Last week the Data (Use and Access) Bill (Data Bill) was published. It is the most recent bill introduced to the UK Parliament to reform data laws, the previous attempt, the Data Protection and Digital Information Bill (DPDI Bill), having failed to make it through Parliament before the general election.
This Bill was anticipated given the proposals in the King’s Speech in July (see our blog), although it was then called the Digital Information and Smart Data Bill. For those who have been following the progress of UK data reform, much of the new Data Bill will be familiar, although there are some differences. It therefore continues to be an evolution rather than a revolution of the law in this area.
Changes to accountability provisions dropped
Reforms to the UK data protection regime are less extensive than those included in the DPDI Bill, with the previously proposed changes to records of processing activities, data protection officers and data protection impact assessments having been dropped. There was scepticism about the benefit of these changes, so maintaining the status quo for them is sensible.
Data subject access requests remain as now
The proposed ‘vexatious’ test for charging or refusing data subjects’ rights requests has been abandoned. We didn’t think this change went far enough to address the challenges faced by organisations dealing with data subject access requests (DSARs) from disgruntled employees and customers. We therefore see the lack of change as a wasted opportunity to reduce the burden on organisations in circumstances where the purpose of the DSAR is not in reality connected with privacy rights.
Increase in fining and enforcement powers
The proposed changes to the structure of the Information Commissioner’s Office (ICO) and upgrades to its powers have been taken forward, including:
- the enforcement and fining regime for marketing and cookie infringements under the Privacy and Electronic Communications Regulations (PECR) will be aligned with the UK General Data Protection Regulation (UK GDPR), including fines of up to the greater of £17.5m or 4% of annual worldwide turnover; and
- the ICO’s powers in relation to investigations will be extended, including powers to require the preparation of expert reports.
Scope of research provisions clarified
There had been concern that the provisions on research in the UK GDPR were too restrictive, so these will be amended, including to confirm that ‘scientific research’ includes privately funded commercial research as long as it can reasonably be described as scientific.
Public sector reliance on legitimate interests is eased
As proposed under the DPDI Bill, a list of recognised legitimate interests for which no balancing exercise is required has been put forward, all of which in reality are only relevant to the public sector.
Restrictions on automated decision making are reduced
The rules on automated decision making will be relaxed, mirroring the position in the DPDI Bill, so that only automated decision making using sensitive data would be automatically prohibited. Other automated decision making will be possible with the explicit consent of the data subject, if necessary for the performance of a contract, or if required by law.
Changes to standard for international transfers
There will be a ‘data protection test’, requiring a ‘not materially lower’ standard of data protection in the recipient country in order to transfer personal data across borders. This was also included in the DPDI Bill (see our blog).
Wider data reforms
The Data Bill proposes changes in the wider data arena too, including on:
- Smart Data schemes, to enable secure sharing of customer data, at the customer’s request, with third-party providers beyond the GDPR’s portability right;
- digital verification services to support the creation and adoption of secure and trusted digital identity products, for example enabling prospective tenants to prove their identity without providing physical documents; and
- putting the national underground asset register on a statutory footing to help with the installation and operation of underground utilities and the avoidance of accidents.
Outlook
The UK Government is confident the reforms should not pose any risk to the UK’s adequacy decision from the EU, which is due to be reconsidered in 2025, and we agree with that view. We expect the reforms to pass through the legislative process smoothly given the various iterations to date and the Government’s majority in the House of Commons, although we suspect that some provisions, such as those around the opening up of health data, will be much debated.
Businesses should therefore monitor the Data Bill’s progress, including on implementation timelines, and look out for ICO guidance so that they are ready to comply with, and take advantage of, the reforms. In particular, any risk-based decisions around e-marketing need to be reassessed given the higher fines that could be imposed.