UK Data Protection & Digital Information Bill Reforms

Published August 19, 2022

Author: Maria Khan, Data Privacy Legal Manager at Securiti (FIP, CIPT, CIPM, CIPP/E)


To deliver a pro-growth and trusted data regime as part of the UK's National Data Strategy, the UK Government's Department for Digital, Culture, Media, and Sport (DCMS) launched a consultation titled "Data: A New Direction" on September 10, 2021.

Following that consultation, the UK government introduced the Data Protection and Digital Information Bill ("Data Bill") to Parliament on July 18, 2022.

This article provides an overview of the changes the Data Bill proposes to the existing UK data protection framework.

Background to the Digital Information Bill

Goals Behind the UK Data Protection Reform Process

In its National Data Strategy, the UK government describes personal data as a significant strategic asset and the engine powering modern economies around the globe.

The government also recognizes that data stimulates scientific advancement and encourages innovation in organizations large and small. In the wake of Brexit, its efforts have been directed toward reforming the EU-derived privacy framework the UK inherited.

According to the government, the reforms will enable the UK to reap the rewards of greater use of personal data by easing restrictions that currently hinder the responsible use of personal data by organizations.

Existing Data Privacy Law Landscape

The UK's data protection framework currently consists of the Privacy and Electronic Communications Regulations (PECR), the Data Protection Act 2018 (DPA), and the UK General Data Protection Regulation (UK GDPR), which the DPA supplements and tailors to the UK.

This framework closely mirrors the European framework of the EU GDPR and the ePrivacy Directive, with exemptions and limitations specific to UK law. The Data Protection and Digital Information Bill amends this existing framework rather than replacing it.

Data Protection and Digital Information Bill

Following publication of the government's response to the Data: A New Direction consultation, the Data Protection and Digital Information Bill was introduced to Parliament on July 18, 2022. The government presents it as using post-Brexit freedoms to reshape the UK's data protection framework.

Key changes under the new Data Bill

The lengthy and intricate Bill makes numerous changes to the core data protection legislation. The main ones are summarized below.

Definition of Personal Data

The UK GDPR defines "personal data" as any information relating to an identified or identifiable natural person. The Data Bill retains this definition but clarifies when an individual is "directly" and "indirectly" identifiable.

An individual is directly identifiable from information if no additional information is needed to identify them, and indirectly identifiable if additional information is needed.

The Data Bill further clarifies when information counts as personal data in practice. Information is personal data if the living individual is identifiable by the controller or processor by reasonable means at the time of the processing, or if the controller or processor knows, or ought reasonably to know, that another person will or is likely to obtain the information as a result of the processing and that the individual will be, or is likely to be, identifiable by that person by reasonable means. Whether identification is reasonably likely depends on the time, effort, and cost involved and on the technology and other resources available.

This clarification mirrors Recital 26 of the EU GDPR, which states that all objective factors, such as the cost of and time required for identification, the technology available at the time of the processing, and technological developments, must be taken into account in determining whether a person is reasonably likely to be identified.

Definition of Research and Statistical Purposes

The EU GDPR recitals continued to inform the interpretation of the UK GDPR after Brexit. The Consultation proposed moving the supplementary interpretation of "scientific, historical and statistical research" found in Recital 159 into the operative text of the UK GDPR to improve clarity. The Data Bill amends the UK GDPR by introducing definitions of the following:

  • Scientific Research - processing for the purposes of any research that can reasonably be described as scientific, including technological development and demonstration, fundamental research, and applied research, whether publicly or privately funded.
  • Historical Research - which includes processing for the purposes of genealogical research.
  • Statistical Purposes - processing for statistical surveys or to produce statistical results, provided the resulting information is aggregate data that is not personal data and is not used to support measures or decisions about any particular individual.

Automated Decision-Making

Amending Article 22 of the UK GDPR, which deals with automated decision-making, including profiling, was discussed during the Consultation. Concerns were raised about which processes should be considered "solely automated" and how much human intervention takes a process out of scope, since not every AI system triggers the application of Article 22. The Data Bill replaces the current text of Article 22 entirely and clarifies the definition, restrictions, and safeguards that apply to automated decision-making.

Under the new text, a decision is based solely on automated processing where there is no "meaningful human involvement" in taking it, and a "significant decision" is one that produces legal effects for the data subject or similarly significant effects.

Significant decisions based solely on automated processing of special category data are restricted: they may be taken only where the data subject has given explicit consent, or where the decision is necessary for a contract with the data subject or is required or authorised by law.

For other significant automated decisions, the controller must put the following safeguards in place:

  • Providing the data subject with information about the automated decision-making,
  • Enabling the data subject to make representations about the decision,
  • Enabling the data subject to obtain human intervention from the controller in respect of the decision, and
  • Enabling the data subject to contest the decision.

Technical and Organizational Measures

Article 24(1) of the UK GDPR requires controllers to implement "appropriate technical and organizational measures" to ensure, and be able to demonstrate, that processing is carried out in accordance with the law. The Data Bill replaces this wording with "appropriate measures, including technical and organizational measures."

This small change gives organizations more flexibility: the measures relied on for compliance need not be exclusively technical or organizational and can include, for example, physical measures.

Records of Processing Activities

Under the existing framework, organizations must maintain records of processing activities (ROPAs). This obligation does not apply to organizations with fewer than 250 employees unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or involves special category or criminal offence data.

Under the Data Bill, the record-keeping duty is tied to risk rather than headcount: controllers and processors must keep records where their processing is likely to result in a high risk to the rights and freedoms of individuals. The required content is also more flexible. Records must cover the purposes of the processing, the personal data involved (including any special category data) and where it is held, and with whom the data has been shared.

Assessment of High-Risk Processing

Under both the existing framework and the proposed Data Bill, organizations must assess high-risk processing activities. The Bill renames the Data Protection Impact Assessment an "assessment of high risk processing" and removes the existing list of circumstances in which such an assessment is deemed necessary.

Under the Data Bill, the assessment must include a summary of the purposes of the processing, an assessment of whether the processing is necessary for those purposes, an assessment of the risks to individuals, and a description of how the controller proposes to mitigate those risks.

Cookies and Similar Technologies

The Consultation proposed moving, over time, from a consent model to an opt-out model for cookies, provided the website gives users clear instructions on how to opt out, with further exemptions for non-intrusive cookies as a first step.

For now, the Data Bill permits cookies and similar technologies to be stored on, or accessed from, users' devices (computers, smartphones, smart TVs, etc.) without prior consent for low-risk purposes such as web analytics, functionality enhancements, and automatic software updates.

This means the new UK framework still follows the opt-in consent principle for cookies but adds new exemptions.

Under the Data Bill, prior consent is not required in the following situations:

  • Where storage of or access to information is strictly necessary to provide an information society service requested by the user (the existing exemption),
  • Where the sole purpose is to collect statistical information with a view to improving the service,
  • Where the sole purpose is to enable the appearance or functionality of the service to reflect the user's preferences,
  • Where the sole purpose is to install a software update that is necessary to ensure the security of the device, and
  • Where the purpose is to identify a user's geolocation in an emergency.

For the new exemptions, users must still be given clear and comprehensive information about the purpose of the storage or access, and for the statistical and preferences exemptions, a simple means of objecting.

Soft Opt-In for Direct Marketing

Under the PECR, businesses may send direct marketing communications to existing customers, i.e., individuals whose details they obtained in the context of a sale of a product or service, without an opt-in checkbox, provided the individual was given a clear and simple opportunity to opt out when their details were collected and did not do so, and is given that opportunity in every subsequent message.

This also covers individuals who have negotiated a sale or actively shown interest in the organization's products or services, for example by requesting a quote or asking for more details.

This "soft opt-in" therefore does not require the customer's explicit consent provided these conditions are met. The Data Bill extends the soft opt-in to non-commercial organizations such as charities and political campaigns, covering individuals who have previously expressed interest in or supported their objectives.

Data Subject Access Request (DSAR)

The Consultation response acknowledged that DSARs can be misused and can be time- and resource-intensive. It proposed changing the threshold for refusing a request, or charging a reasonable fee for it, from "manifestly unfounded or excessive" to "vexatious or excessive."

The Data Bill implements this through a new Article 12A of the UK GDPR, which allows a controller to refuse a request, or charge a reasonable fee, where the request is vexatious or excessive; the onus of demonstrating this rests on the controller. Whether a request meets this threshold depends on factors including:

  • The nature of the request,
  • The relationship between the data subject and the controller,
  • The resources available to the controller,
  • Whether the data subject has previously made such requests, and
  • How long ago any such previous request was made.

Examples of vexatious requests under the Bill include requests that:

  • are intended to cause distress,
  • are not made in good faith, or
  • are an abuse of process.

Legitimate Interests & Lawful Grounds of Processing

Under the existing framework, personal data may only be processed on one of the lawful grounds: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest, or legitimate interests.

Legitimate interests of the controller (or of a third party) is an appropriate ground where the following three-part test is met:

  1. Purpose test: identify a legitimate interest pursued by the controller or by a third party to whom the data is disclosed.
  2. Necessity test: the processing must be necessary to achieve that purpose.
  3. Balancing test: the legitimate interest must not be overridden by the interests or fundamental rights and freedoms of the data subject.

The Data Bill retains these lawful grounds. However, it adds an annex to the UK GDPR listing "recognised legitimate interests": processing that is necessary for one of these purposes may rely on a new lawful ground without the controller having to carry out the balancing test. The annex covers processing for the following purposes:

  • Protecting national and public security
  • Emergency situations
  • Defence purposes
  • Investigation and prevention of crime
  • Safeguarding vulnerable individuals
  • Democratic engagement

Purpose Limitation

The existing legal framework requires that personal data be collected for specified, explicit, and legitimate purposes. This principle is called purpose limitation.

The principle restricts controllers from using personal data for a new purpose unless they first assess that the new purpose is compatible with the original purpose for which the data was collected.

The Data Bill sets out additional circumstances in which processing for a new purpose is treated as compatible with the original purpose. This list is also an annex to the UK GDPR, and the Secretary of State is given a power to add to it by regulations. The current list is lengthy and covers processing for several objectives, including:

  • Scientific, historical, archive, or statistical purposes
  • Ensuring public security
  • Emergency situations
  • Investigation and prevention of crime
  • Safeguarding vulnerable individuals
  • Taxation
  • Other legal obligations

International Transfers

Under the existing UK framework, personal data may be transferred outside the UK only to countries covered by adequacy regulations, or where appropriate safeguards ensure a level of protection essentially equivalent to that guaranteed inside the UK (subject to limited derogations). The ICO has also released an International Data Transfer Agreement (IDTA) to replace the EU Standard Contractual Clauses (SCCs) for transfers from the UK to third countries without adequacy.

The Consultation proposed an autonomous international transfer framework designed to support modern commercial and financial data flows and to promote global trade and development. This more flexible approach aims to make it easier for UK businesses to compete in global markets and to attract foreign investment. The main changes supporting this strategy are:

  • An emphasis on risk-based, outcome-focused adequacy assessments that weigh the likelihood and severity of risks to the rights of data subjects.
  • Replacement of the formal review of adequacy regulations every four years with an ongoing monitoring and reporting process.

The Data Bill incorporates these changes. It also gives the Secretary of State power to approve, by regulations, transfers to countries, territories, sectors, or international organizations that do not currently benefit from an adequacy decision, replacing the existing adequacy standard with a "data protection test."

Under that test, transfers to a country may be approved if the standard of protection for data subjects there is not materially lower than that provided under the UK GDPR and the DPA 2018.

The Secretary of State may also specify standard data protection clauses for use as a transfer safeguard, and retains the power to restrict transfers of particular categories of personal data where necessary for important reasons of public interest.

Data Protection Officers (DPOs)

The Consultation proposed removing the requirement to appoint a Data Protection Officer, chiefly to reduce the burden on small businesses that do not process large volumes of data or highly sensitive data. It suggested instead designating a senior responsible person to oversee data protection and promote a culture of data protection throughout the organization.

The Data Bill reflects this by amending the UK GDPR so that controllers and processors that are public bodies, or that carry out high-risk processing, must designate a Senior Responsible Individual (SRI) who is part of the organization's senior management to oversee its processing activities. The SRI is responsible for monitoring and ensuring compliance with data protection legislation. Unlike a DPO, the SRI need not have expert knowledge of data protection law; it is up to the organization to decide what skills and qualifications the SRI should have.

Financial Penalties

The existing framework caps fines for breaches of the cookie and electronic direct marketing rules under the PECR at £500,000. The Data Bill raises this to the UK GDPR level: up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.

Conclusion

The Data Protection and Digital Information Bill proposes significant changes, including to the definition of personal data, the rules on cookies, and cross-border transfers to third countries. However, it remains to be seen when, and in what form, the Bill will pass through Parliament and what its practical implications will be. Our experts at Securiti continuously monitor legal developments in the UK to help you prepare for compliance.

The UK government aims to reduce the burden on businesses and simplify data protection requirements, especially for small businesses. However, by widening the gap between the UK and EU frameworks, the Bill may make compliance more complex for organizations operating globally, which will need to satisfy both regimes.

Securiti offers a wide range of AI-based solutions that can help you achieve compliance easily with the UK data protection framework. Ask for a DEMO today to understand how you can achieve compliance with multiple data protection laws that apply to your organization.
