July 20, 2022
Data Protection Law

The UK government has published its ‘Data Protection and Digital Information Bill’ (New Data and Digital Bill), which is intended to reduce the burdens on organisations that process personal data while keeping the UK’s framework compatible with the GDPR.

The New Data and Digital Bill was introduced in the House of Commons on 18th July 2022 and is scheduled to have its second reading on 5th September 2022. Broadly, the Bill proposes reforms to UK data protection and electronic privacy law. Although the proposed reforms are numerous, the Bill is intended to be evolutionary rather than revolutionary.

The government has stated that the New Data and Digital Bill is intended to update and simplify the UK’s data protection framework, so that burdens on organisations are reduced, all the while maintaining high data protection standards.

What are the Key Reforms?

The Information Commissioner

There are wide-ranging reforms proposed to the ICO, including bringing it under closer government supervision and accountability. For example, the Secretary of State will be able to set strategic priorities for the Commission (S27), and the Commission will be required to assess its own performance annually (S33).

A further key proposed reform in the 96-page Bill is that the functions and powers of the ‘Information Commissioner’s Office’ will be transferred to a new body, the ‘Information Commission’. The Commission will be given additional powers to support its investigatory and enforcement activities, such as:

  • Requiring controllers or processors to prepare a report at the controller or processor’s expense (S35).
  • Being able to order persons to attend at a place and time to answer questions about data processing (S36).

Cookies

The New Data and Digital Bill proposes certain key reforms which would, if implemented, change existing UK law on cookies and other internet tracking technologies. In essence, the proposed reforms would reduce the cookie consent requirements in some circumstances (S79).

Currently, UK law prohibits storing information on, or accessing information stored on, a user’s device unless the user has given consent, having been provided with clear and comprehensive information about the purposes of the processing. An exception to the consent requirement exists where the use of cookies is strictly necessary for the provision of a service explicitly requested by the user.

The proposed reforms list further activities which would fall into the category of strictly necessary, for example preventing or detecting fraud, or authenticating a user.

The New Data and Digital Bill also seeks to widen the situations in which tracking technologies may be used without the consent of the user. For example, consent would not be needed where the technologies are used to collect information for statistical purposes with a view to improving the service provided, or to enable enhancements to the appearance of the service on the user’s device. It is important to note that in both cases the user must still be given an opportunity to object, or opt out.

Data Subject Rights

Amongst the reforms are changes to the rights of data subjects. Firstly, controllers will be able to refuse data subject access requests that are vexatious or excessive (S7). This replaces the current test, under which requests can be refused only if they are manifestly unfounded or excessive. Vexatious requests include those which are intended to cause distress, are not made in good faith, or are an abuse of process.

A further proposed reform is that a controller can be excused from the requirement to provide fair processing information under Article 13 UK GDPR where data is collected for scientific research or statistical purposes.

The New Data and Digital Bill therefore relaxes some of the strict conditions that organisations face when processing data. It widens the circumstances in which a controller can refuse a request in its entirety, or charge a fee, specifically where the request is deemed vexatious or excessive. It falls to the organisation itself to decide whether a request meets either description.

Obligations of Controllers and Processors

Under the new proposals, the requirement to carry out a Data Protection Impact Assessment will be replaced by a requirement to carry out an Assessment of High Risk Processing (S17).

The general criteria that currently trigger a Data Protection Impact Assessment, set out in Article 35(3) of the UK GDPR, will be removed under the proposed reforms. However, the nature of what must be assessed remains broadly similar.

Another change is that the role of the Data Protection Officer is to be replaced by a new role, with the title Senior Responsible Individual (S14).

Changing the Definition of ‘Personal Data’

The New Data and Digital Bill intends to refine which information data protection law applies to. Under the Bill, information relating to a living individual is personal data only where:

  • the individual is identifiable by the controller or processor by reasonable means at the time of the processing; or
  • the controller or processor knows, or ought reasonably to know, that another person is likely to obtain the information as a result of the processing and that the individual is likely to be identifiable by that person by reasonable means.

Legitimate Interests

An individual’s consent is not needed in every circumstance to process personal data. Consent is only one of the lawful bases for processing; a controller must be able to rely on at least one of them, and should identify which basis applies before the processing begins.

One of those bases is legitimate interests. To rely on it, an organisation must complete a balancing exercise and carefully consider whether there is a legitimate interest behind the processing of personal data. The balancing test requires the organisation to establish whether a legitimate interest exists, whether the processing is necessary for that interest, and whether the interests, rights and freedoms of the individuals concerned are likely to override it.

The New Data and Digital Bill, however, would remove the balancing test for certain activities by creating a list of recognised legitimate interests. One of the examples on the new list is processing necessary for the purposes of detecting, investigating or preventing crime.

It must be noted that it is not yet clear whether organisations will still have to complete some form of legitimate interests assessment in order to establish grounds for processing under a recognised legitimate interest.

Final Thoughts

The second reading of the New Data and Digital Bill will take place in the House of Commons on 5th September 2022. The overall principles of the Bill will be debated and, if the Bill passes its second reading, it will move to the Committee Stage.

It will therefore take some time before the Bill could become law. However, the second reading will provide further clarity on, and refinement of, the proposed reforms.

If you have any questions on the above or data protection compliance more generally please contact Neil Williamson.