The Data Protection and Digital Information (No. 2) Bill has received its second reading in the House of Commons.
The government intends this new UK version of the GDPR to 'reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online'.
First introduced last summer, the Data Protection and Digital Information Bill was paused in September 2022, to enable further consultation with business leaders and data experts.
This note summarises some of the principal proposed changes to the current law.
Data Subject Access Requests: Under the current law, a data controller can only refuse to comply with a subject access request which is “manifestly unfounded or excessive”, a threshold which is generally quite difficult to justify. Under the proposed new law this will change to “vexatious or excessive”. Examples of vexatious requests include those which are not made in good faith, are an abuse of process or are intended to cause distress. A controller can refuse to comply with, or make a charge for dealing with, a vexatious request. One of the factors a business can take into account when considering whether a request is vexatious or excessive is the resources of the business. It will also be made clear that the time limit for a business to respond to a request begins, where applicable, from when the business receives any information requested to confirm the identity of the data subject making the request, or payment of any charge.
Businesses will still need to exercise caution when considering whether refusing or charging for a request can be justified.
Legitimate Interests: One of the legal grounds most relied upon for justifying the processing of data is that it is in the legitimate interest of the data controller. In order to rely on this legal basis for processing, the controller’s interests need to be balanced against the interests, rights and freedom of the individual whose data is being processed.
Under the proposed new law, there will be a new category of “recognised legitimate interests” where this balancing is not required. These include processing for the purposes of, for example, safeguarding national security, the detection, investigation or prevention of crime and safeguarding vulnerable individuals.
The Bill provides examples of where the legitimate interests ground may be used for direct marketing and transferring data within an organisation for administrative purposes. The intention is to give organisations more certainty about when they may be able to process data without obtaining consent.
Complaints: The new law will require individuals who wish to complain about the processing of their data to complain initially to the controller before a complaint is raised with the ICO. The controller will need to provide a complaint form and acknowledge a complaint within 30 days and take appropriate steps to respond without undue delay.
The ICO has a right to refuse to intervene if a complaint has not been made to the controller, the controller has had less than 45 days to respond to a complaint, or if the complaint is vexatious or excessive.
Cookies: Under the current law only cookies which are “strictly necessary” for the use of a website can be set without the consent of the user. Under the proposed new law, the types of cookie (or similar technology) which can be placed without consent will be expanded to include, in summary:
- statistical cookies which analyse how a site is used for the purpose of improving the site;
- cookies enabling the display or function of a site to adapt to the user’s preferences or to improve the display or function;
- cookies to facilitate necessary security updates; and
- cookies to assist in locating a device user at their request in an emergency.
The definition of what constitutes “strictly necessary” has also been widened.
The Government would like in future to make more radical changes which could mean that users would need to opt out of receiving types of cookies. This is not contemplated by the Bill and would be dependent upon the government being satisfied about the availability of effective technical means for users to manage their preferences.
In the meantime, businesses should note that the potential penalties for breach of the legislation relating to cookies are to be substantially increased from the current maximum of £500,000 to the higher of £17.5m or 4% of annual worldwide turnover.
Data Protection Officers: It is proposed that the obligation on organisations engaged in operations requiring regular and systematic monitoring of individuals on a large scale to designate a data protection officer will be replaced with an obligation to appoint a “senior responsible individual”. The new obligation will be triggered where the controller is a public body or where, taking into account the nature, scope, context and purpose of the processing, the processing is likely to result in a high risk to the rights and freedoms of individuals. This differs from the current requirement to appoint a data protection officer which arises where the core activities of the controller require regular and systematic monitoring of data subjects on a large scale. The responsibilities of a senior responsible individual are broadly similar to those of a data protection officer.
Data Protection Impact Assessments: The requirement to conduct data protection assessments in all of the circumstances listed in article 35 of the GDPR is to be removed.
Instead, controllers engaged in high risk processing must conduct a simpler assessment of the purpose of the processing, whether it is necessary for the purpose, the risks to the individual and how the controller proposes to mitigate the risks. It is proposed that where high risk processing is identified, there will also no longer be a requirement to consult with the Information Commissioner.
Record keeping: The Bill reduces the obligation to maintain records of processing activities by providing that such records will need to be kept only where the personal data processing is likely to result in a high risk to the rights and freedoms of individuals. The intention is to reduce compliance costs.
The details which need to be recorded have been revised. Controllers will need to keep records of where the personal data is located, the purpose of processing, any transferees or proposed transferees with whom the data will be shared, the proposed retention period, any special categories of data or criminal conviction data and security arrangements for the data.
There will no longer be a requirement to record contact details of the controller or data protection officer nor other categories of data or of data subjects held.
International Transfers: The Bill confirms that the current provisions for making lawful international transfers of data will remain in place when the new law comes into effect, so businesses can continue to rely on these and should not need to make changes to their existing arrangements.
Reform of the ICO: The Bill proposes that the ICO (Information Commissioner) will be replaced by a new corporate body, the Information Commission, of between 3 and 14 members. In performing its principal functions of securing an appropriate level of data protection and promoting trust and confidence in the processing of personal data, the new body will need to bear in mind factors such as the promotion of innovation and competition, the prevention or detection of crime and national security.
Concerns have been raised that this may give rise to a dilution of the ICO’s independence and so affect the exercise of its powers.
Summary
The Bill is intended to ease some of the administrative burdens faced by businesses in complying with the GDPR. This note does not cover all of the proposed changes. Generally, the proposed changes are more in the nature of tweaks than substantial revision, but some of the changes may be significant.
Businesses that have established procedures for complying with the current law and that process data of individuals in the EU may choose, for consistency, to continue to follow the rules set out under the current law, which mirror the EU GDPR, rather than adopting revised practices for the UK only.
It remains to be seen how the EU will view the final form of the proposed legislation and whether its adoption might affect the EU’s finding that the UK provides adequate protection for the processing of EU citizens’ data.
The Bill is still proceeding through Parliament and so is not yet in final form. Some of the proposed changes may be subject to revision. We will provide a further update when the legislation is finalised.
In the meantime, if you have any questions about data protection compliance, please contact Sydney Mitchell on 08081668827.