The UK’s future data protection framework and laws are likely to significantly differ from the European Union’s General Data Protection Regulation (GDPR). The changes set out in the UK’s Data Protection and Digital Information Bill, published in July 2022, are a mixture of significant legal changes and superficial adjustments. In other places, long established legal concepts have been renamed and redefined so that past and future EU legal and regulatory interpretation can no longer influence the emerging UK data protection regime. These updated definitions and new concepts will allow UK regulators and UK courts to interpret and develop these laws and rules, in ways that are more UK-centric. The UK’s exit from the European Union (Brexit) automatically ended UK residents’ specific right to data protection set out in the EU Charter of Fundamental Rights. The legal fact of Brexit narrowed the scope of data protection in the UK, by default, and detaches it from the EU institutions, courts, systems and mechanisms that have previously operationalised data protection. There are also plans in the UK to narrow the scope of the UK’s Human Right Act 1998. This will further limit UK data protection. The UK is left with the UK Data Protection Act 2018, a truncated UK GDPR and a complex web of other laws to synthesize and interpret. These are all derivative laws, which together are more complex than the EU legal framework yet retain key unifying elements. UK data protection is now less stable. New uncertainties abound and a period of re-learning will begin. It is unclear whether the UK will retain EU data protection adequacy, over time.
The definition of Personal Data has been narrowed. The new definition splits the link between personal data that can identify an individual directly and indirectly. The legal test for identifiability has also been restricted. This means that the scope and reach of UK data protection is more limited for individuals, controllers and processors. While the new definition may appear technical, it will have practical effects on digital data, databases, cloud services, security strategies and risk profiles. The change in the law also automatically creates new pools of non-personal data, which fall outside the scope and reach of UK data protection.
The Purpose Limitation Principle has been expanded with legal tests to judge compatibility with new personal data uses. There are also new rules for assessing that secondary uses are compatible with original purposes. This creates new pathways for personal data re-use and secondary uses.
The Legal Bases for Processing Personal data have been broadened. Legitimate interest has been given a new prominence. A new list of data processing activities that automatically meet the legitimate interest balancing test has been introduced. This includes crime prevention, safeguarding the vulnerable, emergencies and democratic engagement. These new rules will encourage data sharing, especially by the government and the public services. The new rules also limit the scope for objection or refusal.
The Information Commissioner’s Office (ICO), the UK’s Data Protection Regulator, will be abolished in its current form. This reform appears to be an attempt to remove the UK regulator from the orbit, influence and its history as part of the European Data Protection Board (EDPB). The Commission will come under more direct UK government control and supervision. The Commission will be less independent. The Commission will have two distinct additional powers. The first, is to require a controller or processor to prepare a report at their own expense. The second, is an Interview Notice, requiring a person to attend a place to answer questions.
UK International Data Transfers have been removed from the EU GDPR framework. The EU’s restrictive data transfer default position has been replaced by a slightly more permissive UK approach. Data transfers can now proceed via UK Adequacy Regulations, UK Standard Contractual Clauses (SCCs), UK Binding Corporate Rules (BCRs) or UK Derogations for Special Situations. A new Data Protection Test has been introduced to guide the evaluation of UK data protection adequacy and the UK data protection equivalence of third-party countries.
Data Subject Rights have become more complicated and restrictive than in the GDPR. Requests can be refused if Controllers decide that these are vexatious or excessive. This means requests made in bad faith, those intended to cause distress and those which are an abuse of process. Requests must be answered within 30 days, but at any time during this period the controller can extend the response time by a further two months (around 60 days) because of the complexity of the request or the number of requests. The data subject notice rules in GDPR Articles 13 and 14 have been restricted. No notice is required for collecting personal data for further processing (and re-use) for scientific or historical research, archiving in the public interest or statistical purposes, with appropriate safeguards and not if providing that information is impossible or would be a disproportionate effort.
A definition of Direct Marketing will be added to UK law in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426), which is called UK PECR. Direct marketing means “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals.” The scope for using cookies without consent has increased and the definition of strictly necessary cookies has also been widened. New opt-outs have been introduced for unreceived messages and direct marking for democratic engagement. There is a new duty to inform the regulator about unlawful direct marketing. UK PECR penalties have been increased.
A More Limited UK Data Protection Governance System
The Information Commissioners Office will be abolished, and a new organisation called the Information Commission will take its place and replicate most of its existing powers. The Information Commission will be more dependent on the involvement of a UK Government Secretary of State for objectives and direction. The Commission will be expected to do more reporting and outreach. The Commission will have a duty to encourage economic growth and innovation. The Commission will be given new powers to refuse to act on certain complaints such as those that have been made prematurely or are vexatious or excessive.
The legal duty to appoint a Data Protection Officer (DPO) has been removed. The role of Senior Responsible Individual (SRI) has been created for public bodies and those that carry out high risk data processing. There is no legal duty for the SRI to be independent, instead the organisation can direct and give instructions to the SRI about their work. The SRI must be a member of senior management.
The legal duty for foreign-based organisations to appoint UK Data Protection Representatives has been removed. The Information Commissioner and individual data subjects based in the UK will not have a formal legal route to engage with foreign-based companies that offer goods and services and target or monitor UK individuals.
The legal duty to have a Register of Processing Activities (ROPA) has been retained but it has been renamed Records of Processing of Personal Data. The contents of these Records are similar and serve a similar function. The new Register requirement does not apply to data controllers or processors that employ less than 250 individuals unless they carry out data processing that is likely to result in a high risk to the rights and freedoms of individuals.
Data Protection Impact Assessments (DPIAs) have been removed and renamed Assessments of High Risk Processing. The scope of the new Assessment is more limited and the Senior Responsible Individual’s (SRI) direct involvement is not legally required.
The Office of the Commissioner for the Retention and Use of Biometric Material will be abolished, and its powers transferred to the Investigatory Powers Commissioner. The Office of Surveillance Camera Commissioner will also be abolished. The functions of the National DNA Database Strategy Board will be transferred to a new Forensic Information Database Strategy Board.
Changes to UK Privacy and Electronic Regulations (UK PECR)
UK PECR has been amended to allow a range of new exceptions to the historical restrictions placed on cookies and similar technologies storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user. This means that there will be a greater scope to use and deploy cookies, web beacons and similar technologies in the UK. It is unclear how this will work in practice, especially for website services that target the UK, EU/EEA and the rest of the world. However, these legal provisions may lead to novel technical solutions and innovations.
New Ideas to Support Online Identification and Innovation
The proposed law contains new provisions to make Digital Verification Services (DVS) more reliable by initiating a trust framework, a register, an information gateway and a trust mark. UK Government Secretaries of State or the organisations they nominate will have new powers to request access to information secured by DVS. New definitions of business data, customer data, data holders, decision-makers, enforcers have been introduced. The new rules state that the UK Government will have power to regulate these actors and their activities. The new rules also include powers to encourage information technology that enables consent to be given, or to allow automatic objections.
The new law recognises European Union conformity assessment bodies under the EU eIDAS Regulation (trust services) and other overseas trust products and services.
The UK’s Data Protection and Digital Information Bill is a mixed picture. There is an attempt at data protection de-regulation. UK GDPR will be narrower in key areas, including the long-established definition of personal data. Importantly, UK data protection governance structures have been significantly scaled back, notably the new rules governing the Information Commissioner’s Office, Data Protection Officers and UK Data Protection Representatives. However, some of the new rules appear to be market-making for new technologies. Many of the legal changes substantially benefit the UK government, public services data sharing and their service providers. Nine senior Ministers have sponsored and support the new law. The sponsoring Secretaries of State has reserved sweeping and controlling powers to themselves. Companies and organisations will find that UK data protection is much more complex than EU GDPR, for what is a much smaller market. Further, UK data protection law can now change at any time in the future through easy to adopt regulations and direct government interventions.
PrivacySolved has years of expertise in UK, EU and global data protection and work with the key regulators. For advice, support, projects and programmes, contact PrivacySolved:
Telephone: +44 (0) 207 175 9771 (London)
Telephone: +353 1 960 9370 (Dublin)