On 17 June, the UK government introduced in the House of Commons the Data Protection and Digital Information Bill, a 192-page document containing numerous amendments to the country’s data protection laws. If implemented, the intended changes would make the UK data protection law more attuned to the needs of businesses. In contrast, privacy activists are likely to see the reform process as an erosion of protections considered fundamental and for that reason untouchable.
Reforms about to take place in the UK could influence the future shape of the data protection legal framework in the EU and, consequently, in countries striving for EU membership, such as Serbia, Montenegro, and Bosna and Herzegovina. As European Data Protection Supervisor Wojciech Wiewiórowski recently put it, “the Commission could regard the U.K.’s moves toward a more flexible GDPR as a kind of “sandbox” experiment to see how the rules could be changed and possibly improved.”
Given the potential significance of the reform, it is worth an effort to examine the key changes, especially those applicable to all types of data controllers and data processors – not only the big ones or those with sophisticated business processes.
Submission of the Bill is a result of a process that started in September 2021, when the Department for Digital, Culture, Media and Sport published the document “Data: A new direction“. After that, the public consultations ran for 10 weeks, and the government response was published on 23 June 2022.
Bill’s redefinition of identifiability, DPO, prior consultation, cookie consents, and transfer adequacy
The Bill introduces clarifications that are of relevance for the determination of whether certain data are personal data, or not. Under the UK GDPR, “personal data” means any information relating to an identified or identifiable natural person (i.e., in Bill’s terminology, “identifiable living individual”). The issue, then, is when is the living individual “identifiable”.
The Department for Digital, Culture, Media and Sport stated, in the consultation document, that, if identification would require unreasonable time, effort, or resources, the data should not be considered personal data. Where the relevant means of identification are in the hands of a third party and the controller cannot reasonably obtain those means, the data are anonymous.
The Bill expresses that idea in the following way:
The first case [in which data relate to an identifiable living individual] is where the living individual is identifiable (…) by the controller or processor by reasonable means at the time of the processing. [A]n individual is identifiable by a person “by reasonable means” if the individual is identifiable by the person by any means that the person is reasonably likely to use. [W]hether a person is reasonably likely to use a means of identifying an individual is to be determined taking into account, among other things—(a) the time, effort and costs involved in identifying the individual by that means, and (b) the technology and other resources available to the person. (…).
Under this definition, data could not be considered personal data if the controller or processor could only in the abstract, with the help of third parties (e.g. the internet service provider where the data is an IP address) identify the person.
The government has included in the Bill several proposals aimed at “reducing the burden on businesses and delivering better outcomes for people” (as the government dubbed it in the consultation document and the June 2022 response). One specific proposal is to remove the requirement for the appointment of a data protection officer (DPO), as defined by the UK GDPR. Companies, including those engaged in low-risk processing, should instead appoint a so-called senior responsible individual (or individuals) to oversee the organisation’s data protection compliance. The main difference between such an individual and the DPO is that the senior responsible individual does not have to have expert knowledge of data protection law. Instead, it is left to the controller, i.e. processor, to determine what skills and qualifications the senior responsible individual should have, taking into consideration the volume and sensitivity of the personal data and the type of data processing carried out. Organisations undertaking high-risk processing will probably continue to designate a position similar to that of a DPO.
Also to reduce the burden on businesses, the government decided to remove the mandatory requirement for prior consultation with the Information Commissioner’s Office (ICO). Organisations rarely use prior consultation after completing a data protection impact assessment, presumably because the relevant provision in the UK GDPR (Article 36) authorizes the supervisory authority to use its enforcement powers against the organisation which initiated the consultation. Under the new UK model, even if there is a residual risk for the rights of the data subjects, prior consultation will be optional. On the other hand, organisations will be incentivised to ask for guidance, because in the event of a potential investigation ICO will consider a consultation as a mitigating factor and demonstration of a proactive approach to accountability.
In the consultation document, the government raised the issue of the use of cookies and proposed two options considering the consent requirement for low-risk online activities.
- Option one was to permit organisations to use analytics cookies and similar technologies without users’ consent. The law would treat analytics cookies the way the current legislation treats “strictly necessary” cookies.
- Option two would be to permit organisations to use cookies or other tracking technologies, without users’ consent, not only for analytics but for other limited purposes as well. The use of cookies would be based on the legitimate interest of the data controller, where there would be minimal impact on the privacy of an individual.
Most of the respondents expressed a preference for option two. In the Bill, the government does not require consent for the placement of cookies for a small number of non-intrusive purposes, such as web analytics, enhancement of functionality, and automatic software updates, In the future, the government intends to implement a general opt-out model for cookies placed by a website, meaning that cookies could be set out without consent. Of course, clear information on how to opt-out will have to be provided to the users. Exceptionally, websites likely to be accessed by children will be able to place cookies only with the consent of the visitors (opt-in model).
The Bill contains several proposals concerning the future data transfer regime, and of particular interest is the proposal concerning the power of the Secretary of State to approve transfers by regulations. The Bill does away with the term “adequacy”, but in essence, the Secretary of State will make what under the GDPR (Article 45) is called adequacy decisions.
In the September 2021 consultation document, the Department for Digital, Culture, Media and Sport proposed forming a data adequacy regime that would account for “actual” risks in the target countries to data subjects’ data protection rights, rather than “academic or immaterial” risks. The document did not further elaborate, but targets were likely the CJEU (Schrems II judgment) and the European Data Protection Board (post-Schrems II guidelines), as entities purportedly preoccupied with “academic or immaterial” risks. It was also emphasized in the consultation document that in the given country the practices undermining data subject rights may indeed exist in some specific sectors, but not in others, so the transfer to the sectors in which the risk to the data subject is low or immaterial should not be impeded. The United States seems to be the unmentioned example that the government had in mind here. Respondents in the consultation process for the most part seconded the government’s approach, and the Bill reflects it.
Another change the Bill proposes with the aim of relaxing transfer-related rules is the acceptance of administrative redress, as sufficient when assessing the third country for adequacy. In the opinion of the government, “effectiveness of redress is more important than its form”, so judicial redress does not have to be available to the data subjects if non-judicial redress is effective.
What the government almost decided to change – but in the end didn’t
The government initially proposed but considering the consultation feedback ultimately dropped the plan to limit the obligation to report data breaches to the supervisory authority. Under the UK GDPR Article 33 (1), all breaches, including those which present a low risk, must be notified, with the resulting over-reporting and the significant workload on the part of the supervisory authority. The government proposed to increase the reporting threshold to a material risk to the individuals. Respondents in the consultation for the most part disagreed, arguing that the true severity of a breach may not be known from the start, or that minor breaches in one organisation result in a serious breach if the whole sector repeats the same mistake.
Most respondents in the consultation process did not share the government’s view that repetitive use of derogations for specific situations should be permitted. Respondents were concerned that flexible use of derogations may negatively impact data subject rights. The government decided not to pursue this reform.
In the September 2021 document “Data: A new direction”, the government did not include the processing of personal data necessary for human resources (HR) functions in the limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the so-called balancing test. Some respondents suggested however that HR functions should be added to the list. In the response on 23 June 2022 to its data consultation, the government stated that it would not go beyond the initially limited number of processing activities. That means that for other processing activities, including HR processing, undertaking the balancing test will continue to be required.
Comment
Although some commentators have tended to downplay the reach and importance of the changes pursued by the UK government in the regulation of data processing, the changes – as embodied in the Bill – seem to be substantial. The Bill introduces major changes in the matters much discussed and of real-life importance, including the definition of personal data, the freedom of the data controllers to decide whether to consult with the supervisory authority, the management of internal data protection activities, the use of cookies on an opt-in or opt-out basis, and the permissibility of data transfers to third countries. If these provisions become the law, it will be very interesting to see whether the changes will gradually prod lawmakers in other jurisdictions into following the path.