This blog is based on material presented at our GDPR in Practice seminar in London on 22 June 2023. If you would like to sign up to our mailing list to hear about future Kemp IT Law events, please contact julia.anderson@kempitlaw.com.
1. Introduction: A Whole New UK GDPR?
Published in March 2023, the Data Protection and Digital Information (No. 2) Bill (the “Bill”) is the second iteration of the UK Government’s post-Brexit proposals to reform UK data protection legislation.
Press releases at the time of the Bill’s publication promise considerable simplification and efficiency savings to the UK’s data protection framework: the Bill will potentially enable businesses to “save millions”, enabling organisations to “grow and innovate” whilst “maintaining high standards of data protection rights”.[1]
So what does the Bill actually cover? Will it result in a whole new UK GDPR? This blog looks at some of the key proposals and their implications.
2. What’s Being Proposed?
The Bill proposes a number of changes to UK data protection rules: some minor, others potentially highly significant. For the purposes of this blog, we’ve opted to focus on the more significant changes.
a. Cookies
Part 4 of the Bill proposes a number of changes to the UK rules on cookies. These rules are currently largely housed in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (commonly abbreviated to “PECR”). Regulation 6(1) of PECR sets out the general ban on dropping cookies without consent. There are two narrow exceptions to this ban at Regulation 6(4).
The Bill proposes several additional exceptions to the Regulation 6(1) ban. These are where the sole purpose of the cookie is:
- To collect information about how the service / website is used with a view to making improvements to the service / website.
- To enable specific functionality or adapt to user preferences.
- To update / patch security.
- For emergency assistance.
At this stage, it is difficult to gauge how significant an effect these new exceptions will have in practice. On the one hand, the exceptions come with strict requirements: first, the exception use case must be the “sole purpose” of the cookie, so consent would be required in the usual way for any ancillary uses of the relevant cookie. Secondly, the user must be given “clear and comprehensive information” about the cookie, even though consent is not required. Thirdly, the user must be able to opt out.
On the other hand, the proposals do add a degree of flexibility in a range of common cookie use cases. The Bill also proposes a ministerial power to add further exceptions in future, subject to a requirement to consult with the ICO among others and the affirmative resolution procedure (i.e. a vote in both Houses of Parliament).
b. Data Protection Officers
The Bill proposes changes to the UK GDPR rules for Data Protection Officers (“DPOs”). If passed in its current form, the Bill would replace DPOs with Senior Responsible Individuals (“SRIs”) – a new role with subtle but important differences.
The key differences between DPOs and SRIs would be:
- First, the threshold at which a controller or processor is obliged to appoint an SRI. The Bill proposes to change this to circumstances where the relevant entity is carrying out processing that is “likely to result in a high risk to the rights and freedoms of individuals”.
- Secondly, the status of the SRI versus the DPO within their organisation. Under the existing regime, a DPO needs to have sufficient independence such that the DPO role does not create “conflicts of interest” with other roles the individual may have. An SRI is permitted to “be part of the organisation’s senior management”, which would mean that the individual must “play [a] significant role[] in the making of decisions about how the [organisation’s] activities are to be managed.”
Some commentators have questioned whether the proposed SRI role is compatible with the DPO role under the existing UK regime or the EU GDPR.
c. “Legitimate Interests”
The Bill proposes to make it slightly easier for controllers to rely on “legitimate interests” as a lawful basis of processing. It does this in two ways.
First, the Bill introduces an entirely new lawful basis of processing in the form of “recognised legitimate interests”. This operates in conjunction with a proposed new Annex 1 to the UK GDPR which sets out a list of “recognised legitimate interests” (responding to an emergency, preventing crime, safeguarding a vulnerable individual, etc.). If the new provisions are enacted, processing which is necessary for the purposes of one of these recognised legitimate interests will be lawful, without the need also to perform a legitimate interests assessment.
Secondly, the Bill introduces an illustrative and non-exhaustive list of examples of processing which may constitute legitimate interests (within the existing lawful basis). These are derived from the existing recitals to UK GDPR and include:
- Processing that is necessary for the purposes of direct marketing.
- Intra-group transmission of personal data where necessary for internal administrative purposes.
- Processing necessary for the purposes of ensuring the security of network and information systems.
d. Research Purposes
In keeping with the UK Government’s stated aims of promoting innovation, the Bill proposes a number of changes to facilitate the processing of personal data for research purposes, subject to certain conditions. Here, the points to watch are in the definitions (both what is defined, and what isn’t defined).
The Bill proposes to amend the definitions at Article 4 of the UK GDPR to add a new definition of “scientific research purposes”: “References in [the UK GDPR] to the processing of personal data for the purposes of scientific research… are references to processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity.”
This is already broadly drawn. But a key point to note is that the Bill in its current form does not define “scientific”. Will it be taken to refer to things that we might understand to be strictly scientific (e.g. medical research)? Or could it also include processing that may be required to train an AI system (which might be regarded as commercial, but not necessarily scientific in a strict sense)? If enacted, it will be important to keep an eye on what any new ICO guidance says about this, and where market practice heads.
e. Transfers
We intend to publish a blog summarising the points we made on international transfers in our June 2023 seminar in the coming weeks, so we will keep our comments here brief.
In short, the Bill’s proposals venture into the vexed area of international transfers in a potentially significant way: it proposes to amend the test for when a transfer of personal data subject to appropriate safeguards (e.g. SCCs) is permitted such that the test is met if the standard of protection after the transfer is “not materially lower” than the standard of protection it would receive in the UK.
This proposal has met with concern from businesses and privacy interest groups because of the risks it poses to the existing EU-UK adequacy decision – the language of the new test is, on its face, very different from the “essential equivalence” required under the EU GDPR.
As noted above, the Bill proposes a number of other changes which are not addressed in this post but which will be relevant if the Bill progresses into law. These include changes to the rules around: direct marketing, data subject access requests, purpose limitation, record-keeping and data protection impact assessments.
3. What Next?
The Bill is still working its way through the UK’s legislative process and, as a result, there is a degree of uncertainty as to whether its proposals will make their way into law. The Bill has, however, received endorsement from a number of politicians and the Information Commissioner’s Office (the “ICO”, the UK’s personal data regulator).
Having said this, the first iteration of the Bill was withdrawn earlier this year, and the significant residual concerns in key areas (particularly as to the Bill’s potential effect on EU-UK adequacy), coupled with the political reality of an approaching UK general election, mean the Bill is still a ‘watch this space’ in our view.
[1] Information Commissioner’s Office, ‘ICO statement on re-introduction of Data Protection and Digital Information Bill’, 8 March 2023 <https://tinyurl.com/mr3r3re8>.