In our What’s on the horizon series we keep an eye on some of the legislation working its way through Parliament to give you a heads up of what may be in store and what impact it may have on your business.
Data Protection and Digital Information Bill
The Bill had its First Reading on 18 July 2022 and has not yet progressed any further. There is still some way to go until it hits the statute books, with the potential for debate and amendment, but here is a summary of the Bill in its current form:
Goodbye Data protection officers
The DPO is to be replaced by a suitable “senior responsible individual”, who must be “part of the organisation’s senior management”. This may cause difficulty for organisations that currently outsource the role to an external consultant. It is also unclear whether a DPO appointed to comply with the EU GDPR could also act as the senior responsible individual, given that the EU GDPR requires a DPO to be independent.
Data Protection Impact Assessments
Whilst the requirement to undertake DPIAs is being removed, organisations will still need to be able to demonstrate that they have identified, assessed and managed the risks arising from their processing of personal data.
Record of Processing Activities (“ROPA”)
Article 30 (ROPA) is to be omitted and replaced by a slightly less burdensome record keeping requirement: records must still be kept, but the requirement to maintain records of processing activities is set to be replaced with a requirement to maintain personal data inventories.
High risk processing consultations
In addition to the removal of DPIAs, organisations will no longer be required to consult the ICO before carrying out high risk processing. Prior consultation becomes a voluntary process, and organisations may choose whether or not to continue the practice going forward.
UK representatives
The Bill removes the requirement for controllers and processors that are not established in the UK, but that fall within the scope of the UK GDPR, to appoint a UK based representative.
Recognised Legitimate Interests
The Bill introduces a pre-approved list of “recognised legitimate interests” which automatically satisfy the balancing test otherwise required in order to rely on legitimate interests as a lawful basis. The interests on the list are focused on the public interest, and the government will be able to add further legitimate interests to the list later on.
Redefining Personal Data
There are changes to the definition of “personal data”. The government’s aim is to clarify when an individual is identifiable and within the scope of data protection law and to “avoid setting an impossibly high standard for anonymization”.
Information will be personal data:
if the individual can be identified from the information by the controller/processor at the time of processing using reasonable means; or
where the controller/processor knows or ought to know that another person is likely to obtain the information as a result of the processing, and the individual will be, or is likely to be, identifiable by that other person using reasonable means.
Right to refuse excessive data subject access requests (DSARs)
Whilst the Bill does lower the threshold for refusing a DSAR from “manifestly unfounded or excessive” to “vexatious or excessive”, those hoping for wider reform are likely to be disappointed. Examples of the types of requests that organisations may consider vexatious or excessive are provided in the Bill and include requests that are:
an abuse of process;
intended to cause distress; or
not made in good faith.
Further guidance from the ICO will be important to understand how much of a change this makes in practice.
Automated Decision Making
The Bill is set to replace Article 22 (GDPR) with a new provision which clarifies the definition of a “solely automated” decision as being a decision made without meaningful human involvement. Further, the Bill will only restrict automated decision-making where special category data is being processed.
The safeguards have been expanded to include an obligation on controllers to provide information to data subjects regarding any automated decisions that have been made. This will allow the data subject to contest the decisions, make representations and also obtain human intervention.
Cookies
Organisations will no longer need to obtain consent for statistics (analytics) cookies, preference cookies, cookies used to install security updates, or cookies used to geolocate an individual in an emergency. Individuals must still be given a right to object to these cookies (other than the emergency geolocation cookies), so, for now, this is not the end of cookie notices and banners.
The Bill also paves the way in the future to remove cookies banners altogether. However, this will only take place when the government deems browser-based solutions to be widely available. Consent for cookies will in any case continue to be a requirement for websites likely to be accessed by children (e.g. those caught by the Age Appropriate Design Code).
PECR fines
The fines that the ICO can impose under the Privacy and Electronic Communications Regulations (PECR) are to be brought in line with those under the UK GDPR, so fines of up to the higher of £17.5m or 4% of an organisation’s annual worldwide turnover will be possible.
Adequacy and international transfers
When making an adequacy decision, the Secretary of State will apply a “data protection test” and may have regard to any matters they consider relevant, including the desirability of facilitating transfers of personal data to and from the UK. Any changes that move the UK’s data protection regime too far from the EU GDPR would put the UK’s own EU adequacy status at risk, a price many consider too high to pay for data protection reform. With the EU’s adequacy decisions for the UK due to expire in 2025, all eyes will be on the passage of the Bill through Parliament and on comment from the EU.
Retained EU Law (Revocation and Reform) Bill
The snappily titled Retained EU Law (Revocation and Reform) Bill was introduced on 22 September 2022. The long title of the bill is:
“A Bill to revoke certain retained EU law; to make provision relating to the interpretation of retained EU law and to its relationship with other law; to make provision relating to powers to modify retained EU law; to enable the restatement, replacement or updating of certain retained EU law; to enable the updating of restatements and replacement provision; to abolish the business impact target; and for connected purposes”.
At the time of writing, the Bill is working its way through the House of Lords, so there is scope for further amendment before it receives Royal Assent. It therefore remains to be seen what the final version will look like, and we shall provide further details in our next updates. For now, suffice it to say that its implications may be significant for many businesses: there is a vast amount of retained EU legislation to be reviewed, and decisions to be made about what should remain.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.