Data Protection Law
This week, the second iteration of the Government’s Data Protection and Digital Information Bill (DPDI 2) had its second reading in Parliament. DPDI 2 follows a previous attempt by the Government to reform the UK’s data protection laws post-Brexit in July 2022, by an earlier version of the bill (DPDI 1). DPDI 1 was put on hold in September 2022, following the election of Liz Truss as leader of the Conservative Party – a stronger, more ‘bespoke’ data protection regime was sought.
Liz Truss resigned in October 2022, leaving DPDI 1 in a state of flux. It has returned in the form of DPDI 2. DPDI 2, however, is not a post-Brexit flagship of legislative reform. This is most likely because, as Rishi Sunak’s Government has noted, too much divergence from the original EU GDPR may compromise the UK’s status as an ‘adequate’ jurisdiction providing equivalent protection of personal data (ensuring the free flow of personal data between the UK and EEA). Accordingly, DPDI 2 contains additional tweaks and clarifications – not a substantive departure from DPDI 1.
In both bills, the Government is focused on the elimination of ‘red tape’ and some of the administrative burdens of the existing Data Protection Act 2018 (DPA). On paper, this favours data controllers rather than data subjects.
Below is a summary of the key changes to the DPA, UK GDPR, and the Privacy and Electronic Communications Regulations 2003 (PECR) that DPDI 2 proposes, as it currently stands. It remains to be seen if the Parliamentary process will produce its own amendments to DPDI 2.
Data Protection Reform – Key Changes
The EU GDPR (as adopted by the original UK GDPR, referred to below for ease as the GDPR) defined pseudonymisation as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person…”
DPDI 2 amends this definition slightly: “the processing of personal data in such a manner that it becomes information relating to a living individual who is only indirectly identifiable; but personal data is only pseudonymised if the additional information needed to identify the individual is kept separately and is subject to technical and organisational measures to ensure that the personal data is not information relating to an identified or directly identifiable living individual.”
This is a helpful clarification and data protection reform which benefits controllers in that it creates a clear test for anonymisation. It accordingly widens the potential scope for controllers/processors to process personal data without having to comply with the other requirements of the GDPR (as the GDPR does not restrict the processing of anonymised personal data in the same manner).
The GDPR requires that personal data must be processed lawfully. There are currently six lawful bases, including the frequently relied on ‘legitimate interests’.
The DPDI adds to the lawful bases under the new ‘recognised legitimate interests’. DPDI 1 contained an Annex 1, which includes a list of recognised legitimate interests such as the prevention of crime, safeguarding vulnerable individuals, and democratic engagement.
This addition is of little use to businesses. However, DPDI 2 has now included further ‘examples’ of legitimate interests (notably not recognised legitimate interests), which include (1) direct marketing, (2) intra-group transmission of personal data for administrative purposes, and (3) processing for the purposes of network and information systems.
This is not a significant divergence from the GDPR (indeed, direct marketing was referred to in a recital to the GDPR). But businesses, especially larger ones, will benefit from the ability to directly cite examples of legitimate interests that frequently occur in practice.
Data subjects’ rights
The significant, pro-controller change is DPDI 2’s amendment to the GDPR to the effect that a ‘Data Subject Access Request’ (DSAR) may be refused if it is “vexatious or excessive” – arguably a reduced threshold compared with the current “manifestly unfounded or excessive”.
‘Vexatious’ is in law a matter of good faith. Accordingly, the scope of refusal is wider if it can be demonstrated that the DSAR is not an attempt to enforce one’s data subject rights but is intended to burden or gain advantage over a data controller.
There have been earlier attempts to control ‘weaponised’ DSAR requests made by data subjects along these lines. In a limited attempt at data protection reform, the ICO produced official guidance in 2020 to the effect that DSARs could be refused if the data subject had ‘no intention’ to exercise their rights – citing the specific example of an individual who “offers to withdraw it in return for some form of benefit” – or where the DSAR was “malicious in intent.” The High Court in Lees v Lloyds Bank plc  EWHC 2249 (Ch) went (arguably) further in that DSARs with a “collateral” purpose with the intention to “obtain documents rather than personal data” could be refused.
Although it remains to be seen how any enacted DPDI 2 would work in practice, it is likely that the “vexatious” requirement enshrines the decision in Lees – in consultation for the DPDI the Government sought views on “[a]mending the threshold for response, for example, by allowing organisations not to respond to DSARs where access to personal data or concerns about its processing are not the purpose of the request.”
Whilst the burden of proof remains on the controller, the DPDI 2 may increase the temptation and ability of businesses to not respond to DSARs.
That said, DPDI 2 also gives a data subject a distinct ‘right to complain’ to the data controller prior to complaining to the ICO. This means data controllers will have to put in place more policies and procedures to deal with this additional right, rendering non-compliance with a data subject request even more of a burden.
AI and ‘automated decision making’
DPDI 2 seeks to remove the GDPR’s prohibition on a controller’s decision making based solely on automated processing, whilst at the same time placing additional emphasis on data subjects’ rights around it.
Although this is not a total opening of the floodgates – an automated decision is, following DPDI 2, one in which there is no “meaningful human involvement”, and the GDPR already permitted automated decision making for the purposes of entering into or performing a contract – clearly this data protection reform is a departure from the GDPR that will require further explanation from Government.
Data Protection Impact Assessments
The current regime of producing detailed Data Protection Impact Assessments (the ICO’s template contains six detailed ‘steps’ organisations are to go through in its current assessment) is to be replaced with an ‘Assessment of High Risk Processing’. This Assessment of High Risk Processing will require only a summary of the purposes of the processing, its necessity, the risks to data subjects, and risk mitigation efforts.
Technical and organisational measures
The GDPR required that appropriate technical and organisational measures were put in place by controllers to ensure the security of processing. Lawyers and businesspeople will recall the list of these measures that is frequently found at the back of contracts where they include appropriate data protection clauses.
DPDI 2 proposes a direct reduction of this requirement, setting out that only “appropriate measures, including technical and organisational measures” are required.
This offers more flexibility for businesses to determine what protections they put around personal data, reducing (but not eliminating) the prescriptive need for technical and organisational solutions. Small businesses are likely to benefit most from this change, but it remains to be seen how lenient the ICO will be in practice. There is still a requirement for a ‘risk based assessment’ when ascertaining whether personal data is sufficiently protected.
DPDI 2 proposes to eliminate the requirement for international controllers of UK personal data to appoint a representative.
This is a significant change, but in practice not likely to be substantive. The role of a UK representative was already limited under the GDPR and reduced in scope following the High Court’s decision in Rondon v LexisNexis Risk Solutions UK Ltd  EWHC 1427 (QB).
Record of processing activities
The UK GDPR required that almost all organisations kept an internal ‘record of processing activities’ which set out how personal data is processed within the organisation. This is one of the key administrative requirements imposed by the UK GDPR on all businesses. Reducing these obligations is a key objective for Government in implementing data protection reform.
DPDI 2 amends this obligation so that it applies only where the processing carries a high risk to the rights and freedoms of individuals. The ‘high risk’ record itself is reduced in scope. Helpfully, the ICO will publish guidance on high risk processing, which has bearing on many other aspects of data protection compliance. This is a welcome further addition to data protection reform.
DPDI 2 extends the ability of an organisation to rely on the “soft opt-in” exemption to obtaining consent when carrying out direct marketing to non-commercial organisations. The soft opt-in, in the commercial context, permitted commercial organisations to market (i.e. by email or text) to their existing customers. Following the enactment of DPDI 2, non-commercial organisations, like charities, could then send direct marketing communications without consent if the targeted individual has expressed an interest in supporting the non-commercial organisation’s objective.
Cookies can be placed on users’ computers, or in software, without consent if they are for statistical or functional purposes.
Lastly, fines for a breach of PECR are to be increased to the GDPR level – £17.5 million or 4% of annual turnover. This is an increase from the current level of £500,000. Given that the ICO is extremely vigilant in enforcing breaches of PECR, this is an important increase.
Data Protection Reform Comment
This data protection reform will be useful to UK businesses and other controllers, but it does not represent a massive change. It is likely to become law later this year.
Some red tape is slashed. However, the obvious concern is that UK businesses trading with the EU will have to comply with two different regimes that have slight, but substantive, differences. Businesses that do not trade with the EU will benefit somewhat. But larger businesses will almost certainly follow the EU GDPR to ensure they are compliant with both regimes. That the UK is seeking to retain its ‘adequate’ status is welcome, but in a sense it makes data protection reform largely toothless. It remains to be seen how far the government will go to obtain the potential benefits of the post-Brexit environment.
At EM Law, we are experts in data protection law. To discuss whether you are compliant with the current, or indeed future, UK and EU GDPR please do not hesitate to contact us.