‘GDPR reform bill’: new proposals announced by UK government

Posted: 14/03/2023

On 8 March 2023, the UK government re-introduced the Data Protection and Digital Information Bill as the Data Protection and Digital Information (No. 2) Bill to Parliament. The bill was first introduced in June 2022 but was then paused for further consultation with business leaders and data experts.

The government press release that accompanied the bill states that the new UK regime will, among other things, ‘introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement – taking the best elements of GDPR and providing businesses with more flexibility about how they comply with the new data laws’, as well as maintain data adequacy with the EU and reduce the amount of paperwork that is needed for compliance.

Although there are some noteworthy changes in this second version of the bill (relating to legitimate interest, record keeping, scientific research and international transfers), overall the changes are relatively limited. The objective of reducing the administrative burden on businesses remains the same.

Key proposals in the new bill include:

A non-exhaustive list of activities that may be in the legitimate interest of a data controller, including direct marketing, intra-group transmission of personal data, and ensuring the security of network and information systems. A data controller will still be required to ensure its interests are not outweighed by the data subject’s rights and interests.
A defined list of ‘recognised legitimate interests’ – if one of these applies, organisations will no longer be required to balance their legitimate interests against the data subject’s rights and interests, provided they can show their processing is necessary. The current list includes processing for the purposes of national security, protecting public security and defence, emergencies, preventing crime, safeguarding vulnerable individuals and democratic engagement. The Secretary of State would be able to add new categories.
Clarification that the exceptions for processing for scientific research cover all activities that can reasonably be described as scientific, whether publicly or privately funded and whether commercial or non-commercial. Research into public health will only be considered scientific research if it is in the public interest.
Replacing the ‘manifestly unfounded or excessive’ test for refusing data subject access requests with a ‘vexatious or excessive’ test (the bill gives examples).
A new definition of personal data so that an individual will only be considered as identifiable if (a) they are identifiable by the controller or processor by reasonable means at the time of processing, or (b) where the controller or processor knows (or ought reasonably to know) that another person is likely to obtain the information about that individual because of the processing, and is likely to be able to identify the individual by reasonable means (which is defined).
A relaxation of the rules on automated decision making, which is based on ordinary personal data, provided there are safeguards, including the right to obtain human intervention and to contest decisions. Where an automated decision is based on special category data, the rules are stricter and one of the following must generally apply: (a) consent; or (b) the decision must be necessary for a contract or required by law and fulfil the substantial public interest condition.
A risk-based approach to the international transfer of personal data (eg using the ICO’s International Data Transfer Agreement or Addendum as a transfer tool). Data transfer mechanisms lawfully entered into before the reforms take effect will continue to be valid under the new regime.
Removing the requirement for controllers and processors not established in the UK to appoint a UK representative, and replacing the requirement to appoint a data protection officer with a requirement for public bodies and organisations undertaking high risk data processing to appoint a ‘Senior Responsible Individual’ for data protection compliance. This individual must be a member of the organisation’s senior management team, rather than independent from it, as required currently.
Limiting the requirement to keep records of processing of personal data – this will apply only where the processing is likely to result in a high risk to the rights and freedoms of individuals, taking into account the nature, scope, context, and purposes of the processing. This will apply to all organisations, not just those with 250 or more employees, as is currently the case.
Replacing the requirement to conduct data protection impact assessments (DPIAs) with a requirement to assess high-risk processing, focusing on how the organisation operates and the type of data it processes.
Expanding the categories of cookies that do not need consent to cookies which collect information: for statistical purposes to make service or website improvements; to adapt the appearance or function of the website to the user’s preferences; to install software updates necessary for security; and to identify the user’s geographical position in an emergency. In each case (except locating a user in an emergency), clear and comprehensive information must be given about the purpose of the cookie and a simple way to opt out must be provided.
Increased fines under the Privacy and Electronic Communications Regulations (PECR) for breaching its rules on marketing calls, emails, and texts, to bring this in line with the maximum fine under the UK GDPR and Data Protection Act 2018 of 4% of global turnover or £17.5 million (whichever is higher).
A new framework for the use of digital verification services, and a new framework of objectives and duties for the ICO, including reporting obligations to government and oversight by the Secretary of State.