Following Brexit, the UK implemented the General Data Protection Regulation (GDPR) in a form consistent with UK law, commonly called the UK GDPR. The UK GDPR is supplemented by the 2018 Data Protection Act (DPA) and 2003 Privacy and Electronic Communications Regulations (PECR).
Over the years, the UK Government saw a need for new rules regulating some previously overlooked areas. The central aims were to:
- Promote the country’s research and innovation;
- Reduce operational costs for UK businesses;
- Enhance the development of AI technologies and provide the necessary safeguards for this process.
With that in mind, the UK Government has proposed a second version of the UK Data Protection and Digital Information Bill, which is currently still in draft form. If the new law passes, it will amend the UK GDPR (as well as the DPA and the PECR), creating an updated privacy framework for companies working with data from UK residents.
In this article, we’ll present the key changes introduced by the UK’s new Bill, compare it with the previous regulation, and explain what it means for businesses.
What is the UK Data Protection and Digital Information Bill
The first Data Protection and Digital Information Bill, now called “the No. 1 Bill,” was introduced on July 18, 2022, and paused in September 2022. On March 8, 2023, the UK Government introduced a new version of the Bill, known as “the No. 2 Bill”, for review by the UK Parliament.
The Bill is now due to have its report stage and third reading, but the dates are yet to be announced. While amendments can still be made during these stages, passage of the Bill is predicted to happen in 2024.
The second version of the UK Data Protection and Digital Information Bill would cover:
- Organizations that process personal data as part of their operations in the UK, including organizations located there but not limited to them;
- Outside organizations that process the personal data of UK residents to offer them services or monitor their behavior.
This means that the Bill will apply to any business that processes the data of UK residents, regardless of where that business is located.
Comparison between the previous Bill and its new version
The new law changes many definitions from the previous regulation. Most of the amendments clarify the meaning of specific terms or give more context to each specification.
The Bill updates the definitions of personal data, purpose limitation, and legitimate interests. It also applies new rules to data transfers, to the processing of data for scientific research, and to the roles of the Information Commissioner’s Office (ICO) and the data protection officer (DPO). In addition, it clarifies which organizations the new law will apply to.
Furthermore, the updated Bill gives organizations more flexibility regarding compliance by introducing a simple, clear, and business-friendly framework that will be easy to implement. It is less strict than EU GDPR rules, making it easier for organizations to comply.
Also, the reform is expected to unlock £4.7 billion in savings for the UK economy over the next ten years. In comparison, in 2021, data-driven trade generated an estimated £259 billion. At the same time, the law is raising concerns among privacy watchdogs, who claim it prioritizes the needs of business over the rights of individuals.
Below, we describe the most important differences between the versions of the UK law and explain their impact on your business.
Personal data
Personal data used to be defined as any information relating to an identified or identifiable person. The updated version has amended this definition to help determine if the information relates to an “identifiable” individual.
It limits the assessment in two ways. First, it leaves the identification to the controller, processor, or any third party who will likely receive the information. Second, identification needs to be performed only by “reasonable means.”
These rules are much less restrictive than GDPR, especially regarding the definition of personal data. This amendment will most certainly be welcomed by businesses, but organizations focused on privacy compliance may not be in favor of this change.
Legitimate interest
The term “lawful bases” refers to the grounds that make the processing of personal data legitimate; processing is only permitted where one of these bases applies. One of them is legitimate interest.
Data that can be processed based on legitimate interest may include:
- Processing necessary for direct marketing communication of advertising materials directed to particular individuals;
- Processing necessary for internal administration;
- Processing necessary to ensure network and information security.
Pro tip
Remember that processing data requires a thorough assessment, so relying only on legitimate interest to justify all direct marketing activities might be very risky, or even impossible.
When applying legitimate interest, you must perform a three-part test and document the outcome. This test is usually called a legitimate interest assessment (LIA).
The assessment consists of:
- The purpose test, in which you identify your purpose and decide whether it counts as a legitimate interest;
- The necessity test, in which you consider whether the processing is actually necessary for your identified purpose;
- The balancing test, in which you consider the interests and fundamental rights of the individual and whether these overrule your identified legitimate interests.
To decide the outcome, you need to weigh all the identified factors and decide whether your interests should take priority over any risk to individuals. You should be as objective as possible. You should also document the benefits that justify any risks you have identified.
The updated UK Bill will include a new “recognized legitimate interests” legal basis for specific important public interests, such as democratic engagement, national security, public security and defense, processing data necessary to the public interest, safeguarding vulnerable individuals, and detecting, apprehending, or investigating crime.
Controllers will most probably add additional purposes over time as Parliament passes the UK Data Protection and Digital Information Bill.
Cookies
Consent for using cookies and similar technologies is required in all circumstances unless their use is strictly necessary. Common examples include cookies:
- Used to remember products a user wishes to buy;
- Essential to comply with the UK GDPR;
- Ensuring that the content of a page loads quickly and effectively;
- Used for analytics purposes;
- Used to recognize a user when they return to a website.
Under PECR, consent is required unless you meet the so-called “soft opt-in” exemption requirements. Currently, this is only available for commercial purposes or non-profits. However, it’s important to note that a charity cannot use it when collecting donations.
In the new Bill, the soft opt-in exemption will be extended to non-commercial organizations, covering consent:
- Given to further charitable, political, or other non-commercial objectives;
- Where contact details have been obtained while expressing interest;
- Where the recipient is given a clear and simple instruction to object.
As for cookies, a new list of exemptions to the requirement to obtain consent includes:
- Installing necessary security updates;
- Ensuring user preferences are followed;
- Collecting information for statistical purposes about how the website is used to make improvements.
This change will matter most to businesses that use analytics cookies, which until now have either accepted the data loss from declined consent or taken a risk-based approach to the possibility of enforcement action.
It remains unclear how the many exceptions to the requirement for explicit consent will be implemented.
Direct marketing
The previous Bill allowed non-commercial organizations to rely on soft opt-in for direct marketing purposes if they had obtained contact data from a person expressing interest.
Pro tip
The term “soft opt-in” is sometimes used to describe the rule about existing customers. If they have bought something from you, shared their contact details, and did not opt out of marketing activities, they might want to receive promotional information from you. However, they need to have a clear opportunity to opt out. This rule does not apply to new customers or to non-commercial promotions (such as charities or political campaigns).
By contrast, the opt-out approach is to collect and process personal data freely until the user takes affirmative action to prevent further processing of their personal information.
The updated Bill introduces new obligations for providers of electronic communication networks. Specifically, they must notify the Information Commission (IC) of “any reasonable grounds” for suspecting a breach of the direct marketing rules. Failure to comply could result in penalties.
What “reasonable grounds” means will be detailed in IC guidance. For now, the explanatory notes accompanying the Bill confirm that providers will not be required to intercept or examine communications.
While this provision will only apply to electronic communication service providers, it will likely increase awareness of non-compliant direct marketing communications. It could result in more enforcement action being taken in cases of direct marketing breaches.
International data transfers
The principles regarding international transfers of personal data under the Bill are the same as those under the UK GDPR: data can only be transferred outside the country if the recipient is located in an adequate third country, the transfer is subject to appropriate safeguards, or the transfer is made in reliance on a derogation.
These amendments provide more flexibility for the UK government when considering UK adequacy decisions.
The EU may, however, raise concerns about the UK’s own adequacy status, especially if onward transfers are subject to different protections than those provided in the GDPR. The EU Commission must monitor whether the country continues to provide an equivalent level of data protection, and if the issues cannot be resolved, it can amend, suspend, or repeal the decisions. Also, the EU Court of Justice will decide whether the UK has provided adequate data protection to EU data subjects.
The EU and the UK have signed an adequacy decision facilitating data transfers. That’s why the EU Commission is monitoring compliance with these rules. If the UK starts applying loose data transfer standards, it may not be possible to maintain this decision.
Expert opinion
Sarah Pearce
Partner at the law firm Hunton Andrews Kurth
“The proposals around international data transfers are encouraging but somewhat unclear. If it means the UK would no longer require an analysis of the third country to which personal data is being transferred, it is potentially worrying from an adequacy decision perspective. It isn’t clear to me at this stage that this is what they are suggesting; we need more detail.”
This significant change will allow transfer risk assessments to consider proportionality and may provide organizations with options for a light touch review, such as where there is minimal or non-sensitive personal data.
Any mechanism used before the Bill takes effect, such as standard contractual clauses, will remain valid as appropriate safeguards. Therefore, the UK International Data Transfer Agreement and the UK International Data Transfer Addendum will continue to operate as mechanisms for transferring UK data.
If you want to know more about data transfers, especially between the UK and the US, read our article: Everything you need to know about the Data Privacy Framework (Privacy Shield 2.0)
Processing data for scientific research
The Bill clarifies the meaning of scientific research and its purposes. It includes processing data for any research that can reasonably be described as scientific. It applies to publicly or privately funded research and research carried out commercially or non-commercially.
Automated decision-making and profiling
The UK GDPR defines automated decision-making as the process of deciding by automated means without any human involvement, based on factual data, as well as on digitally created profiles or inferred data. It includes decisions such as granting an online loan or assessing a skill test for recruitment that uses pre-programmed algorithms.
Automated decision-making often, but not always, involves profiling. Under the UK GDPR, profiling refers to any automated processing of personal data that involves evaluating certain aspects of personal life. Companies use profiling to learn about people’s preferences, predict their behavior, and make data-driven decisions.
In the updated Bill, an automated decision is defined as one taken with no human intervention. Also, the right to human intervention will only apply to significant decisions, rather than to every decision that affects a data subject.
Furthermore, profiling alone is not considered automated decision-making. When determining whether there was meaningful human involvement, it is necessary to consider the extent to which a decision was based on profiling.
For the new UK Bill to be applicable, there must be no human involvement in tailoring marketing to someone’s needs. Also, any legal or similarly significant effect on the individual is forbidden if profiling or automated decision-making is used.
The role of ICO and DPO
The new Bill renames the ICO the Information Commission (IC) and reconstitutes it as a corporate body. Changes are also proposed in practical areas, such as its governance structure, duties, and enforcement powers.
It establishes the IC’s principal objectives, which are:
- Securing an appropriate level of personal data protection, having regard to the interests of data subjects, controllers, and matters of general public interest;
- Promoting public trust and confidence in personal data processing.
The reform raises valid concerns about the IC’s independence. To counteract them, the Secretary of State will be required to publish their reasoning for approving or not approving a statutory code or guidance produced by the IC.
Expert opinion
Julia Lopez
Minister for Data and Digital Infrastructure
“The Secretary of State will have greater powers when it comes to some of the statutory codes that the ICO adheres to, but those powers will be brought to this House for its consent. The whole idea is to make the ICO much more democratically accountable (…) and I don’t believe that the concerns around ICO’s independence were justified or legitimate.”
Also, instead of a data protection officer (DPO), the new Bill stipulates that organizations should appoint a senior responsible individual (SRI) who is part of the organization’s senior management. The SRI would be responsible for data protection matters within the organization, with mandatory tasks including dealing with data breaches and complaints related to data processing.
New concepts included in the second version of the Bill
In addition to changes to existing definitions from the previous Bill, the second version also introduces a few new concepts; the most important ones are detailed below.
Digital identity
Digital verification services (DVS) are defined as services provided to any extent via the Internet at the request of an individual, such as:
- Establishing or verifying data about the individual from information provided otherwise than by the individual;
- Confirming to another person that the data about the individual has been established or verified from the information provided.
At this stage, individuals would apply to use the digital verification services, including creating a reusable digital identity that could then be shared in whole or in part with organizations requiring such information.
Smart data
The Bill proposes introducing smart data schemes in consumer markets. Generally, a scheme would allow a customer to require a data holder, such as a business or trader or its owner, to provide certain customer data to the customer or a third party. An existing example of such a scheme is open banking.
The Bill would give the Secretary of State and HM Treasury powers to create more schemes like this, which are intended to create a wider open data economy that the UK government believes should benefit consumers and businesses.
At this stage, it remains to be clarified how these provisions will be applied, including, for example, which industry or industries they would focus on.
Expert opinion
Julian David
TechUK CEO
“The changes announced today will give companies greater legal confidence to conduct research, deliver basic business services and develop new technologies such as AI, while retaining levels of data protection in line with the highest global standards, including data adequacy with the EU.”
What does the new UK Data Protection and Digital Information Bill mean for your business
The reforms in the Bill are intended to simplify data protection legislation for businesses. Although the Government describes the Bill as a new data protection system, it still holds on to the fundamental obligations, structure, and principles of the UK GDPR.
Businesses already compliant with the UK GDPR will not be required to make any changes because of the Bill. Instead, it will clarify the existing framework and attempt to tackle some issues that can arise based on five years of experience with GDPR in practice.
However, organizations operating globally and with operations in the EU may need to update their data protection frameworks to take advantage of the changes proposed in the Bill. For example, they need to determine whether UK data can be separated from EU data to ensure that the changes proposed by the Bill do not apply to their entire data collection setup. This segregation may be difficult for companies that have treated UK and EU data similarly under one data protection governance framework for decades.
The new UK Data Protection and Digital Information Bill is more business-friendly than focused on supporting customers’ privacy rights. Its main goal is to decrease the amount of paperwork UK companies deal with regarding compliance with privacy regulations, which is expected to save billions of pounds for the country’s economy. It also aims to support international trade by giving businesses more flexibility regarding compliance with the privacy framework. The law also aims to simplify rules regarding data used in scientific research, especially by increasing trust in AI technology, which would lead to new developments in the UK.
Expert opinion
Michelle Donelan
The UK Secretary of State for Science, Innovation and Technology
“This new Bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs. Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain.”
What’s next?
Currently, the Bill is with the UK Parliament in draft form. The third reading is still ahead, and the final version may see more changes. Therefore, the timeline for implementing this version of the Bill, or any amended version, is yet to be determined.
The legislation pushes the responsibility of data privacy onto organizations themselves. Still, most UK companies will welcome the changes, as the new regulation lowers friction and compliance costs. It will take some time to evaluate the true impact of the new Bill. However, it would be good for businesses to proactively share and appropriately protect sensitive information.
Critics of the legislation believe the Bill undermines fundamental rights to data privacy. They claim that it restricts data subjects’ rights, limits their right to review automated decisions, and turns the ICO into a government-controlled agency. There’s also a possibility that the new Bill will impact the UK and EU data adequacy agreement, as the EU may revoke this agreement if they feel the revised legislation fails to implement adequate safeguards.
Piwik PRO Analytics Suite allows you to collect data following the UK Data Protection and Digital Information Bill, GDPR, CCPA, and many other privacy laws. Read our blog for updates on this legislation and other privacy news. If you’re interested in learning more about privacy-compliant analytics, contact us.