The Government has now published a Data Protection and Digital Information Bill, to follow up its consultation response in June.
Long and complex, the Bill proposes reforms to core data protection law as well as dealing with certification of digital identity providers, electronic registers of births and deaths and information standards for data-sharing in the health and adult social care system.
We will provide further and more detailed commentary in due course, as the Bill progresses through Parliament and – indeed – if and when it is enacted.
Below, we highlight some of the notable aspects.
What it doesn't do
Before turning to the actual clauses of the Bill, it is important to note what it omits.
It does not repeal the UK GDPR: it seems clear that the GDPR itself is still accepted as the framework for our domestic laws. We will still have a UK GDPR (but amended), a Data Protection Act 2018 (but amended) and "PECR" – the Privacy and Electronic Communications (EC Directive) Regulations 2003 (but amended).
However, with the multiple amendments proposed in the Bill, the UK GDPR is starting to look quite different to its European cousin. And the more the two regimes diverge, the more there is a risk that the EU might question whether it still considers the UK to have an "adequate" regime for the purposes of data transfers.
The Bill also does not create a scheme of "privacy management programmes", at least not using that term, as trailed in the June announcement. However, most of the proposals that were to have fallen under that banner are still there.
Another thing the Bill doesn't do is – in many cases – create directly applicable provisions. There are many clauses which confer powers on a future secretary of state to make secondary legislation. Although this is now a common feature of law-making, in this instance the Bill also proposes to amend the UK GDPR itself to confer these secondary legislation powers with a new Article 91A (at clause 44). This has already received some criticism.
What it does propose to do
Definition of personal data
The Bill starts off at clause 1 with a bold attempt to refine the definition of "personal data", specifically those parts of the existing definition which refer to an "identifiable living individual". The clause proposes that information being processed will be information relating to an identifiable living individual only where they are:
"identifiable by the controller or processor by 'reasonable means' at the time of the processing", or "where the controller or processor knows, or ought reasonably to know, that another person will, or is likely to, obtain the information as a result of the processing, and the living individual will be, or is likely to be, identifiable by that person by reasonable means at the time of the processing."
Not only is this convoluted, it does not deal with the fact that both direct and indirect identification have to be factored in, nor with the fact that "by reasonable means" means that the individual is identifiable by the person by any means that the person is reasonably likely to use.
There have been several cases over the years where some of the country's best judges have grappled with definitions of "personal data" and identifiability. One of them (the case of Durant from 2003) is controversial even now, and it – in part – caused the UK to be put at risk of infraction proceedings by the European Commission. One suspects that this proposed clause may well be seen by the European Commission as a narrowing of the definition, leading to a diminution of rights. If so, the Bill's very first clause might become a battleground.
Vexatious data subject requests
UK GDPR allows controllers to refuse to comply with such requests when they are "manifestly unfounded" or "excessive". The Bill proposes, at clause 7, that this should instead be "vexatious" or "excessive". Examples are given in the Bill of requests intended to cause distress, not made in good faith, or that are an abuse of process. It is difficult to see how any of these could be "vexatious" but could not already have been "manifestly unfounded". It is worth noting that – as its use in the Freedom of Information Act regime has shown – the term "vexatious" is a complex and emotive one. It is not clear what this change will actually achieve.
Removal of requirement for an Article 27 representative
The UK GDPR currently provides that, where a controller is outside the UK, but still caught by its extra-territorial provisions, it must appoint a representative in the UK (this mirrors the GDPR itself). The Bill proposes to remove this requirement in total (clause 13). This may be a notable saving for some large companies who operate outside the UK, but offer goods and services to data subjects in the UK. It may also be bad news for those who currently offer Article 27 representative services.
Goodbye DPOs, hello Senior Responsible Individuals
As predicted, the obligation for some controllers and processors to have to appoint a data protection officer (DPO) is proposed to be removed. However, public bodies and those who carry out processing likely to result in a "high risk" (undefined) to individuals, must designate a senior manager as a "Senior Responsible Individual" (clause 14). This requirement for the person to be a senior manager (rather than just reporting to senior management, as current DPOs must) may well pose a challenge to those currently offering outsourced DPO services.
The Senior Responsible Individual must be adequately resourced and cannot be dismissed for performing their tasks under the role. While this sounds somewhat like the DPO under the UK GDPR, one of the tasks assigned to the "SRI" is unusual: they are responsible for "dealing with personal data breaches". It may be that what is envisaged here is the administrative side of dealing with them – one would hope so, because personal data breach response is a team job and arguably an organisation-wide job and responsibility.
Records of processing and DPIAs
Again, although Article 30 Records of Processing Activities (ROPAs) are slated to go, they are to be replaced by a requirement – albeit a leaner one – to have a "Record of Processing of Personal Data" (clause 15). At clause 17, Data Protection Impact Assessments (DPIAs) will become Assessments of High Risk Processing (again, probably leaner and less prescriptive than the existing requirements). Added to this, in the context of DPIAs, at clause 18 controllers will no longer be required, under Article 36 UK GDPR, to consult the Information Commissioner's Office on certain high risk DPIAs – instead, they will merely be permitted to do so.
An Information Commission, its roles and powers
Instead of all the powers and responsibilities of the office being vested in one person, as a "corporation sole", the Information Commissioner, under clause 100, would transform into an Information Commission – a "body corporate", with a chief executive (the first incumbent will – presumably – be current Commissioner John Edwards). The effect of this may take some time to be seen.
Notably, the Commission would have a principal function (overseeing data protection and presumably freedom of information law, which might also need to be amended) but also certain duties, such as to have regard (as relevant) to the desirability of promoting innovation; the desirability of promoting competition; the importance of the prevention, investigation, detection and prosecution of criminal offences; and the need to safeguard public security and national security.
The Commission(er) would also gain other new powers. These include an audit/assessment power to require a controller to appoint a person (approved by the Commission(er)) to prepare and provide a report (clause 35), and a power to compel individuals to attend for interviews in civil as well as criminal investigations (clause 36).
Data subject complaints
Currently, the UK GDPR allows a data subject to complain to the Information Commissioner, but nothing expressly deals with whether or how they can actually complain in the first place to a controller. The Bill would make provision for this and require the controller to acknowledge receipt of such a complaint within 30 days and respond substantively "without undue delay" (clause 39). The flipside of this is that if a data subject has not availed themselves of this right, the Commission(er) is entitled not to accept the complaint (clause 40).
International transfers of data
The most notable change here (and one which might again attract the ire of the European Commission) is around the introduction of what would be known as the "data protection test" for overseas jurisdictions. This would involve determining if the standard of the protection provided for data subjects in the data receiver's country is "not materially lower" than the standard of the protection provided for data subjects in the UK. The "data protection test" would apply both to the Secretary of State (when making "adequacy" determinations) and controllers (when deciding whether it is safe to use other transfer mechanisms). As the explanatory notes to the Bill say, the test would not require a "point-by-point comparison" between the other country's regime and the UK's (Schedule 5). Instead an assessment will be "based on outcomes i.e. the overall standard of protection for a data subject". An outcome-based approach would be highly valued by industry, particularly for international transfers of personal data that is of no practical interest to foreign security services. However, this approach will score very badly when the EU-UK adequacy assessment is reviewed in 2024.
Scientific and historical research
Clause 2 of the Bill deals with the processing of personal data for scientific research and historic research and proposes that the term would include publicly and privately funded research, including research for technological development or demonstration, fundamental research or applied research. However, where the research concerns public health, it would fall within the term only if conducted in the public interest.
"Historic research" would include research for genealogical purposes. However, the latter term is undefined in the Bill with potentially significant implications: some of the very large commercial genealogy databases have received criticism in recent years, including around the promotion of DNA profiling in pursuance of genealogical research. One hopes that Parliament will be alive to these issues and consider adding protective provisions to avoid too broad an application.
Automated decision making
Article 22 of UK GDPR currently confers a "right" on data subjects not to be subject to automated decision making which produces legal effects or otherwise significantly affects that data subject. The Bill proposes no longer to cast this as a right, but the replacement provisions, at clause 11, appear to retain similar protections to those which Article 22 currently offers. However Article 22 has always been a complex and controversial area and these proposed amendments will require some scrutiny.
Email and SMS marketing, and cookies
As predicted, the Bill proposes extending the circumstances under which cookies (or similar technology) can be used to store or access information on end user terminal equipment without express consent. Currently, this is only permitted where the technology is "strictly necessary" for the purposes of providing the website/web service. The Bill would make it permissible if it were being deployed for the purposes of web analytics, although only if the information is not shared with any other person except for the purpose of enabling that other person to assist with making improvements to the service or website (clause 79). Another permitted "non-consent" use of cookies would be to install automatic software updates.
Notably, the key technical definitions in PECR, in relation to cookies etc. (such as "storing information" on "terminal equipment") are largely unchanged, even though they are more than twenty years old and reflect an internet that was very different from today's. However, it is worth noting that the Bill proposes to say that "gaining access to information stored in the terminal equipment of a subscriber or user includes a reference to collecting or monitoring information automatically emitted by the terminal equipment". This would seem to clarify that the use of techniques such as browser fingerprinting and reverse DNS look-ups would be covered.
Another notable proposed change to PECR, at clause 82, would permit political parties, charities and other non-profits to send unsolicited email and SMS direct marketing to individuals without consent, where they have an existing supporter relationship with the recipient. This is similar to the existing provisions which allow such marketing to be sent to those who have purchased or proposed to purchase goods or services from those sending the marketing.
The Bill would also extend the reach of the law when it comes to nuisance calls, by including all calls, whether or not they connect with the intended recipient, within its ambit (clause 80).
If infringed, all of these provisions would potentially be punishable by fines on the UK GDPR scale of up to £17.5m or 4% of global annual turnover (whichever is higher), instead of the current maximum of £500,000 (Schedule 10).
Access to business data
Finally, an interesting set of "Smart Data" provisions (clauses 61-77) would allow the Secretary of State, by secondary legislation, potentially to create a new right of access by "customers" to "business data". "Customers" would not just be data subjects, but anyone who purchased (or received for free) goods, services or digital content from a trader in a consumer (rather than business) context. "Business data" would include information about goods, services and digital content supplied or provided by a trader. It would also include information about where those goods etc. are supplied, the terms on which they are supplied or provided, prices or performance, and information relating to feedback from customers. Customers would potentially have a right to access their data, which might include (as the explanatory notes to the Bill explain) information on the customer's usage patterns and the price paid, to aid personalised price comparisons. Similarly, businesses could potentially be required to publish, or otherwise make available, business data.
The explanatory notes suggest that these provisions go further than existing data portability provisions in the UK GDPR, which don't guarantee provision of data in "real time", nor cover wider contextual data. Nor do they apply where the customer is not an individual.
These provisions would repeal similar regulation-making provisions which are currently in the Enterprise and Regulatory Reform Act 2013.
Conclusion
This is a complicated Bill, covering multiple different areas (many of which we haven't touched on). Despite best intentions, it would, if enacted, still leave a patchwork of laws for companies to have to negotiate and comply with. Writing about the consultation response in June, we said that the devil would be in the detail. Analysing the Bill, it seems that some of the details (and potentially some of the devils) are not where one might have expected.