Immediately after Brexit, the UK emulated the General Data Protection Regulation (“GDPR”). The UK Parliament is currently debating the replacement for the UK GDPR, known as the Data Protection and Digital Information Bill (“DPDI”, “the Bill”).
The Bill is approaching its final stages of review in the House of Lords, having successfully passed the third reading in the House of Commons on the 29th November 2023.
We will be conducting a comparative analysis of the new reforms as they currently stand and assessing their potential impacts on the UK’s data privacy landscape.
The UK Parliament is currently debating a number of reforms the Bill will introduce. We have outlined the key changes below.
1. Definitions
The Bill introduces nuanced changes to certain definitions. For instance, it redefines ‘personal data’ to refer specifically to ‘living individuals’ and draws a clear distinction between ‘identified’ and ‘identifiable’ information. This revision, found in Article 4 of the GDPR and Clause 1 of the DPDI, gives organisations clearer guidance on pseudonymisation and anonymisation, aiding compliance. While these changes offer more clarity in some areas, they are largely cosmetic and do not fundamentally alter the understanding of personal data.
2. Cross-Border Data Transfers
The European Commission has the power to determine whether a country outside the EU offers an adequate level of protection (Article 45 of the Regulation (EU) 2016/679). The adequacy test considers if the country’s standard of data protection is “essentially equivalent” to that found under the GDPR.
No reference is made to the “Adequacy Decision” under the new Bill. Instead, the Secretary of State will consider whether the standard of protection in the relevant country is “materially lower” than that of the UK (Clause 45B(1)). In comparison with the “Adequacy Decision” under the GDPR, the Secretary of State will be able to use broader factors in their assessment, including, under Clause 45A(3), the “desirability of facilitating transfer of personal data to and from the United Kingdom” as well as the usual rule of law and human rights considerations.
It is hoped that in providing more flexibility, the test will streamline low-risk international transfers, overall reducing the compliance burden for companies.
3. Senior Responsible Individuals
Article 37 of the GDPR specifies the circumstances in which a Data Protection Officer (“DPO”) should be appointed, which applies to the majority of companies. Article 38 of the GDPR establishes the nature of the DPO as fundamentally impartial and independent, and Article 39 of the GDPR outlines the tasks of the DPO.
Under the proposed UK law, DPOs will be replaced with the “Senior Responsible Individual”. Differing from the GDPR standard, the Senior Responsible Individual must be a member of an organisation’s senior management. However, their main tasks align with those found under Article 39 of the GDPR: they will monitor compliance with data protection legislation, handle data breaches and organise employee training. The independence and impartiality requirement remains fundamental to the role of a Senior Responsible Individual, as it is for the DPO under the GDPR.
As it stands, therefore, the tasks of the Senior Responsible Individual under the new proposals appear similar to the role of the DPO. However, it remains to be seen whether the independence and impartiality requirements can be upheld where the role holder is closely integrated with the organisation and, even more so, a part of senior management.
4. Records of Processing Activities
Under Article 5(2) of the GDPR, the controller is required to demonstrate its accountability under the Regulation. One aspect of this is providing the requisite documentation, where necessary, to show compliance with the principles and provisions of the GDPR.
A key tenet of this is the controller’s and processor’s obligation to maintain a Record of Processing Activities (“RoPA”), subject to the exceptions outlined in Article 30(5) of the GDPR. These obligations do not apply to an organisation employing fewer than 250 persons unless the processing is likely to result in a risk to the rights and freedoms of the data subjects, the processing is not occasional, the processing includes special categories of data as referred to in Article 9(1), or it includes personal data relating to criminal convictions and offences referred to in Article 10.
Under the new Clause 61A of the DPDI, each controller and processor must maintain appropriate records of the processing carried out. This obligation applies without the exceptions outlined in Article 30(5) of the GDPR.
Overall, therefore, a more stringent standard has been proposed.
5. Data Protection Impact Assessments
Similarly important under the GDPR is the requirement for a Data Protection Impact Assessment (“DPIA”). Under Article 35 of the GDPR, organisations undertaking processing likely to result in a high risk to the rights and freedoms of natural persons must conduct a systematic and extensive evaluation of the processing in order to mitigate that risk.
The DPDI replaces the use of “DPIA” with “Assessment of high-risk processing”. Regarding the requirements, a “systematic and extensive evaluation” has been replaced with a “summary of high-risk processing”. Furthermore, the previous mandatory rule to consult the Information Commissioner’s Office (“ICO”) for unmitigated high risks has been replaced with an optional ability.
It remains to be seen how a “summary” compares with a “systematic and extensive evaluation”. If it indeed requires less detail, the impact of processing on data subjects may not be adequately considered. The risk is exacerbated by the fact that consultation with the ICO on the mitigation of risks, previously mandatory, is now optional.
6. Recognised Legitimate Interests
Under Article 6 of the GDPR, there are six lawful bases for processing, including “legitimate interest”, which requires a balancing test between the legitimate interests pursued by the controller or a third party and the interests or fundamental rights of data subjects. This balancing test can be carried out within organisations by means of a Legitimate Interest Assessment (“LIA”).
For organisations, the Bill provides more legal certainty to controllers by clarifying the types of data processing that can be considered “legitimate”. Under Clause 6(9), data processing such as intra-group transfers will be considered “legitimate”. Further reform includes the proposed introduction of “recognised legitimate interests” under Clause 6(1)(EA). These interests crystallise legitimate interests as the lawful basis where the processing is necessary for disclosure to another person, i.e. for national security purposes or emergencies. The Secretary of State has broad powers to introduce new exemptions to legitimise the use of data.
Overall, the new rules for companies do negate the need for a Legitimate Interest Assessment (LIA) to be conducted in certain circumstances.
7. Data Subjects’ Rights
Under Articles 12-23 of the GDPR, data subjects have been accorded individual rights. Organisations can reject a request or charge a fee where the request is considered “manifestly unfounded or excessive”, or if otherwise permitted by Member State law. The consensus on the meaning of “manifestly unfounded or excessive” is that such requests have not been made in good faith or are unreasonable.
Under the DPDI, a data subject’s rights request can be declined where it is “vexatious or excessive”. As yet, there is no confirmed definition of this phrase and, in the absence of one, it stands to be vague, ill-defined and open to interpretation, potentially making it easier for organisations to refuse requests.
Certain commentators have echoed these fears, stating that the interests of data subjects are being neglected by making it more difficult to make complaints or challenge decisions. This can be further evidenced by the ICO having been granted the discretion to dismiss complaints and by organisations being able to reset the clock on the one-month time limit by requesting further information. Even where a method of legal recourse exists, the combination of these changes will mean that complaints take longer to resolve, and many data subjects may not see the vindication of their rights as worthwhile.
A government spokesperson has defended their stance, claiming that this was a factually inaccurate statement and that the proposal would in fact provide greater clarity to both companies and data subjects (The Guardian). It remains to be seen how the new provisions will be applied in practice.
8. Automated Decision-Making
Under Article 22 of the GDPR, a data subject cannot be subject to a decision based solely on automated processing where legal or similarly significant effects are produced. This restriction does not apply where there is a contractual obligation, an authorisation by Union or Member State law, or if the data subject has explicitly consented.
The Bill is similar to the GDPR. Under Clauses 22A, 22B and 22C of the Bill, solely automated decision-making is permitted unless it involves a “significant decision”. This is the equivalent of producing legal or similarly significant effects on the data subject. Furthermore, when special categories of data are being processed, solely automated processing cannot be used unless there is a contractual obligation, an authorisation by the local Member State law, explicit consent from the data subject or a substantial public interest.
This differs from the more stringent approach found under Article 22(4) of the GDPR. Under the GDPR, where special category data is being processed, a solely automated decision can only take place on the basis of explicit consent and substantial public interest. The Bill’s new rules on automated decision-making will thus allow organisations to use the technology more permissively than under GDPR rules. In this way, the reform to Article 22 can be seen more as a “restriction” on solely automated decision-making rather than as a “right”.
9. Processing in a manner that is incompatible with initial purposes
As clearly set out under Article 5(1)(b) of the GDPR, data cannot be further processed “in a manner that is incompatible with these purposes”. Under the GDPR, further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered “incompatible” with the initial purposes; however, this is the only statutory exception.
The new Bill introduces a list of purposes for data processing which are deemed “compatible” with the purposes of their initial collection. Clause 8A(4) of the new Bill aligns with the conditions found under Article 5(1)(b) of the GDPR, whereby further processing can take place for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Annex 2 of the Bill, however, extends the circumstances for further processing to public security disclosures, emergency response, safeguarding vulnerable individuals and complying with legal obligations.
The main point of difference between the GDPR and the Bill is thus that the recognised purposes are clearly set out in the statutory text.
10. Direct Marketing and Cookies
Currently under PECR, consent from individual subscribers (individual consumers, including sole traders and certain other organisations, e.g. some types of partnership) is required to send electronic marketing, for example email or text marketing messages, unless the requirements of the “soft opt-in” exemption have been met. This exemption is available where the data is used for commercial purposes in relation to individual subscribers. For organisations such as charities and political parties, therefore, the cases in which the “soft opt-in” applies are restricted to the context of a sale or negotiation, as opposed to, for example, receiving donations.
The Bill proposes amendments allowing non-commercial organisations to benefit from the “soft opt-in” where contact details have been obtained in the course of the individual expressing interest in the organisation or providing support. This rectifies the somewhat discriminatory approach found under the current PECR, as organisations such as charities and political parties will now be able to benefit from such marketing in the case of donations.
Under the current system, the UK ICO’s powers to enforce ePrivacy stem from the Data Protection Act 1998, with penalties capped at £500,000. The new proposals allow the UK ICO to issue fines under both the Bill and the Data Protection Act 2018, potentially attracting higher penalties of up to £17,500,000 or 4% of worldwide turnover, as stipulated under Regulation 31 and the new Schedule 1.
11. The New Information Commission
The Bill proposes significant changes to the structure and governance of the ICO. Firstly, the role of Information Commissioner is replaced by a corporate body, the Information Commission. The Information Commission will consist of non-executive members led by a chair, and executive members led by a chief executive who will be appointed by the non-executive members. This means that the Commissioner will no longer delegate to other members at their discretion; rather, a greater role will be established for non-executive members.
Currently, the ICO has a clear line of distinction with the government as an independent and impartial body. However, the Bill introduces a closer interaction between the government and the ICO. For example, the government will issue strategic priorities to the Information Commission and require approval for issuing any Codes of Practice, potentially affecting the ICO’s independence.
As is widely known, the ICO’s written guidance is imperative in guiding organisations, other Data Protection Authorities and individuals alike on how to implement data protection. The ICO has stated that this will continue to be the case. It has also commented that the Bill continues to ensure the ICO’s status as an independent regulator that is also accountable to Parliament, and that this independence is all the more necessary because it is a necessary tenet of UK adequacy.
The Information Commission's enforcement powers will be expanded, including the authority to request specific documents and issue interview notices, compelling responses from current and former employees. This intensifies the compliance burden for organisations.
A Business Perspective
So, what does this mean for businesses? The data industry is a rapidly growing one, with data-driven trade having generated around 85% of the UK’s total service exports, contributing nearly £259 billion to the economy in 2021.
The Department for Science, Innovation and Technology has assured that the DPDI will be easier to comply with, meaning businesses will not have to surmount the red tape of the GDPR. If this does indeed become a reality, then this will reduce costs and burdens for businesses. The UK Government has contended that the strengthened data regime will unlock more than £4.7 billion in savings for the UK economy over the next ten years. It remains to be seen whether this will be the case.
The Bill is currently passing through the House of Lords and is expected to receive Royal Assent early this year (2024). With the EU conducting a review of the UK’s adequacy in June 2025, some commentators have suggested that the relaxing of the GDPR standard could put the UK’s adequacy decision at risk. It is vital that this does not occur as many businesses in the UK rely on the adequacy decision for operation of their day-to-day business, such as ensuring transfers to their European subsidiaries.
Although the proposed regime seems to be less stringent than that of the GDPR, it has not deviated substantially or substantively from the GDPR regime, retaining the same obligations and overall structure. The UK government has considered the need to preserve the UK’s adequacy status, keeping any reforms within the limited room to manoeuvre available.
Thus, for any business operating across Europe and being compliant with the GDPR regime, adherence to the European standard will continue to be sufficient for the UK as well.