Tinker, Tailor, or Wholesale Reform? The UK’s Data Protection and Digital Information (No.2) Bill

Jenner & Block

On 8 March 2023 the UK Government released a new version of the Data Protection and Digital Information Bill (the Bill), which is intended to make a series of changes to the UK’s data protection framework found in the UK GDPR, the Data Protection Act 2018 (DPA ‘18) and the Privacy and Electronic Communications Regulations.

If enacted, what will be its effect? Is this proposed tailoring of the existing framework significant, or just tinkering around the edges?

Introduction

The previous version of the Bill was introduced in July 2022 but has now been withdrawn. The Bill’s new iteration makes a number of clarifications and carve-outs, seeking to simplify the UK’s data protection regime now that the GDPR has been in force for some five years. The Bill makes a series of changes (either to the existing framework or the Bill’s prior iteration), including in relation to accountability, legitimate interests, and international transfers.

Accountability

One change from the status quo in the Bill is in respect of organisations’ accountability. When it comes to record keeping, previously only small organisations that did not carry out high risk processing, for example processing high volumes of health data, were exempt from maintaining records of that activity. Under the Bill, any controller or processor that does not undertake high risk processing would now be exempt from keeping records of processing.

Whilst this may come across as a significant change, organisations will still need to evidence accountability; controllers will need to show evidence of processes and procedures for handling data in accordance with data protection principles. Large and international corporations may also adopt standard procedures across jurisdictions, meaning in practice the apparent “watering down” may not be taken up.

Legitimate Interest

The Bill’s previous iteration proposed that organisations would not be required to carry out a balancing exercise to rely on legitimate interests where those interests were “recognised”. The Bill continues with this general approach but now provides examples that track the UK GDPR’s recitals, including with respect to intra-group transmission of personal data where necessary for administration, crime prevention, and direct marketing.

This might be viewed as a slight expansion of the ambit of legitimate interest as a basis for processing. Controllers will still need to carry out impact assessments, but the likelihood that legitimate interest will be an appropriate basis appears to have increased slightly.

Scientific Research

In the Bill, organisations carrying out research will be treated as falling under the banner of “scientific research” (thereby making the data more freely available for transfer and use by others) where the processing involved could “reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”. Whilst it remains to be seen how this will operate in practice, this apparent loosening of controls will no doubt be welcomed by commercial research firms and others to whom this definition may apply.

International Transfers

The Bill does not seek to tinker with the UK’s international transfers regime. The Bill’s previous iteration introduced a new test for assessing adequacy, being whether the destination jurisdiction offered “materially lower” protections than that available under the UK GDPR (in which case the transferee jurisdiction would not have adequacy and the proposed transfer would be unlawful). The Bill makes clear that mechanisms lawfully entered before the Bill would continue to be valid. Companies that have spent time and energy implementing valid transfer mechanisms will no doubt welcome the apparent consistency here.

Adequacy

One might think some of the Bill’s changes (not all of which are included in this article) may risk the UK’s EU adequacy status. The UK Government has since acknowledged that any changes to the UK’s regime cannot risk its adequacy status. That said, the UK’s adequacy status is not a matter for the UK Government. How the EU considers some of the proposed changes, including those regarding record keeping discussed above, remains to be seen.

Effect

There are real changes in this Bill that practitioners and industry participants will need to consider. That said, the Bill is not the GDPR-replacement some popular commentators might have you believe, slashing regulation and creating a new ‘Singapore-on-Thames’ for data. The UK is not diverging wholesale from EU rules and norms, specifically not – we have been assured – in a way that would jeopardise its “adequacy” status.

What is more, in an attempt to simplify – to “cut red tape” – in the Bill the UK Government has created another document to consult; the GDPR and the DPA ’18 are not going anywhere.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jenner & Block | Attorney Advertising
