The UK government recently introduced a new Data Protection and Digital Information (No. 2) Bill (the “New Bill”). The reforms are intended to update and simplify the UK’s data protection framework and reduce burdens on organisations, while maintaining high data protection standards.
The New Bill replaces the original Data Protection and Digital Information Bill introduced in July 2022 (the “Previous Bill”), which we discussed in detail in our previous blog post. Much of the original drafting remains the same in the New Bill. However, there are some key changes to the proposals, outlined below.
Record Keeping
The New Bill proposes significant changes to record-keeping requirements. The Previous Bill required all businesses, except for small organisations that do not carry out high-risk processing, to maintain records of processing activities. The New Bill relaxes the requirements further. Controllers and processors will share record-keeping duties and will only need to keep records of processing where their personal data processing activities are likely to result in a high risk to the rights and freedoms of individuals, regardless of the size of their business. Whether processing is likely to be considered high risk will depend on the nature, scope, context and purposes of the processing. The Information Commissioner will also be required to publish guidance providing examples of high-risk processing to add clarity for businesses.
Legitimate Interests
The New Bill maintains the general position under the Previous Bill of “recognised” legitimate interests that will automatically be considered acceptable without a balancing test, covering limited areas such as national security, emergencies and crime prevention security. The New Bill goes further and introduces in its operative provisions a non-exhaustive list of examples of processing which might be considered necessary for the purposes of conducting a legitimate interests assessment, including direct marketing, intra-group transmission of personal data where necessary for internal administrative purposes, and ensuring the security of network and information systems.
These examples are not part of the list of “recognised” legitimate interests and data controllers will still be required to carry out a balancing test to ensure their interests are not outweighed by the data subject’s rights and interests. This potentially results in greater confusion where businesses are seeking to rely on legitimate interests as a lawful basis for their processing. It creates, in effect, a three-tiered structure of: 1., “recognised” legitimate interests (requiring no balancing test), 2., the necessary examples listed in the New Bill (requiring a balancing test), and 3., any other potentially necessary activities considered by businesses to be legitimate commercial activities (also requiring a balancing test).
Automated Decision Making and AI
Under the Previous Bill, restrictions on the use of automated decision making were only to apply to decisions that are a result of automated processing without “meaningful human involvement.” The New Bill expands on this by expressly stating that the extent to which the decision is reached by means of profiling must be taken into account.
International Data Transfers
The Previous Bill proposed a new approach to assessing international data transfers and assessing the adequacy of the third country and conducting transfer impact assessments. The threshold would be met provided data protection standards in a given third country were not “materially lower” than in the UK. The New Bill confirms that data transfer mechanisms lawfully entered into under the current UK GDPR, before the bill takes effect will continue to be valid.
Scientific Research Purposes
The New Bill contains an updated, broader definition of “scientific research purposes,” relevant for the existing exceptions that apply when processing for such purposes. The definition includes (as it did under the Previous Bill) research “that can reasonably be described as scientific”, whilst adding that such research may be carried out for the purposes of commercial or non-commercial activity (whether publicly or privately funded). This explicit inclusion of commercial activity is likely a welcome development in the New Bill for businesses looking to rely on this exception. The New Bill also includes a non-exhaustive, illustrative list of types of scientific research, and clarifies that research into public health is only considered scientific research if it is in the public interest.
Cookies, Online Tracking and Marketing
Some of the more significant divergences from the EU in the Previous Bill related to use of cookies and other online tracking. One such proposed change was the expansion of the marketing opt-out under the Privacy and Electronic Communications Regulations (“PECR”) to include non-commercial organisations for charitable, political or other non-commercial objectives. The New Bill, however, expands the obligations on providers of electronic communications networks such that they would be required to notify the Information Commissioner’s Office (“ICO”) (or as it will be called, the Information Commission) of suspected contravention of direct marketing rules, with the risk of fines for non-compliance. This is likely to result in increased enforcement of these rules and will sit alongside an increase in the level of fines for PECR breach to GDPR-levels, which had already been set out in the Previous Bill.
Comment and Next Steps
Overall, the New Bill makes relatively few substantive changes to the Previous Bill. Amendments to simplify record keeping, to expand the scope of using personal data for scientific research, and to clarify the position on several other key areas such as international transfers, are welcome.
The New Bill is now awaiting its second reading in UK parliament, which is expected to be scheduled in the coming weeks.
