On 8 March 2023, the UK government introduced to Parliament a new version of the Data Protection and Digital Information Bill, the DPDI (No. 2) Bill. Like its predecessor, the new bill aims to reduce the burden of compliance with the UK GDPR and the Data Protection Act 2018 that supplements it for organisations in the UK.
What are the main proposed changes?
| Area | Proposed change |
|---|---|
| Personal data definition | Pseudonymised data is personal data only if it can be re-identified by means a person is "reasonably likely to use", judged by the time, cost and effort involved and the technology and resources available to that person. The aim is to exclude data to which the controller or processor has applied technical and organisational measures that prevent third-party access. |
| Records of processing | No longer required unless the organisation carries out high-risk processing. |
| Legitimate interests | Direct marketing, the intra-group transmission of personal data, and the security of network and information systems are listed as examples of legitimate interests. A balancing test is still required for each of these. |
| Further processing for scientific research purposes | Expands the scope to cover any research that can reasonably be described as scientific, whether privately or publicly funded and whether for a commercial or non-commercial activity, including statistical research. Controllers are exempt from notifying individuals about such processing where the data was provided directly by them and notification would involve disproportionate effort. |
| Data subject rights | Allows controllers to refuse a data subject request, or charge a fee, if it is "vexatious" (replacing "manifestly unfounded") or excessive. Controllers may take the resources available to them into account. Examples listed include a request "intended to cause distress", "not made in good faith" or "an abuse of process". Controllers may stop the clock to seek clarification of a request if they hold a large amount of data about the requestor. |
| DPIA | Replaced with a simplified "assessment of high-risk processing". |
| Representatives for controllers/processors not established in the UK | No longer required. |
| DPO | No longer required; organisations carrying out high-risk processing must instead designate a senior responsible individual (a senior manager). |
| Adequacy decisions by the UK | The standard applied becomes a level of protection "not materially lower" than the UK's, instead of "essentially equivalent" to it. |
| Privacy and Electronic Communications Regulations (PECR) | Fines for breaching the PECR rules on direct marketing and cookie consent are raised to UK GDPR levels. Providers of public electronic communications services and networks must report suspicious direct marketing activity to the ICO. |
| Cookie consent exemptions | New exemptions cover collecting statistical information to make improvements, enabling the appearance or function of a website to reflect user preferences, installing necessary security updates to software on a device, and identifying an individual's geolocation in an emergency. |
The UK government wishes to maintain its EU data adequacy decision. It therefore argues that the proposed changes do not affect the fundamental principles of the GDPR or the core controller and processor obligations.
Which organisations will be affected?
Organisations based in the UK, or offering goods or services in the UK, will be subject to the new rules if the bill becomes law. A key question for multinational organisations with a presence in both the EU and the UK is whether to treat the UK the same as the EU or to accept a regulatory patchwork.
The bill must still pass through its remaining stages in the House of Commons and then be reviewed by the House of Lords before it can receive Royal Assent and come into force.