Following the UK Government’s publication of their response to the consultation on ‘Data: a New Direction’, The Data Protection and Digital Information Bill was introduced to the UK Parliament this summer. The UK Government herald the Bill as a means to harness post-Brexit freedoms to create an independent data protection framework. Whilst not an exhaustive commentary on the proposed reforms, we discuss some of the key changes.
Definition of personal data
One of the most notable changes proposed under the Bill is to the definition of personal data. Whilst the core definition remains broadly unchanged under the proposals (i.e. personal data is “information relating to living individuals”), the Bill narrows the circumstances in which a living individual will be treated as identifiable, whether directly or indirectly, by a controller or processor.
Under the proposals, there will essentially be a two-stage test as to whether data relates to an identifiable individual:
- firstly, is the controller or processor (or another party) able to identify the individual by reasonable means at the time of the processing; or
- secondly, does the controller or processor know, or ought it reasonably to know, that another person will, or is likely to, obtain the information as a result of the processing, and that the living individual will be identifiable by that person by reasonable means at the time of the processing.
The proposals seek to clarify that identifiability is assessed from the perspective of the controller or processor (and any person likely to obtain the data from them), rather than against the world at large.
Lawful basis for processing
Legitimate interests is one of the conditions most commonly relied upon by organisations to justify their data processing. The Bill sets out a list of recognised legitimate interests for which processing will be treated as lawful, to assist organisations seeking to rely on this lawful basis. These are:
- processing is necessary for the performance of a task carried out in the public interest;
- processing is necessary for national security, public security and defence;
- processing is necessary for responding to national emergencies;
- processing is necessary in detecting, investigating or preventing crime, or apprehending or prosecuting offenders;
- processing is necessary in safeguarding vulnerable individuals (including children); and
- processing is carried out for the purposes of democratic engagement (political campaigning).
It is interesting (and perhaps a little worrying) to note that all of the legitimate interests listed under the Bill reference the processing to be necessary for each legitimate interest, with the exception of democratic engagement (political campaigning) whereby the processing need only be carried out for the purpose of democratic engagement. It is unclear at this stage why such a carte blanche approach has been taken in relation to processing personal data to aid political campaigning. A cynic would suggest that the interests of the political establishment have taken precedence over data subjects and legitimate business interests under the proposals.
Data Subject Access Requests (DSARs)
If the proposals are implemented, the UK will differ from the EU in how DSARs are dealt with. Currently, organisations may refuse to comply with DSARs that are “manifestly unfounded or excessive”, whereas the proposals lower this threshold so that organisations need not comply with “vexatious or excessive” requests. The Bill provides some guidance on what is meant by a vexatious or excessive request. The net effect is that the proposals are likely to reduce the number and complexity of requests that have to be actioned.
Furthermore, the proposals codify response times and provide practical guidance to organisations on when the response period runs and on whether a fee may be charged for processing a DSAR.
Cookies
Another area of potential divergence by the UK from the EU relates to consent to cookies. Whilst the EU looks to tighten control over organisations using cookies to track users on their sites, under the UK proposals consent to cookies will not be required where cookies are used for the following purposes:
- to collect statistical information about an information service or website in order to bring improvements to the service or website;
- to enable the way a website appears or functions to adapt to the preferences of the user or to otherwise enhance the appearance or functionality of the website;
- to install necessary security updates to a device; and
- to identify the geolocation of an individual in an emergency.
An important caveat is that this applies only to users aged 18 or over; organisations will therefore still have to obtain consent from children using their sites. The UK Government cites boosting innovation as the purpose behind this divergence.
International Data Transfers
Schedule 5 of the Bill introduces a new power for the Secretary of State to approve international transfers, subject to a risk-based ‘data protection test’. The data protection test will be met if the standard of protection for personal data in the third country (or international organisation) is not materially lower than the standard in the UK. The considerations the Secretary of State is to apply when assessing the data protection test in relation to a country or organisation include:
- respect for the rule of law and human rights;
- the existence of an authority responsible for data protection in that country;
- arrangements for judicial or non-judicial redress for data subjects in relation to processing; and
- the constitution, traditions and culture of the country or organisation.
Whilst there are similarities between the current regime and the proposals, the Bill does not expand on what is meant by the ‘constitution, traditions and culture’ of a country, or on how this factor is likely to affect an adequacy decision in respect of that country.
Assessed in a vacuum, and measured against the UK Government’s stated objective of creating an independent data protection framework, the Bill succeeds in many ways. Once implemented, the UK may interpret personal data differently from the EU and will assess the adequacy of data regimes in other countries independently of the EU’s standards. Moreover, the Bill proposes reforms to the ICO (replacing it with an Information Commission), albeit with greater control and input from the UK Government. It has to be said, however, that the UK regime will remain firmly based on the GDPR.
There are potential downsides though. The creation of different compliance standards for the UK and the EU will inevitably lead to further compliance (and associated costs) for businesses across the UK doing business in the EU and conversely, those businesses in the EU doing business in the UK. In addition, the adequacy decision in respect of the UK issued by the European Commission may be called into question once the Bill becomes an Act of Parliament. At present, the UK GDPR is very closely aligned with the EU GDPR and therefore there is no concern over the adequacy of the UK data protection regime. This may change. The UK’s risk-based proposal for international data transfers is, in particular, something that may not be welcomed in Brussels.
Should you require any data protection advice or assistance, please contact a member of our Data Protection and Cyber Security team.