In this Q&A formatted article, our Data Privacy team explains the implications of the Data Protection and Digital Information (No. 2) Bill.

Earlier this month, the UK government introduced the Data Protection and Digital Information (No. 2) Bill. This signals the beginning of potential post-Brexit divergence between the UK’s existing data protection regime and that of the European Union.

Q: Hold on a second. Please could you explain what the implications are of Bill no. 1 before jumping ahead with “no. 2”?

A: There aren’t any. Bill no. 1, which was introduced in July 2022, was withdrawn for further consultation and has been superseded by this version.

Q: Does this Bill mean we have to overhaul our data protection practices yet again? We’ve only just got ourselves comfortable with our GDPR compliance!

A: First, the Bill itself isn’t yet law, so in that respect nothing is changing until and unless this Bill passes through Parliament. A first reading of the Bill took place on 8 March 2023, and a second is due to take place on 17 April 2023.

Second, even if this Bill does become law, the good news is that there is nothing in it (as it currently stands) that will require your business to do anything more than it does already in respect of data protection, assuming it is already compliant with its obligations under the current UK GDPR and Data Protection Act 2018 (as well as the EU GDPR, to the extent that you process personal data relating to individuals based in the European Economic Area (EEA)).

In other words, if you are already compliant with what the UK GDPR and EU GDPR currently require your business to do, then you will automatically be compliant with the proposed Bill in its current form.

Q: That’s a relief. But, in that case, what is the purpose of this Bill?

A: In its press release that accompanied the launch of the Bill, the UK government states that it would like the UK’s privacy laws to be ‘easier to understand’ and ‘easier to comply with’ in order to ‘release British businesses from unnecessary red tape’. The government believes that the Bill’s proposed reforms could ‘unlock £4.7 billion in savings’ for the British economy over the next decade by improving the country’s credentials for attracting business investment.

Q: What proposals are there in the Bill to ease the compliance burden?

A: The most noteworthy changes from the current regime that British businesses might welcome including the following:

– UK businesses would only be required to have a written record of their data processing activities if these are considered ‘high risk’ in line with future guidance published by the UK’s privacy watchdog, the Information Commissioner’s Office (ICO). Processing an individual’s health data is an example of what the ICO would likely consider to be ‘high risk’ in this context.
– Data subject access requests (DSARs) that are considered ‘vexatious or excessive’ could be refused, or, alternatively, the data subject making any such DSARs could be charged a fee in those circumstances. Currently, UK businesses can only refuse to respond to a DSAR under a narrower exemption, i.e. that it is ‘manifestly unfounded or excessive’.
– If your business processes the personal data of individuals based in the UK but does not have a UK establishment, then the requirement (as per Article 27 of the UK GDPR) to appoint a UK representative for data protection matters would no longer apply.
– The requirement to have in place a Data Protection Officer (DPO), which itself only applies in certain circumstances, would be removed. Instead, business would be expected to designate a ‘senior responsible individual’ for privacy. Currently, DPOs are required to be independent from a business’s decision-making executive functions. Under the proposed reform, however, the ‘senior responsible individual’ would be part of senior management.
– Currently, as discussed here, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and associated guidance stipulate that only ‘strictly necessary’ cookies may be placed on users’ devices without their prior consent (which has to be freely given on an opt-in basis). The Bill drops this requirement for certain types of analytics/statistical cookies, subject to certain conditions about how the information collected from them is used and provided users are still provided with comprehensive information about those cookies and a way of opting out of them.

The above is not an exhaustive list of the Bill’s proposed reforms. It is debatable as to whether certain additional proposals not listed above constitute a real practical difference from the current legal position, as opposed simply to reframing it. For example, whereas current laws prohibit the use of AI technology to process individuals’ personal data in order to make automated decisions about them, before going on to provide for certain exceptions to that prohibition, the Bill permits such automated decision-making, but adds a series of provisos concerning additional safeguards that must be implemented.

Q: Some of these proposals could reduce the administrative burden on our business, but why couldn’t this Bill go further?

A: The government has had to walk a tightrope between, on the one hand, what it describes in the aforementioned press release as ‘tak[ing] advantage of the many opportunities of post-Brexit Britain’ by introducing its own data protection regime ‘tailored to the UK’s own needs’, and, on the other, avoiding jeopardising the current mutual recognition of adequacy between the UK and the EU vis-à-vis their respective privacy laws.

Brexit to date has not affected the transfer of personal data between the UK and the remaining countries of the EEA because the European Commission has formally adopted an ‘adequacy decision’ in respect of the UK’s own data protection regime. However, that adequacy decision is not permanent and is subject to renewal every four years. The EU is likely only to renew the UK’s adequacy status in 2025 if the UK’s own data protection laws continue to align with those on the Continent. If the UK diverges too greatly from the principles of the EU GDPR, therefore, it risks losing this adequacy status. The result would be counterproductive to what the UK government intends to achieve insofar as this could plunge British businesses with international operations into a burdensome quagmire of administration in order to maintain personal data flows between the UK and the EEA.

This is why, in a speech made in Brussels last year, the UK’s current Information Commissioner urged his EU counterparts to ‘look beyond any political rhetoric’ concerning ‘the benefits of being free of the red tape of European regulation’, stressing his confidence that ‘data in the UK will continue to enjoy the same high standard of protection that it does within the EU’.

Q: Does this mean our operations will have to remain compliant with EU privacy laws?

A: If your business processes the personal data of EEA-based individuals, then the EU GDPR will continue to govern how that personal data must be handled. In other words, the Bill changes nothing concerning your business’ compliance with the EU GDPR.

This is why the statement of Michelle Donelan, the Science, Innovation and Technology Secretary, that ‘[n]o longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR’ is somewhat misleading. The reduced compliance burden will only help businesses’ processing of personal data of individuals who are based in the UK. If your organisation has an establishment in the EEA or offers products or services to anyone who lives there (or monitors their behaviour), then the EU GDPR will continue to apply. If your organisation is responsible for a website or app that targets EEA-based individuals, then European cookie laws will similarly continue to apply. As such, you may have little commercial appetite to implement a lighter-touch set of data protection practices solely for your business’s UK operations.

Consequently, the Bill as it stands will likely only alleviate the compliance burden for those organisations that solely have UK operations and do not process the personal data of individuals based in the EEA.

For more information, visit our data protection page.