
Data Protection reform right back on the agenda

Posted on 24 October 2024

The government has, on 23 October, introduced a Data (Use and Access) Bill (DUA Bill) into Parliament. It revives many of the provisions of the Data Protection and Digital Information Bill (DPDI Bill) which failed to get passed prior to July's General Election, but drops some of the more controversial ones. But, for good measure, there are some notable new proposals. 

The UK GDPR 

Not repealed – accountability provisions 

In terms of what has not been revived, there is no longer a proposal to jettison the requirements for certain data controllers to appoint data protection officers, nor to conduct "data protection impact assessments" of high risk processing, or to maintain "records of processing activities". Though the absence of repeal of these provisions will reassure many, questions may remain about whether these obligations impose unnecessary compliance obligations on some SMEs.

Amendments of note 

Of particular interest to data controllers are clauses in the DUA Bill which would amend data subject access request (DSAR) rights and obligations, "privacy notice" requirements, rules and penalties in the area of cookies and electronic marketing, and the way the Information Commissioner functions.

DSARs 

Data controllers would – assuming the Bill passed in its current form – be able to require a data subject to identify which information or activities a DSAR relates to – for instance where the controller "processes a large amount of information concerning the data subject". In such circumstances, the time for compliance would be "paused". Although this is something that often currently happens in practice, it would be put on a statutory footing. Similarly, although it is common for a controller to decide that the time for compliance with a DSAR does not begin until the controller is satisfied as to the identity of the requester, the DUA Bill would make it clear in law that this was the case.

The Bill would also put into statute the point that courts have made on several occasions: that when searching for personal data in response to a DSAR, the search need only be a "reasonable and proportionate one".

Privacy notices 

"Privacy notices" are the means whereby controllers meet their current obligations under Articles 13 and 14 of the UK GDPR to provide information to data subjects about processing. The DUA Bill contains clauses which were not in the prior bill, and which are of real significance. The Bill proposes that the obligation to give a privacy notice to data subjects from whom data is directly collected will not apply to the extent that providing it "is impossible or would involve a disproportionate effort". It gives examples of factors that might be taken into account when considering whether there would be a "disproportionate effort", such as "the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing". Similar wording is proposed for the Article 14 case where personal data is collected, but not directly from the data subject. It seems likely that if these clauses are enacted, the obligation on data controllers to notify data subjects of processing will be greatly reduced. Correspondingly, these clauses are likely to be highly controversial, and subject to parliamentary debate.

Complaints procedures 

An interesting side note is that the Bill would require data controllers to have a complaints procedure for data subjects, and it would give the Secretary of State the power to make regulations requiring data controllers to notify the Information Commissioner of how many complaints they had received.

PECR 

There are some interesting proposed amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

Spam sent to no one 

For instance, currently, when someone sends huge volumes of "spam" emails (or text messages) but they are not received by anyone, these do not count as potentially offending communications: the DUA Bill would change this – such communications would be treated as having been sent to a "recipient". This would mean that those who send enormous volumes of speculative "spam" would be more at risk of enforcement action.

Analytics without consent 

What reappears in the proposed amendments to PECR is the proposal that was in the DPDI Bill to permit the use of first-party cookies (and similar technology) for website analytics purposes, without the need to get users' consent. Additionally, the DUA Bill would grant the Secretary of State the power, by making regulations, to introduce other circumstances where cookies might be deployed without consent.

PECR fines to equal UK GDPR level 

Furthermore, the DUA Bill revives the proposal to increase the potential fine for PECR infringements to UK GDPR levels (£17.5m for the most serious infringements).

The Information Commissioner 

The proposal to recast the Commissioner (a "corporation sole") as a Commission, with a chief executive, is also revived. However, also revived is the intention that the Secretary of State would have considerable ability to affect the operation of the Commission – for instance, they would be able to determine the number of members, would be able to appoint non-executive members and would have to be consulted on the matter of the appointment of a chief executive.

What does it all mean? 

"Never let a good bill go to waste" may well have been the thought of ministers in the new Labour administration, when they took power in July. Certainly, by breathing life back into the expired DPDI Bill, they have declined the opportunity a) to decide to prepare a wholly new bill, or b) to decide there was no need for change at all. And many of the returning provisions are sensible (and some of those which have been dispensed with are not going to be mourned).

What now needs to be observed closely is how any final enactment lands with business, and how it lands with the European Commission. The UK-EU "adequacy agreement", which enables effective free movement of personal data between the two jurisdictions, is due to expire (and be renegotiated) in 2025. If the EU member states, and the European Commission, decide that the UK has diverged too far from the EU model, they may want to take the opportunity to give the UK a bloody nose. And that, in itself, would inevitably have an economic impact.

There is a long road ahead.
