Earlier this month, the United Kingdom government introduced Bill No. 2 – Data Protection and Digital Information (“Bill 2”) that reforms the UK version of the European’s General Data Protection Regulation (“UK GDPR”).
While avoiding whole-sale changes that would upend the core principles of the UK GDPR as it exists today—such as data protection rights, the controller-processor regime, and general data protection obligations—Bill 2 tries to make targeted changes aimed at making the UK GDPR more “business-friendly” in a bid to make the UK a more appealing destination for business in the post-Brexit world.
For businesses that are already compliant with the EU GDPR and/or the UK GDPR, the good news is that the reforms will not necessitate changes to data protection compliance programs already in place. However, if passed, Bill 2 will allow businesses potential efficiencies in how it complies with the UK GDPR.
Some examples of the target reforms in Bill 2 are (1) a shift in the legal bases necessary to make processing of personal data lawful that removes the need to balance the rights and interests of the data subjects; (2) a broader definition of “legitimate interest” as a business’ legal basis to make processing lawful; (3) replacing the obligation of establishing a data protection officer; (4) lowering the threshold for international data transfers; (5) limiting when businesses need to maintain data processing records; and (6) a relaxing of the prior consent rules related to cookies and direct marketing.
The UK government, through Bill 2, is attempting to walk the fine line of making the UK data protection regime more business-friendly while at the same time maintaining the UK GDPR in a manner that does not threaten its adequacy status as recognized by the EU.
It is important to note that, while the UK is proposing a slight relaxation of the UK GDPR, the EU GDPR will still be in full effect regardless of any UK reforms. Businesses operating in the EU and beyond the UK will need to continue their data protection compliance program in line with EU standards and requirements.
See below for further analysis of some of the most important changes proposed in Bill 2.
Legal Bases for Processing
The UK GDPR, in line with the EU GDPR, offered only limited bases to make the processing of personal data lawful: (1) prior consent from the data subject; (2) processing is necessary to perform a contract with the data subject; (3) processing is necessary for compliance with a legal obligation that that the business is subject to; (4) processing is necessary for the performance of a task in the public interest; (5) processing is necessary for the purposes of a legitimate interest the business might have, unless such legitimate interests are outweighed by the fundamental interests or rights of the data subjects.
Bill 2 makes an important change to the legitimate interest processing basis as it removes the requirement to balance the legitimate interest against the fundamental interests or rights of the data subjects.
Bill 2 also provides an exemplar list of legitimate interests—beyond what many might have considered legitimate interests under the current UK GDPR. The new example legitimate interests include: (1) processing personal data for direct marketing purposes; (2) intra-group or intra-company transmission of personal data (whether the personal data is related to employees, customers, clients, or other individuals) where necessary for internal business administrative purposes; and (3) processing of personal data necessary for the purposes of ensuring the security of a network and information systems.
Further, the UK GDPR currently requires a new lawful basis be established when personal data collected for one specified purpose is then processed for another, new purpose—and normally consent is required. This is called the “Purpose Limitation Principle”. Bill 2, however, expands the purposes under which a business can process personal data beyond the original purpose by clarifying that a business is not in violation of the Purpose Limitation Principle where subsequent processing for a new purpose is compatible with the original purpose.
The new purpose is considered compatible where, for example, the new purpose is: (1) pursuant to a data subject’s new consent; or (2) for the purposes of scientific or historical research, archiving the public interest, or for statistical purposes.
Importantly, “statistical purposes” is defined under Bill 2 as meaning processing for statistical surveys or to produce statistical results where the information that results is aggregated, non-personal data and where the controller does not use the personal data processed or resulting from the survey in support of decisions with respect to individual data subjects. Essentially, processing will be considered for “statistical purposes” if a business is creating aggregated data and not using the data to take targeted action against or for specific individuals.
UK Representative and Data Protection Officers
Bill 2 also removes the requirement that businesses that are not established physically in the UK, but that process UK personal data must appoint a representative that is located in the UK. If passed, businesses in the United States, for example, that process UK personal data and do not have a physical location in the UK will not be required to appoint a UK-based representative.
Additionally, Bill 2 replaces the data protection officer requirement that businesses have become accustomed to and instead imposes a “senior responsible individual.” Further, a senior responsible individual in charge of overseeing data protection efforts is only required where processing of personal data in the business is likely to represent a high risk to individuals. This is a move away from the data protection officer requirement that necessitated a dedicated data protection resource in a business in almost all cases, to only certain instances.
The main qualification needed to be considered a senior responsible individual is that they be a member of the business’s senior management. They will not be required to be “independent” meaning they can continue maintaining other—non-data protection related—roles and responsibilities.
Cookie Consent
Currently, under the UK GDPR, prior expressed consent is necessary prior to a business loading or processing cookies, with the only exception being those cookies that are strictly necessary and essential in order for the website to exist and work.
Under Bill 2, the new exceptions to the prior cookie consent requirement include: (1) the business if providing an information society service; (2) the business is only using the cookies to collect information for statistical purposes about how the service is used (i.e., analytics) and the information is not shared with other parties except for the specific analytical purposes; and (3) the user is provided with clear and comprehensive information about the purposes of the cookies. In any of the foregoing three cases, however, businesses will still be required to provide the user with a simple means of objecting to the cookies.
This is a major departure from the current EU data protection regime as now, businesses will more easily be able to collect analytical data about their websites and products without needing to obtain prior consent.
Moving Forward
The UK GDPR is still in effect and is in lock step with the EU GDPR for the time being. However, the proposed reforms represent a desire by the UK to make it a potential “haven” from the strict data protection regime that has existed in the EU and Europe more generally over the past five years.
However, businesses should not start making decisions or contemplating changes to their data protection compliance programs based on the reforms until they are fully passed through the UK parliament.
