In July last year the Government, under then Culture Secretary Nadine Dorries, introduced a Data Protection and Digital Information Bill. We wrote about that Bill here, and said, at the time, that, despite some of the changes which had been hinted at, in many ways it did not look likely fundamentally to change the core UK data protection law.
The Government, now under Culture Secretary Michelle Donelan, has this week published a new draft instrument – the Data Protection and Digital Information (No.2) Bill.
What is remarkable is how little difference there is between the first Bill and No.2. (A comparison of the two draft instruments suggests that there is no more than approximately a 1% difference.)
Some of the limited, but possibly notable, changes include:
- Recitals 47, 48 and 49 of the UK GDPR become a new Article 6(9). These state that processing necessary for the purposes of legitimate interests will include processing necessary for: the purposes of direct marketing; intra group transmission of personal data (whether personal data of clients, employees or other individuals) necessary for internal administrative purposes; and processing necessary for the purposes of ensuring the security of network and information systems. Very little may turn on this: recitals (at least in European Union law) may not have the binding status of law, but wherever there is ambiguity or lack of clarity, they will constitute a definitive interpretative guide for a court. Therefore, moving a recital to the Articles may not have any substantive effect.
- The definition of "processing of personal data for the purposes of scientific research" is changed so that it expressly includes research carried out as a "commercial" activity. This is with the important caveat that where such processing is for the purposes of a study in the area of public health it must relate to a study conducted in the public interest.
- To the extent that a controller will still be required to maintain a record of the processing of personal data (along the lines of current Article 30 UK GDPR) this will now only apply where the controller carries out processing that is likely to result in a high risk to the rights and freedoms of individuals.
- There is some slight tweaking of wording in relation to the transfer of personal data out of the UK to a third country, but the effect appears largely unchanged. Parties who will have entered into lawful arrangements for such transfer prior to the enactment of the Bill should not need to enter into new arrangements.
The Bill now needs to go through the usual Parliamentary procedures (presenting it as a new Bill means it has to go back to the starting line). Because the Parliamentary session will now run until Autumn, and given that there has been little suggestion of any objection from the Opposition, there should be ample time for it to be passed.
Speaking to Global Data Review (subscription required) on the Bill, Data Protection Partner Adam Rose said: "[The Bill] retains both the Data Protection Act 2018 and UK GDPR, amending both, which means that those wishing to comply with or use its provisions now need to look at three documents. The realities of international trade mean that the UK can't push things too far for fear of threatening the adequacy decision of the EU, and which has the knock-on effect that third countries would also be reluctant to do data deals with the UK."