Take 2 of the Data Protection and Digital Information (No.2) Bill

Readers may recall that the Data Protection and Digital Information Bill (“Bill No.1”) was introduced in July 2022 and subsequently put on hold in September 2022, with the UK Secretary of State indicating at the time that a re-think of the bill was necessary to have "a truly bespoke, British system of data protection".

It may therefore have come as a surprise to those expecting substantial change, that the reforms contained in the New Bill are, in reality, not a dramatic departure from UK General Data Protection Regulation (‘GDPR’) and that, whilst Bill No.1 has been withdrawn, many of its reforms have been incorporated into the New Bill, albeit with some tweaks.

 

Objectives

The reforms in the New Bill are intended to simplify UK data protection laws and reduce compliance “paperwork” for businesses and employers. The other objectives are to ensure that data protection and privacy are securely protected, and that the UK maintains its EU data adequacy status

The government has reported that the reforms should save businesses up to £4.7bn over the next ten years as well as “unlock new discoveries, drive forward next generation technologies, create jobs and boost [the] economy".

 

Key Changes to Bill No.1

Although there are other changes, below we set out the key areas of focus for businesses and employers:

 

•  Legitimate interests

Bill No.1: The bill introduced a list of “recognised legitimate interests” which automatically satisfied the balancing test required in order to rely on legitimate interests as a lawful basis for data processing.

New Bill: In addition to the list, the New Bill provides 3 non-exhaustive examples of processing that may be considered necessary for the purpose of a legitimate interest. These include:

-        direct marketing;

-        intra-group transmission of personal data for internal administrative purposes; and

-        ensuring the security of IT systems.

 

•  Records of processing

Bill No.1: Article 30 of the Record of Processing Activities (‘ROPA’) was omitted and replaced with new, less burdensome, record keeping requirements. Such requirements were restricted to high-risk processing activities and/or organisations with more than 250 employees.

New Bill: The New Bill removes specific reference to a number of employees and places the focus solely on whether the processing ‘is likely to result in a high risk to the rights and freedoms of individuals’. It has retained the test to determine ‘high risk’ established in Bill No.1 whereby organisations must take into account the nature, scope, context and purposes of the processing.

 

•  International transfers

Bill No.1: No significant changes were made to the international transfer regime other than a re-naming of the adequacy assessment process as the ‘data protection test’, to be applied by data exporters when making transfers and assessing the protection offered in the recipient country. The test will be met if the standard of data protection is not materially lower than standards under UK law.

New Bill: The New Bill clarifies that transfer mechanisms used to transfer data outside of the UK, which were lawfully entered into before the New Bill comes into force, will continue to be valid. Once the New Bill is in force, only new transfer arrangements will need to be assessed with reference to the new test.

 

•  Automated decision-making

Bill No.1: The bill clarified Article 22 GDPR by providing that ‘a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision’.

New Bill: The New Bill further clarifies that, when assessing whether there is ‘meaningful human involvement’ in the decision-making, the extent to which the decision is reached by profiling must be considered among other things.  

 

What next?

As with Bill No.1, major concerns remain around whether proposed changes will put at risk the EU-UK adequacy decision. The UK's adequacy decision with the EU (currently to remain in place until 2025) permits a free flow of personal data between the UK and the EU and is crucial for businesses operating and trading internationally. The adequacy decision can be reassessed by the EU if there is any material change in UK data protection law and could end earlier than 2025 if the EU considers that the UK is no longer providing an equivalent level of of protection for personal data.

Although the New Bill is still in its early stages and it is currently unknown what the final version will look like, businesses should start considering now how they will adapt to any new data protection reforms.