In July the government published the Data Protection and Digital Information Bill, the next step in its much-publicised plans to reform the UK data protection regime following Brexit. In the government’s response to the September 2021 consultation (‘Data: A New Direction’) it said it intended ‘to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data’. The bill proposes substantial amendments to existing UK data protection legislation.
Vexatious data subject requests
Article 12 of the UK GDPR allows data controllers to refuse to comply with data subject rights requests (or charge a fee) when the requests are ‘manifestly unfounded’ or ‘excessive’. Clause 7 of the bill proposes to replace these words with ‘vexatious’ or ‘excessive’. Examples of vexatious requests given in the bill are those intended to cause distress, not made in good faith, or that are an abuse of process. All these could easily fit into ‘manifestly unfounded’ and so it is difficult to understand the need for change.
Senior responsible individuals
As announced in June, the obligation for some data controllers and data processors to appoint a data protection officer (DPO) is proposed to be removed. However, public bodies and those who carry out processing likely to result in a ‘high risk’ to individuals are required (by clause 14) to designate a senior manager as a ‘senior responsible individual’ (SRI). Just like the DPO, the SRI must be adequately resourced and cannot be dismissed for performing their tasks under the role.
ROPAs and DPIAs
The requirement for records of processing activities (ROPAs) will also go if the bill is passed in its current form. Clause 15 proposes to replace it with a leaner ‘record of processing of personal data’. Furthermore, clause 17 will replace data protection impact assessments (DPIAs) with leaner and less prescriptive assessments of high-risk processing. Clause 18 ensures that controllers are no longer required, under article 36 of the UK GDPR, to consult the ICO on certain high-risk DPIAs.
International transfers
The judgment of the ECJ in Schrems II ruled that organisations that transfer personal data to the US can no longer rely on the Privacy Shield Framework as a legal transfer tool. It also said that in any international data transfer situation, whether to the US or other countries, the data exporter needs to make a complex assessment about the recipient country’s data protection legislation to ensure that it adequately protects the data, especially from access by foreign security agencies (a transfer impact assessment).
The bill amends chapter 5 of the UK GDPR (international transfers) with the introduction of the ‘data protection test’ for the above-mentioned assessment. This would involve determining if the standard of protection provided for data subjects in the recipient country is ‘not materially lower’ than the UK standard of protection. The new test would apply both to the secretary of state when making ‘adequacy’ determinations, and to controllers when deciding whether to transfer data. The explanatory notes state that the test would not require a ‘point- by-point comparison’ between the other country’s regime and the UK’s. Instead, an assessment will be ‘based on outcomes i.e. the overall standard of protection for a data subject’.
Information Commission
Under clause 100, the Information Commissioner’s Office will become the Information Commission, a corporate body with a chief executive (presumably John Edwards, the current commissioner). The commission would have a principal function of overseeing data protection alongside additional duties and some new powers.
Privacy and Electronic Communications (EC Directive) Regulations 2003
Currently, under PECR, cookies (and similar technologies) can only be used to store or access information on end-user terminal equipment without express consent where it is ‘strictly necessary’ – for example website security or proper functioning of the site. The bill proposes allowing cookies to be used without consent for web analytics and to install automatic software updates.
Another notable proposed change to PECR would permit political parties, charities and other non-profits to send unsolicited email and SMS direct marketing to individuals without consent, where they have an existing supporter relationship with the recipient (an extension of the so-called ‘soft opt-in’). Finally, on PECR the bill proposes to increase the fines for infringement from the current maximum of £500,000 to UK GDPR levels, that is up to £17.5m of 4% of global annual turnover (whichever is higher).
Business data
The bill would give the secretary of state and the Treasury the power to issue regulations requiring ‘data holders’ to make available ‘customer data’ and ‘business data’ to customers or third parties, as well as regulations requiring certain processing, such as collection and retention, of such data. ‘Customers’ would not just be data subjects but anyone who purchased (or received for free) goods, services or digital content from a trader in a consumer (rather than business) context. ‘Business data’ would include information about goods, services and digital content supplied or provided by a trader. It would also include information about where those goods and such are supplied, the terms on which they are supplied or provided, prices or performance and information relating to feedback from customers.
Adequacy?
The bill is passing through parliament although progress has stalled due to the change of government. The impact assessment reiterates that ‘the government’s view is that reform of UK legislation on personal data is compatible with the EU maintaining free flow of personal data from Europe’. Much depends on the balance struck in the final text of the bill.
Ibrahim Hasan is a solicitor and director of Act Now Training
No comments yet