LEGAL, REGULATORY & COMPLIANCE CONSULTANTS

Handley Gill Limited


New and improved?

The Data Protection and Digital Information (No.2) Bill fails to live up to the government’s promises of a radical overhaul of the ‘regulatory minefield’ of the UK’s data protection regime to deliver a ‘truly bespoke British system of data protection’. It also fails to fulfil the government’s stated intention that it would not “reduce the requirement for data protection”. We are not persuaded that the Bill will make data protection compliance “more straightforward” for most organisations, but consider that it is drafted in a manner intended to ease the burden on participants in the ad tech ecosystem (including big tech), who will be free to suck up even more personal data of British citizens. The Bill is a missed opportunity to capitalise on the opportunities and freedoms afforded by Brexit for the benefit of British businesses while maintaining protections for British citizens.
— Handley Gill Limited

Reform of the UK’s data protection law was first put forward in the DCMS’ ‘Data: A New Direction’ consultation, which was published in September 2021. The Minister for Brexit Opportunities, Jacob Rees-Mogg, then confirmed that the Government would pursue data protection reform through the introduction of a data reform bill, which was then formally announced in the Queen’s Speech. The Government subsequently issued its response to the ‘Data: A New Direction’ consultation, indicating which proposals it intended to incorporate into the Bill and clarifying that it did not intend to seek to consolidate the data protection legislation but would instead amend existing provisions. We have previously published a post on the Government’s response.

On 18 July 2022, the then Secretary of State for Digital, Culture, Media and Sport, Nadine Dorries, introduced the Data Protection and Digital Information Bill (Bill 0143 2022-23) in the House of Commons. The Bill was said to represent the government’s attempt to capitalise on post-Brexit freedoms to depart from the “box-ticking” and “burdens” imposed by the EU GDPR, and was intended to support economic growth.

Having had its First Reading in the House of Commons on 18 July 2022, however, the Bill fell victim to the whims of the candidates in the Conservative Party’s leadership campaign. Candidate Rishi Sunak wrote in The Telegraph that one of his top priorities would be to “remove the burdens of GDPR, creating in its place the most dynamic data protection regime in the world”. Following the election of Liz Truss as Conservative Party leader and pending her appointment as Prime Minister on 06 September 2022, the Second Reading of the Bill, which had been due to take place on 05 September 2022, was postponed to allow “ministers to further consider this legislation”.

Galvanised by British businesses apparently being “shackled by unnecessary red tape”, Michelle Donelan MP, at the time the Secretary of State for Digital, Culture, Media and Sport and now the Secretary of State at the Department for Science, Innovation and Technology, promised at the Conservative Party conference on 03 October 2022 that the government would re-think the Data Protection and Digital Information Bill (Bill 143 2022-23) and instead offer “simplification” of the existing data protection regime, comprised of the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations and certain other sector-specific legislation, through a “business and consumer-friendly, British data protection system”.

Liz Truss’ short-lived tenure as Prime Minister, which concluded on 25 October 2022, didn’t put a stop to these ambitions, as she was replaced by Sunak, who had already set out his position on reform. Upon his creation of the Department for Science, Innovation and Technology, responsibility for the Bill was transferred from the Department for Culture, Media and Sport.

At Handley Gill, we dared to dream that reform would bring a consolidated piece of data protection legislation, taking a risk-based approach to compliance, establishing clear standards and an effective yet proportionate approach to the protection of the personal data of individuals in the UK while rejecting some of the more extreme interpretations of the GDPR that have been adopted by certain EU supervisory authorities. Alas, the Data Protection and Digital Information (No.2) Bill (Bill 265 2022-23) fails to deliver on the government’s promises, including that the Bill would maintain “the requirement for data protection”, or on its potential. Having taken advice from a panel chaired by the IAB (the digital advertising industry body), however, the government has in the new Bill introduced further amendments to the existing legislative framework to reduce the compliance requirements on the ad tech industry.

The Information Commissioner welcomed the new Bill, stating that he supported “its ambition to enable organisations to grow and innovate whilst maintaining high standards of data protection rights”.

What impact will the Data Protection and Digital Information Bill (No.2) (DPDI2 Bill) have on the UK’s data protection regime?

  • In relation to the regulation of the processing of personal data:

    • The name of the regulator will change from the Information Commissioner to the Information Commission, which will be a body of between 3 and 14 individual executive and non-executive members, with non-executive members outnumbering executive members.

    • The Chair of the Information Commission will be appointed by the King on the recommendation of the Secretary of State following fair and open competition for a period of up to seven years.

    • Non-executive members of the Information Commission will be appointed by the Secretary of State, who must be satisfied that they do not have any conflict of interest, for a period of up to seven years and the Chief Executive will be appointed by the non-executive members of the Commission following consultation with the Secretary of State.

    • The Information Commission may establish Committees, to which it may delegate its functions.

    • The Commission must prepare accounts and submit them to the Secretary of State and the Comptroller and Auditor General.

    • The emphasis of the Information Commission’s focus is altered from a requirement to “have regard to the importance of securing an appropriate level of protection for personal data” to having as its objective securing “an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest”, but with the added requirement to have regard to factors including “the desirability of promoting innovation”.

    • A statutory right (and obligation) to make a complaint to a data controller prior to complaining to the Information Commission is introduced.

    • The right of data subjects to complain to the Information Commission is removed, and the Information Commission is to be entitled to decline to act upon any complaint if it has not been the subject of a concluded complaint to a data controller or is otherwise vexatious or excessive, and must publish guidance as to how it will exercise its discretion in this regard.

    • The obligation on the Information Commission to produce and publish an annual report is subject to specific requirements.

    • In addition, the Information Commission is required to publish at least annually a statement of its performance as against key performance indicators (KPIs).

    • The Information Commission is also required to publish an annual report on the regulatory action it has taken.

    • The entitlement of the Information Commission to issue standard data protection clauses for the purposes of international data transfers is subject to the reduced threshold that the protection for personal data is “not materially lower”.

    • The Information Commission is required to prepare, publish and review its strategy for carrying out its functions.

    • The Information Commission is required to consult with other appropriate regulators as to its functions.

    • The Secretary of State is granted the power to issue a statement of strategic priorities for the Information Commission, to which the Commission must have regard when carrying out its functions and publish a statement setting out how it will do so.

    • The Secretary of State is granted the power to make regulations requiring the Information Commission to prepare codes of practice.

    • The Information Commission is required to publish draft codes of practice, together with impact assessments in respect of them, and to establish a panel to consider and report upon any codes of practice it prepares.

    • The Secretary of State is granted the power to approve the Information Commission’s codes of practice, and to direct revisions, before laying them before Parliament.

    • The Information Commission is granted the right to refuse vexatious or excessive data subject rights requests.

    • The powers of the Information Commission in relation to assessment notices are expanded to allow it to require the relevant controller or processor to submit to an approved person preparing a report, who may be nominated by the controller or processor and whose fees must be met by the controller or processor, whether or not the Information Commission accepts the controller or processor’s nomination or appoints its own approved person.

    • The powers of the Information Commission are expanded to introduce a right to require an individual on behalf of a data controller or processor to attend for interview and answer questions.

    • The Information Commission is required to produce a wider range of guidance in relation to its enforcement powers to address the appointment of an approved person to prepare a report and the issue of interview notices.

    • The matters in respect of which the Information Commission may impose a fine are expanded to include circumstances where there has been a failure to comply with the obligations in relation to complaints by data subjects.

    • The matters in respect of which an appeal against the conduct of the Information Commission may be brought are expanded to encapsulate the issue of an interview notice.

    • A right of appeal is introduced to the First-Tier Tribunal (Information Rights) in respect of the Information Commission’s refusal to consider a complaint.

    • The current six month deadline for the Information Commission to impose a penalty notice following the issue of its notice of intent is removed.

    • The Information Commission must publish guidance for public electronic communications service providers and public electronic communications network providers on what constitute reasonable grounds to suspect a contravention of the direct marketing regulations.

    • The Information Commission’s enforcement powers, including to issue information notices, assessment notices, interview notices, powers of entry and inspection, etc., are extended to the enforcement of the Privacy and Electronic Communications Regulations, with certain modifications.

    • The maximum amount of any monetary penalty notice issued by the Information Commission in respect of a breach of the Privacy and Electronic Communications Regulations is increased to align with the wider data protection regime.

  • In relation to processing which is subject to the UK GDPR:

    • The definition of what constitutes personal data is narrowed in a manner that differs from international norms, to introduce a subjective test meaning that what constitutes personal data will differ as between individual controllers or processors and require assessment.

    • The requirement for certain organisations to appoint a Data Protection Officer (DPO) is removed and instead a Senior Responsible Individual (SRI) is required to be designated who, while retaining responsibility for the performance of certain tasks, is not required to have the same knowledge, skills or experience as a DPO.

    • The requirements for consent for processing for the purposes of scientific research, which is defined broadly to include “processing for the purposes of technological development”, are reduced.

    • The regulatory burden of conducting a legitimate interests assessment (LIA) is obviated in respect of certain “recognised legitimate interests” which are legislated for and can be amended by the Secretary of State by the affirmative resolution procedure.

    • The processing of personal data for direct marketing, cyber security and/or sharing of personal data between entities in a group is deemed to constitute a legitimate interest of a data controller.

    • An exemption to the obligation to comply with data subject rights requests where the request is “vexatious or excessive” is introduced, making it easier for data controllers to reject requests, with such circumstances being specified to include where the request overlaps with another request which would encapsulate personal data (which could include a pre-action disclosure or disclosure request in the context of litigation, for example).

    • The restrictions on automated decision-making where the processing is not based on special categories of personal data are eased, and the Secretary of State is permitted to make regulations in relation to what constitutes meaningful human involvement and an effect which is similarly significant to a legal effect.

    • The requirement that technical and organisational measures be deployed to protect personal data is removed, instead recognising that these are merely one of a number of mechanisms that may protect personal data.

    • The obligation on certain controllers and processors based outside of the UK but which are subject to the UK GDPR to designate a representative within the UK is removed.

    • The obligation on all but the smallest organisations, and those with the most routine data processing activities, to maintain a record of processing activities is removed (instead only requiring those engaged in high risk processing to comply), while retaining the obligation to be able to demonstrate accountability for compliance.

    • The specific statutory circumstances in which a Data Protection Impact Assessment (DPIA) is deemed to be necessary are removed (while maintaining a requirement that the Information Commission publish guidance containing examples of such circumstances), as well as the requirements that data subjects be consulted and that a DPIA be reviewed to ensure that processing is being conducted in compliance with the DPIA.

    • The obligation for data controllers to consult the Information Commissioner where processing will result in a high risk to data subjects is removed.

    • The threshold for the Secretary of State to make regulations approving transfers of personal data to countries outside the UK or to international organisations is reduced to a level where the protection for personal data is “not materially lower”, which may be determined having regard to “the desirability of facilitating transfers of personal data”.

    • The threshold for data controllers and processors to transfer personal data to a third country in the absence of regulations is reduced by enabling them to transfer data where they consider that the protection for personal data is “not materially lower”.

    • The Secretary of State is granted the power to ban transfers of personal data to a third country, even where the requirements for transfers would otherwise be met, where considered “necessary for important reasons of public interest”.

    • A new offence is created of knowingly or recklessly making a false statement in response to an interview notice.

    • A new right for data subjects to complain to data controllers is introduced, which must be acknowledged within 30 days and responded to without undue delay.

    • The Secretary of State is entitled to make regulations requiring data controllers to notify the Information Commission of the number of data subject complaints received.

    • A clarification is introduced that processing of personal data pursuant to an enactment does not itself override the obligation to comply with the UK GDPR and related data protection legislation unless explicitly stated to do so.

  • In relation to processing for law enforcement purposes by competent authorities under Part 3 of the Data Protection Act 2018:

    • The definition of consent is imported into Part 3 of the Bill, which regulates the processing of personal data for law enforcement purposes, bringing this into line with the wider regime (cl.4 DPDI (No.2) Bill).

    • The obligation to appoint a Data Protection Officer (DPO) is removed and replaced with the requirement to designate a Senior Responsible Individual (SRI) who, while retaining responsibility for the performance of certain tasks, is not required to have the same knowledge, skills or experience as a DPO.

    • The right to make a complaint to the data controller is introduced.

    • An exemption to the duties upon data controllers and to the obligation to respond to a data subject access request is introduced in respect of privileged information.

    • The safeguards for data subjects in respect of automated decision-making are reduced and the right not to be subject to automated processing which produces legal or similarly significant effects is removed.

    • The concept of a data protection impact assessment (DPIA) is replaced with that of an Assessment of High Risk Processing (AHRI).

    • The obligation to consult the Information Commission prior to conducting processing activities which would result in a high risk to data subjects is removed.

    • Adherence to a code of conduct is introduced as a concept to demonstrate that a processor offers sufficient guarantees to secure compliant processing.

    • An obligation on the Information Commission to encourage public bodies to produce codes of conduct under Part 3 of the Data Protection Act 2018 is introduced.

    • The obligation to maintain records of processing is maintained but the specific requirements are less burdensome.

    • Controllers are entitled to decline to act on a data subject rights request where the request is vexatious or excessive, reducing the threshold for the rejection of requests.

    • The reduced threshold for the making of regulations by the Secretary of State for the transfer of personal data to a third country or international organisation is replicated.

    • The reduced threshold for data controllers and processors to transfer personal data to a third country in the absence of regulations, by enabling them to transfer data where they consider that the protection for personal data is “not materially lower”, is replicated.

    • The need to protect the public and/or national security of the UK, and not merely that of a third country, is introduced as a justification for transferring personal data as being necessary for a “special purpose”.

    • An exemption from the obligation not to further transfer personal data transferred from the UK is introduced where it is necessary to prevent an immediate and serious threat and authorisation could not be obtained in good time.

    • An exemption from the obligation not to further transfer personal data obtained by the UK from an overseas authoriser without its permission is introduced where necessary to prevent an immediate and serious threat to national security, public security or essential interests of the UK or another country.

    • An exemption from the obligation to comply with various provisions is introduced where necessary for reasons of national security.

  • In relation to intelligence services processing under Part 4 of the Data Protection Act 2018:

    • The application of these provisions is extended to apply not only to the intelligence services but also, where designated by the Secretary of State to safeguard national security, by other competent authorities where they act jointly with an intelligence service as a data controller, and provision is made for the making and oversight of designation notices.

    • The provisions in relation to the right to refuse vexatious or excessive data subject rights requests are imported into Part 4.

    • The threshold for processing to be deemed entirely automated is specified as being the absence of the ability for a human to accept, reject or influence the decision.

  • In relation to the Privacy and Electronic Communications Regulations (PECR):

    • The Information Commission’s powers to conduct audits are removed.

    • The Secretary of State is granted the right to amend by regulations the amount of the fixed penalty notice issued by the Information Commission against public electronic communications service providers for failure to comply with notification obligations, which is currently set at £1,000.

    • A right is granted to the storage of and accessing of information stored on a user’s terminal equipment, such as cookies, where the sole purpose of doing so is for certain statistical purposes and certain conditions are met, effectively removing the requirement to obtain consent in respect of certain analytics cookies.

    • A right is granted to the storage of and accessing of information stored on a user’s terminal equipment, such as cookies, where the sole purpose is the functionality of the service or to reflect the user’s preference and certain conditions are met, effectively removing the obligation to obtain consent for this type of non-necessary cookie.

    • A right is granted to the storage of and accessing of information stored on a user’s terminal equipment, such as cookies, where the sole purpose is to deliver security updates, privacy settings are unaffected and certain conditions are met.

    • A right is granted to the storage of and accessing of information stored on a user’s terminal equipment, such as cookies, where the sole purpose is to geolocate the user in response to the user’s request for emergency assistance.

    • Provision is made such that it will not be necessary to revisit the authorisation to store or access information on a user’s terminal equipment provided the requirements for compliance were met on the first occasion.

    • The Secretary of State is granted the power to make regulations granting further exceptions to the requirement to obtain consent to the storage of and accessing of information stored on a user’s terminal equipment.

    • The application of the so-called ‘soft opt-in’, which permits direct marketing communications to be directed toward individuals who have purchased or engaged in negotiations in relation to products or services, is extended to entities for the purposes of furthering political, charitable or other non-commercial objectives.

    • An obligation on public electronic communications service providers and public electronic communications network providers to notify the Information Commission within 28 days of any reasonable grounds for suspecting that a person is contravening or has contravened any of the direct marketing regulations in the use of the service is introduced, with failure to comply subject to the imposition of a fine of up to £1,000 (subject to regulations made by the Secretary of State).

What amendments should be made to the Data Protection and Digital Information Bill (No.2) (DPDI2 Bill)?

  • The Bill should aim to consolidate the legislation comprising the UK’s data protection regime, which would simplify both understanding of and compliance with it.

  • The Bill and its provisions should align with, as a minimum, existing international standards, such as the Organisation for Economic Co-operation and Development (OECD) Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (C(80)58/FINAL) (as amended by C(2013)79) and the Council of Europe ‘Convention for the protection of individuals with regard to automatic processing of personal data’ (CETS No. 108).

  • A narrower definition of what constitutes scientific research should be introduced, to avoid, for example, reduced protections for the processing of personal data in the context of the development of artificial intelligence (AI) tools.

  • The requirement to consult with data subjects or their representatives where appropriate in connection with high-risk processing should, instead of being removed, be substituted with a requirement to engage a ‘data steward’, an independent third party with appropriate knowledge, skills and experience, to represent the interests of data subjects and make recommendations.

  • The Information Commission should be required to produce guidance on the specific data protection and related legislation and practices of individual third countries to inform the assessments to be made by controllers and processors prior to conducting international data transfers.

  • The circumstances in which “important reasons of public interest” may exist enabling the Secretary of State to ban transfers of personal data to a third country or international organisation should be clarified.

  • The ability to prosecute data protection offences should not be limited to the Information Commissioner or to prosecutions brought with the consent of the Director of Public Prosecutions.

  • A requirement for the Secretary of State to conduct public consultations before making regulations under the legislation should be introduced.

  • The recognised legitimate interest for providing personal data in response to a request, and for processing to be treated as being compatible with the original purpose for processing, should only apply where the requester not only states but demonstrates their need for it and compliance with any other conditions.

  • In relation to the recognised legitimate interest of processing personal data for the purposes of democratic engagement in relation to data subjects aged 14 and over, the age threshold should be reduced to 13 years since, although the age of 14 aligns with the age for attainers in Scotland, many democratic engagement activities, such as those set out in ‘Democratic Engagement: Respecting, Protecting and Promoting Our Democracy’, including the Youth Democracy Ambassadors scheme, are aimed at individuals aged 13 and above.

  • An obligation on the Information Commission should be introduced to produce guidance to support controllers and processors in determining whether an individual is likely to be identifiable by third parties, with particular reference to commonly used third party services such as those offered by companies including Google.

  • The reference to the processing of “sensitive personal data” introduced by clause 11(3) of the Bill to section 50B of the Data Protection Act 2018 should be amended as there is no concept of “sensitive personal data” under Part 3 of the Act.

  • The obligation under Part 3 of the Data Protection Act 2018 that requires controllers processing personal data for the law enforcement purposes to monitor and report infringements of the Act should be extended to all data controllers, who should also be required to maintain records of infringements of the data protection legislation, similarly to how they would be required to record data breaches.

  • The maximum fees on an hourly rate basis for any approved person appointed by the Information Commission should be the subject of regulations.

  • A time period for controllers to provide a substantive response to data subject complaints should be established.

  • The exercise of the Information Commission’s enforcement powers in cases where the special purposes exemption is, or might reasonably be considered to be capable of being, engaged should be the subject of prior judicial authorisation.

  • A right of appeal by data subjects against decisions of the Information Commissioner that there has been no breach of the data protection legislation should be introduced.