Demystifying the UK government’s proposed reforms to data protection laws

In this Q&A formatted article, our Data Privacy team explains the implications of the Data Protection and Digital Information (No. 2) Bill.

Published 23 March 2023

Key information

Earlier this month, the UK government introduced the Data Protection and Digital Information (No. 2) Bill. This signals the beginning of potential post-Brexit divergence between the UK’s existing data protection regime and that of the European Union.

Q: Hold on a second. Please could you explain what the implications are of Bill no. 1 before jumping ahead with “no. 2”?

A: There aren’t any. Bill no. 1, which was introduced in July 2022, was withdrawn for further consultation and has been superseded by this version.

Q: Does this Bill mean we have to overhaul our data protection practices yet again? We’ve only just got ourselves comfortable with our GDPR compliance!

A: First, the Bill itself isn’t yet law, so in that respect nothing is changing until and unless this Bill passes through Parliament. A first reading of the Bill took place on 8 March 2023, and a second is due to take place on 17 April 2023.

Second, even if this Bill does become law, the good news is that there is nothing in it (as it currently stands) that will require your business to do anything more than it does already in respect of data protection, assuming it is already compliant with its obligations under the current UK GDPR and Data Protection Act 2018 (as well as the EU GDPR, to the extent that you process personal data relating to individuals based in the European Economic Area (EEA)).

In other words, if you are already compliant with what the UK GDPR and EU GDPR currently require your business to do, then you will automatically be compliant with the proposed Bill in its current form.

Q: That’s a relief. But, in that case, what is the purpose of this Bill?

A: In its press release that accompanied the launch of the Bill, the UK government states that it would like the UK’s privacy laws to be ‘easier to understand’ and ‘easier to comply with’ in order to ‘release British businesses from unnecessary red tape’. The government believes that the Bill’s proposed reforms could ‘unlock £4.7 billion in savings’ for the British economy over the next decade by improving the country’s credentials for attracting business investment.

Q: What proposals are there in the Bill to ease the compliance burden?

A: The most noteworthy changes from the current regime that British businesses might welcome include the following:

– UK businesses would only be required to have a written record of their data processing activities if these are considered ‘high risk’ in line with future guidance published by the UK’s privacy watchdog, the Information Commissioner’s Office (ICO). Processing an individual’s health data is an example of what the ICO would likely consider to be ‘high risk’ in this context.
– Data subject access requests (DSARs) that are considered ‘vexatious or excessive’ could be refused, or, alternatively, the data subject making any such DSARs could be charged a fee in those circumstances. Currently, UK businesses can only refuse to respond to a DSAR under a narrower exemption, i.e. that it is ‘manifestly unfounded or excessive’.
– If your business processes the personal data of individuals based in the UK but does not have a UK establishment, then the requirement (as per Article 27 of the UK GDPR) to appoint a UK representative for data protection matters would no longer apply.
– The requirement to have in place a Data Protection Officer (DPO), which itself only applies in certain circumstances, would be removed. Instead, businesses would be expected to designate a ‘senior responsible individual’ for privacy. Currently, DPOs are required to be independent from a business’s decision-making executive functions. Under the proposed reform, however, the ‘senior responsible individual’ would be part of senior management.
– Currently, as discussed here, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and associated guidance stipulate that only ‘strictly necessary’ cookies may be placed on users’ devices without their prior consent (which has to be freely given on an opt-in basis). The Bill drops this requirement for certain types of analytics/statistical cookies, subject to certain conditions about how the information collected from them is used, and provided that users are still given comprehensive information about those cookies and a way of opting out of them.

The above is not an exhaustive list of the Bill’s proposed reforms. It is debatable whether certain additional proposals not listed above constitute a real practical difference from the current legal position, as opposed simply to reframing it. For example, whereas current laws prohibit the use of AI technology to process individuals’ personal data in order to make automated decisions about them, before going on to provide for certain exceptions to that prohibition, the Bill permits such automated decision-making, but adds a series of provisos concerning additional safeguards that must be implemented.

Q: Some of these proposals could reduce the administrative burden on our business, but why couldn’t this Bill go further?

A: The government has had to walk a tightrope between, on the one hand, what it describes in the aforementioned press release as ‘tak[ing] advantage of the many opportunities of post-Brexit Britain’ by introducing its own data protection regime ‘tailored to the UK’s own needs’, and, on the other, avoiding jeopardising the current mutual recognition of adequacy between the UK and the EU vis-à-vis their respective privacy laws.

Brexit to date has not affected the transfer of personal data between the UK and the remaining countries of the EEA because the European Commission has formally adopted an ‘adequacy decision’ in respect of the UK’s own data protection regime. However, that adequacy decision is not permanent and is subject to renewal every four years. The EU is likely only to renew the UK’s adequacy status in 2025 if the UK’s own data protection laws continue to align with those on the Continent. If the UK diverges too greatly from the principles of the EU GDPR, therefore, it risks losing this adequacy status. The result would be counterproductive to what the UK government intends to achieve insofar as this could plunge British businesses with international operations into a burdensome quagmire of administration in order to maintain personal data flows between the UK and the EEA.

This is why, in a speech made in Brussels last year, the UK’s current Information Commissioner urged his EU counterparts to ‘look beyond any political rhetoric’ concerning ‘the benefits of being free of the red tape of European regulation’, stressing his confidence that ‘data in the UK will continue to enjoy the same high standard of protection that it does within the EU’.

Q: Does this mean our operations will have to remain compliant with EU privacy laws?

A: If your business processes the personal data of EEA-based individuals, then the EU GDPR will continue to govern how that personal data must be handled. In other words, the Bill changes nothing concerning your business’s compliance with the EU GDPR.

This is why the statement of Michelle Donelan, the Science, Innovation and Technology Secretary, that ‘[n]o longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR’ is somewhat misleading. The reduced compliance burden will only help businesses’ processing of personal data of individuals who are based in the UK. If your organisation has an establishment in the EEA or offers products or services to anyone who lives there (or monitors their behaviour), then the EU GDPR will continue to apply. If your organisation is responsible for a website or app that targets EEA-based individuals, then European cookie laws will similarly continue to apply. As such, you may have little commercial appetite to implement a lighter-touch set of data protection practices solely for your business’s UK operations.

Consequently, the Bill as it stands will likely only alleviate the compliance burden for those organisations that solely have UK operations and do not process the personal data of individuals based in the EEA.

For more information, visit our data protection page.
