The Data Protection and Digital Information Bill was due to enter the report stage in the House of Lords on 10 June. It may, among other things, make changes to the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). I say ‘may’ because just after I wrote this, Rishi Sunak called a general election. However, there is still a chance of it passing (see later), so let us for now proceed on this basis.

Ibrahim Hasan

The current bill is not substantially different to the previous version, whose passage through parliament was paused in September 2022 so ministers could engage in ‘a co-design process with business leaders and data experts’ and move away from the ‘one-size-fits-all’ approach of the EU’s GDPR.

The following provisions are the same as in the previous version of the bill:

  • Amended definition of personal data: This proposed change would limit the assessment of identifiability of data to the controller or processor, and persons who are likely to receive the information, rather than anyone in the world.
  • Vexatious data subject requests: The terms ‘manifestly unfounded or excessive’ requests, in Article 12 of the UK GDPR, will be replaced with ‘vexatious or excessive’ requests. Explanations and examples of such requests will also be included.
  • Data subject complaints: Data controllers will be required to acknowledge receipt of data subject complaints within 30 days and respond substantively ‘without undue delay’. The Information Commissioner’s Office (ICO) will be entitled not to accept a complaint if a data subject has not made a complaint to the controller first.
  • Data protection officer: The obligation for some controllers and processors to appoint a data protection officer will be removed. However, public bodies and those who carry out processing likely to result in a ‘high risk’ to individuals will be required to designate a senior manager as a ‘senior responsible individual’ who must be part of the organisation’s senior management team.
  • Data protection impact assessments: These will be replaced by leaner and less prescriptive ‘assessments of high-risk processing’.
  • International transfers: There will be a new approach to the test for adequacy applied by the government to countries (and international organisations) and when data controllers are carrying out a transfer impact assessment. The threshold for this new ‘data protection test’ will be whether a jurisdiction offers protection that is ‘not materially lower’ than under the UK GDPR.
  • The Information Commission: The ICO will transform into the Information Commission, a corporate body with a chief executive.
  • PECR: Cookies will be allowed to be used without consent for the purposes of web analytics and to install automatic software updates. Furthermore, non-commercial organisations (for example, charities and political parties) will be able to rely on the ‘soft opt-in’ for direct marketing purposes, if they have obtained contact details from an individual expressing interest. Finally, there will be an increase to the fines from the current maximum of £500,000 to UK GDPR levels – that is, up to £17.5m or 4% of global annual turnover (whichever is higher). 

The main changes from the previous bill are summarised below:

  • Scientific research: The definition of scientific research is amended so that it now includes research for the purposes of commercial activity. This expands the circumstances in which processing for research purposes may be undertaken, providing a broader consent mechanism and exemption to the fair processing requirement.
  • Legitimate interests: The previous bill proposed that businesses could rely on legitimate interests (Article 6, lawful basis) without the requirement to conduct a balancing test against the rights and freedoms of data subjects where those legitimate interests are ‘recognised’. These ‘recognised’ legitimate interests cover purposes for processing such as national security, public security, defence, emergencies, preventing crime, safeguarding and democratic engagement.  The new bill, while keeping the above changes, introduces a non-exhaustive list of cases where organisations may rely on the ‘legitimate interests’ legal basis, including for the purposes of direct marketing, transferring data within the organisation for administrative purposes and for the purposes of ensuring the security of network and information systems, although a balancing exercise still needs to be conducted in these cases.
  • Automated decision-making: The previous bill clarified that its proposed restrictions on automated decision-making under Article 22 of the UK GDPR should only apply to decisions that are a result of automated processing without ‘meaningful human involvement’. The new bill states that profiling will be a relevant factor in the assessment as to whether there has been meaningful human involvement in a decision. It also states that the right under Article 22 only applies to automated processing involving special category data.
  • Records of processing activities (ROPAs): The previous bill streamlined the required content of ROPAs. The new bill exempts all controllers and processors from the duty to maintain an ROPA unless they are carrying out high-risk processing activities.
  • Subject access: Clause 12 of the bill introduced at the House of Commons report stage amends Article 12 of the UK GDPR (and the DPA 2018) so that data controllers are only obliged to undertake a reasonable and proportionate search for information requested under the right of access.

With a general election called, some bills making their way through parliament will still complete their journey in a period of furious horsetrading between the parties, known as the ‘wash-up’ period. This bill may be one.

If the bill is not passed during wash-up, the next government could pick it up, but the bill (or likely a new version) would have to start the full parliamentary process again. Given the Labour Party did not propose substantial amendments to the current bill, this is a possibility.

Ibrahim Hasan is a solicitor and director of Act Now Training (www.actnow.org.uk)