UK Government tables a bill to reform the UK’s data protection regime
A summary of key takeaways for businesses from the UK Government’s Data Protection and Digital Information Bill, introduced to Parliament on 18 July 2022.
Although aspects of the bill may raise eyebrows, the bill won’t transform UK data laws in the way heralded in official circles. Whilst the bill will now come under close scrutiny, there is little that should cause the European Commission to revisit the adequacy status which enables free flow of data from the EU to the UK.
As trailed in the Government’s response to its consultation on potential reforms in June 2022, the bill seeks to reduce the compliance burden on organisations, especially smaller businesses. Here, for example, the bill would:
- “Legitimate interest” lawful basis: Introduce a list of conditions for constituting a recognised legitimate interest, and enable the Secretary of State to make further regulations to amend the published list. With the possible exception of processing for the purpose of detecting crime, it is notable that the conditions on the initial list, such as those dealing with national security or democratic engagement, will be of limited interest to businesses.
- Records of Processing Activities: Introduce a requirement to maintain only an “appropriate” record of personal data, with guidance on what is meant by “appropriate”.
- Compatibility of Purposes of Processing: List circumstances in which a processing purpose is deemed compatible with an organisation’s original processing purpose.
- Data Subject Rights: Make various adjustments in relation to data rights, including by adjusting the threshold for refusing access requests, or charging a fee, to “vexatious or excessive”, and codifying earlier ICO guidance on how a response to an access request can be paused.
Through the bill, the Government also proposes to:
- UK Representatives: Remove the requirement for organisations outside the UK which must comply with the UK GDPR to appoint a UK-based representative. This is an interesting move from the perspective of the ICO’s enforcement powers.
- Schrems II and Data Transfer Risk Assessments: Articulate a simplified version of the transfer risk assessment that businesses have been grappling with since the Schrems II judgment and related EU-level guidance. In this context, the bill refers to a “data protection test” that “will be met if, after the personal data being transferred has reached its destination, the standard of protection provided for the data subject (by relevant safeguards and other means, where relevant) would not be lower than the standard of protection under the UK GDPR and relevant parts of the DPA 2018 in a way which is material”. While there is some room for interpretation as to what constitutes a “material” lowering of the standard of protection, there is helpfully also an emphasis on organisations only needing to act “reasonably and proportionately” in carrying out these assessments; according to the Explanatory Notes to the bill, the new test “does not require a point by point comparison of protections for data subjects, which would not be reasonable or proportionate given the ways in which data protection regimes may differ”. Further guidance from the ICO on how to apply this test will be eagerly anticipated.
- Direct Marketing, Cookies, and Tracking Technologies: Introduce new exceptions to the existing requirement to obtain an individual’s consent to storing or accessing information on devices, including through the use of cookies. These exceptions relate to the collection of information for statistical purposes, to accommodating a user’s preferences, to the installation of software updates for security reasons, and to establishing location in the context of emergency communications. Non-commercial organisations would also be able to benefit from the “soft opt-in” to email marketing.
- Processing for Research Purposes: Support the use of personal data in research – most significantly, by introducing a new definition of processing for scientific research purposes and adjusting related requirements to notify individuals.
- The ICO: Overhaul the ICO by, amongst other things, introducing new statutory objectives, changing how the ICO’s strategy is set and publicised, and codifying certain powers of the ICO in the context of investigations. As anticipated based on the Government’s response to consultation, the bill includes a requirement that statutory codes of practice produced by the ICO be approved by the Secretary of State before they are debated by Parliament.
The proposal to relax the circumstances in which organisations can take solely automated decisions producing legal or similarly significant effects will likely be of greatest concern for privacy advocates. This said, the rights of individuals to contest permitted automated decision-making have not been significantly impacted by the bill.
Next Steps
We will provide further updates as the bill continues its passage through the UK Parliament. Businesses would be wise to monitor reactions to the bill from the European Commission.