Data Protection reform right back on the agenda

In terms of what has not been revived, there is no longer a proposal to jettison the requirements for certain data controllers to appoint data protection officers, nor to conduct "data protection impact assessments" of high risk processing, or to maintain "records of processing activities". Though the absence of repeal of these provisions will reassure many, questions may remain about whether these obligations impose unnecessary compliance obligations on some SMEs.

Of particular interest to data controllers are clauses in the DUA Bill which would amend data subject access request (DSAR) rights and obligations, "privacy notice" requirements, rules and penalties in the area of cookies and electronic marketing, and the way the Information Commissioner functions.

Data controllers would – assuming the Bill passed in its current form – be able to require a data subject to identify which information or activities a DSAR relates to - for instance where the controller "processes a large amount of information concerning the data subject". In such circumstances, the time for compliance would be "paused". Although this is something that often currently happens in practice, it would be put on a statutory footing. Similarly, although it is common for a controller to decide that the time for compliance with a DSAR does not begin until the controller is satisfied as to the identity of the requester, the DUA Bill would make it clear in law that this was the case.

The Bill would also put into statute the point that courts have made on several occasions: that when searching for personal data in response to a DSAR, the search need only be a "reasonable and proportionate one".

"Privacy notices" are the means whereby controllers meet their current obligations under Articles 13 and 14 of the UK GDPR to provide information to data subjects about processing. The DUA Bill contains clauses which were not in the prior bill, and which are of real significance. The Bill proposes that the obligation to give a privacy notice to data subjects from whom data is directly collected will not apply to the extent that providing it "is impossible or would involve a disproportionate effort". It gives examples of factors that might be taken into account when considering whether there would be a "disproportionate effort", such as "the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing. Similar wording is proposed for the Article 14 case where personal data is collected but not directly from the data subject. It seems likely that if these clauses are enacted, the obligation on data controllers to notify data subjects of processing will be greatly reduced. Correspondingly, these clauses are likely to be highly controversial, and subject to parliamentary debate.

An interesting side note is that the Bill would require data controllers to have a complaints procedure for data subjects, and it would give the Secretary of State the power to make regulations requiring data controllers to notify the Information Commissioner of how many complaints it had received.

For instance, currently, when someone sends huge volumes of "spam" emails (or text messages) but they are not received by anyone, these do not count as potentially offending communications: the DUA Bill would change this – such communications would be treated as having been sent to a "recipient". This would mean that those who send enormous volumes of speculative "spam" would be more at risk of enforcement action.

What reappears in the proposed amendments to PECR is the proposal that was in the DPDI Bill to permit the use of first-party cookies (and similar technology) for website analytics purposes, without the need to get users' consent. Additionally, the DUA Bill would grant the Secretary of State the power, by making regulations, to introduce other circumstances where cookies might be deployed without consent.

Furthermore, the DUA Bill revives the proposal to increase the potential fine for PECR infringements to UK GDPR levels (£17.5m for the most serious infringements).