating to a child who has died by suicide. Currently, such data may otherwise be deleted when a user is deceased. The proposed amendment allows that data to be used in subsequent investigations or coroner inquests into suspected suicides, and creates related offences for companies and their senior managers in certain circumstances where notices have not been complied with.
Personal data breaches impacting public electronic communications services
Providers of a public electronic communications service (i.e. entities which provide any service allowing members of the public to send electronic messages, including telecoms providers and internet service providers) are subject to a personal data breach notification regime under UK ePrivacy laws, which is distinct from that under the UK’s general data protection regime.
Those obligations currently include notifying the ICO of a personal data breach within 24 hours. In February 2023, the ICO announced some relaxation to how it would enforce that deadline. The November 2023 amendments to the Bill will specify in law that the obligation is relaxed to require reporting of breaches to the Information Commission without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach (plus an obligation to explain any failure to notify within 72 hours).
Record keeping
Organisations will only be required to keep copies of certain records of processing activities where the data controller carries out processing likely to result in a high risk to individuals. Further amendments were also made to other record-keeping obligations. Broadly, this advances the government’s aim of reducing the administrative burden of record keeping.
Other changes
The amendments introduce various other data protection changes that may be relevant in certain scenarios. For example, the Bill enables certain further processing of personal data for the purposes of archiving in the public interest where personal data was originally obtained based on consent.
Next steps
After lengthy Parliamentary processes, the Bill has finally passed all three readings in the House of Commons, and the first two readings in the House of Lords. The Bill still needs to complete its committee stage, report stage and third reading in the House of Lords.
Until it receives royal assent, the Bill may go through further amendments.
It remains to be seen whether the Bill becomes law in 2024, before the UK’s upcoming general election, and what further amendments may be made.