2022 was quite the rollercoaster year, politically. So it’s no wonder that the UK Data Protection And Digital Information (DPDI) Bill remains on the agenda in 2023. The Bill was first introduced in the House of Commons on July 18th 2022 and was expected to be passed swiftly. However, during the turbulence of October and several changes of leadership, it was decided that ministers needed more time to review and edit the proposed legislation. Now, though, it seems the government is keen to get the Bill over the line as part of its mission to cut red tape and fuel business opportunities in post-Brexit Britain.
What Is The UK Data Protection And Digital Information Bill?
The UK’s first data protection law was created in 1984 when very few people even had a home computer and phones were the size of bricks. Fortunately, in 1995 the European Union passed a directive to regulate the processing of personal data and the UK incorporated that into our Data Protection Act under which businesses operated until General Data Protection Regulation (GDPR) took over in 2018.
In 2018, businesses struggled to get to grips with GDPR. Apart from data protection being a difficult area to navigate, having voted to leave the European Union, British businesses were unsure of how long they would operate under EU GDPR. On 31st December 2020, when the UK officially left the European Union, EU GDPR ceased to apply to UK-based businesses. However, operating under the former Data Protection Act has not been ideal, not least because it was created almost three decades ago, meaning many of the data issues and risks we face today are not incorporated into the legislation. Hence UK businesses have been awaiting the introduction of the UK Data Protection And Digital Information Bill (DPDI).
Due to a cabinet and departmental reshuffle in UK politics in early February, the Bill has become the focus of attention once again. The recent creation of a new governmental Department for Science, Innovation and Technology means that the digital and data policy will now be the responsibility of this department and no longer falls under the Media, Culture and Sports Department. With the UK government very keen to drive innovation and open up opportunities for UK businesses to play a leading role in the digital revolution, it is believed that the DPDI Bill will be a priority for early 2023. Despite political enthusiasm and claims of economic benefit, many are concerned that relaxing regulation in a bid to grow the economy may leave the UK public’s privacy rights weakened.
What Will New UK Data Protection Laws Include?
It is necessary to incorporate the EU’s General Data Protection Regulation into domestic law so that UK businesses have a framework from which to operate and are clear on what data they are allowed, and not allowed, to collect. The legislation should also direct how data can be gathered, stored and handled and whether it may be transferred or shared.
The government intends to simplify digital and data protection law whilst safeguarding robust protection standards.
Changes To Definitions
Identifiable living individual
Personal data is information relating to any living individual that enables identification. As such, the definition of ‘identifiable living individual’ is crucial to any data protection act. The new UK DPDI Bill seeks to revise what information (personal data) makes a person identifiable. New requirements include that the individual must be identifiable by the controller or processor at the time of processing. It also defines an individual as identifiable if the processor or controller knows, or should know, that another person or organisation would be able, and likely, to identify the individual as a result of the processing.
International data protection requirements
The EU uses the adequacy test (more on this further down) to establish whether it can share data with other countries, and the UK has also done so. The adequacy test demands that the country wishing to exchange data must have at least equivalent standards in its own data protection act, meeting or superseding those of GDPR. The new legislation proposes moving to a new data protection test which would only require other countries to have data protection standards that are ‘not materially lower.’
The definition of scientific research is also amended by the Bill to include ‘any research that can reasonably be described as scientific.' Furthermore, it adds a clause that consent for a person’s data being processed must also be ethical.
The Bill seeks to extend when Automated Decision-Making (ADM) can be used. Automated decision-making is defined as that which does not require the intervention of a human being in the decision-making process. The aim of extending this use is to allow for AI and digital growth. However, this change naturally comes with the caveat that automated decision-making may not be used for legal matters or for decisions that have a meaningful effect on the data subject.
Cookie Consent And Tracking Technologies
To reduce the burden on UK businesses, the new Bill relaxes consent requirements on cookies and tracking technologies. Currently, under GDPR, a website must ask every first-time visitor to give consent for cookies to be dropped. Whilst some businesses may use advanced tracking technologies to gather personal data, many use cookies only to generate basic statistics relating to their website visitors. The DPDI would no longer require such businesses to obtain consent for tracking that is used only to produce statistics and improve services. So, yes, it’s likely that many businesses based in the UK will be able to remove the cookie consent pop-up if this Bill is passed.
Increased Fines For Direct Marketing
The DPDI redefines direct marketing as the communication of advertising or marketing materials directed to particular individuals. Regulation of direct marketing falls under The Privacy and Electronic Communications Regulations (PECR) and will remain so. However, the DPDI Bill requests fines issued for breaches of PECR regulations on nuisance calls and texts be increased to up to 4% of global turnover, in line with GDPR levels.
Data Protection Officer Changes
GDPR states that certain organisations need to appoint a Data Protection Officer (DPO) who is responsible for ensuring compliance in handling the personal data of both its staff and its customers. This individual is required to possess expert knowledge of data protection law and practices. However, the need for a Data Protection Officer only applies to companies for whom:
Processing of personal data is done by a public body or authority
Processing of personal data, or specific ‘special’ data categories, is the core activity of an organisation that regularly observes its data subjects on a large scale
Under the proposed new UK DPDI Bill, such organisations would no longer need to appoint a Data Protection Officer but instead must appoint a senior responsible person within the organisation’s senior management team.
Will The DPDI Bill Make Data Protection Compliance Simpler For UK Businesses?
Until the final Bill is clarified and passed, it is difficult to tell whether the proposed legislation will make it easier for UK businesses to comply with data protection or whether the new policy strikes the correct balance.
On this note, a significant part of the Bill proposes changes to the Information Commissioner’s Office (ICO), including changing the name of the body to the Information Commission. Operating as a regulator, like Ofcom, the focus of the commission would be continuing to protect the public’s right to privacy and data protection whilst ensuring businesses are enabled to thrive. The new Bill instructs that the IC operate in a way which gives regard to economic growth, specifically promoting innovation and competition for UK businesses, as well as ensuring data protection compliance.
The proposed changes to the ICO appear to be welcomed, even by the commission itself, though it remains to be seen how the interests of businesses can be balanced with consumers’ desire to keep their data private, given that personal data has become such a desirable commodity in the digital age.
The DPDI Bill, if passed, may result in fewer demands for consent over the collection of very basic data and fewer obstructive pop-ups for the British public when online. This, in turn, would reduce demands on businesses, especially smaller businesses. Less stringent rules over data handling may provide a boost to the UK economy. A significant concern, though, is that many businesses may find they’re required to be compliant with both the domestic DPDI and EU GDPR, which could be time-consuming, complicated and costly, in which case any benefits would be outweighed. There is also the matter of the adequacy decision.
Since many businesses will still be accessing and transferring data from the EU, they may find themselves having to comply with both UK policy and EU policy. Currently, the UK benefits from an adequacy decision. This means that our current data protection laws have been found to be in accordance with EU GDPR, since they provide an equivalent level of data protection. Some politicians, journalists and organisations believe that the new Bill, which claims to lower ‘red tape’ and ‘overcautious rules’, will fail to meet the standards that would see us retain the adequacy decision. Being without it would likely result in far bigger costs for UK businesses working with EU territories, as well as disruption to digital trade and investment.
Keeping Up With Data Protection And Digital Information Policy
Data protection has been on the agenda for a while now, for many reasons. Many experts are confident that new legislation will pass this year (2023), and now that responsibility for the Bill has moved to a new government department, the belief is that this will advance, rather than hinder, its progress.
Get in touch if you require a trusted commercial lawyer to assist you with this.