In a previous article we discussed the changes that occurred within the UK's data privacy framework following Brexit, with an emphasis on the first and second versions of the UK's Data Protection and Digital Information Bill. While the first version made it only as far as its first reading in the House of Commons, the second version had moved through the first reading and on to the second in the House of Commons at the time we discussed its key takeaways.
Currently, the Bill has moved to the Committee Stage within the House of Commons, which suggests it is likely to keep moving forward. The aim of the new Bill, according to the UK Government, is to seize the benefits of Brexit, which created an opportunity to update and simplify the UK's data privacy framework. This came about for two reasons: first, the UK needed to unwind itself from GDPR member state obligations, which resulted in multiple iterations of the framework affecting both UK residents and the organizations collecting their data; and second, in the opinion of the UK Government, "some elements of current data protection legislation - the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018 - create barriers, uncertainty and unnecessary burdens for businesses and consumers."
Because many organizations have built their data privacy processes around the EU's GDPR, this new Bill may bring challenges, but it may also make life easier. Below are some points to consider when comparing the two pieces of legislation. The degree of difficulty of each aspect discussed below is based on research by the International Association of Privacy Professionals (IAPP), which we find insightful.
Controller obligations
- Legitimate interest: according to the Bill, controllers should be able to determine whether the purposes for which they are processing data are legitimate, in light of more examples provided in Article 6 (9) as well as in Schedule 1. Some examples include disclosures to public bodies in the interest of fulfilling a task of public interest; safeguarding of individuals that are vulnerable; or emergencies. See our Guide to Understanding Legitimate Interest in 2024.
Degree of difficulty when compared to the EU’s GDPR: Somewhat easier
- Purpose limitation: the Bill restates this GDPR principle and offers in Schedule 2 a list of purposes that are considered compatible with the original one. Some examples include disclosures to public bodies in the interest of fulfilling a task of public interest; safeguarding of individuals who are vulnerable; emergency responses; the protection of vital interests; tax assessments; or compliance with legal obligations.
Degree of difficulty when compared to the EU’s GDPR: More difficult
- Complaint handling: under Bill No. 2, data subjects have the right to lodge a complaint directly with the controller, which means that controllers are obliged to facilitate this, to implement technical measures for it, and to inform data subjects of this right. Additionally, controllers may be required to report to the ICO on the number of complaints received, and the ICO itself may refuse to accept a complaint until it has had a chance to investigate the complaint-handling process of the relevant controller.
Degree of difficulty when compared to the EU’s GDPR: Slightly more difficult
- Data protection impact assessments: as previously mentioned, data protection impact assessments (DPIAs) will be replaced by what is now called an "assessment of high risk processing", which will need to include "a summary of the purposes of the processing; an assessment of whether the processing is necessary and the risks it poses to individuals; and a description of how the controller intends to mitigate any risks." What this means for controllers is that only those whose entire business focuses on high-risk processing activities will need to keep data processing records, and the obligation to consult the ICO about unmitigated high risks becomes optional.
Degree of difficulty when compared to the EU’s GDPR: Easier
International data transfers
According to the Explanatory Notes, international data transfers “can drive commerce, support research and innovation, and help people to stay socially connected to one another” which is why the Bill aims “to facilitate international trade by providing a clearer and more stable framework for international transfers of personal data, [...] to continue ensuring high standards of protection when people’s data is transferred overseas,” which entails that “the data protection tests will focus on the data protection outcomes provided for data subjects, irrespective of form.”
For that reason, in the case of adequacy decisions by the UK, the standard of protection of the country or international organization for the general processing of personal data must not be "materially lower than the standard of protection under the UK GDPR and relevant parts of the DPA 2018." At the moment most organizations rely on SCCs for their transfers of personal data, but Bill No. 2 would change that by allowing organizations to broaden the scope of what they consider when assessing the safety of low-risk data transfers. Instead of a standard adequacy decision, the Bill offers the option of a data protection test based on an assessment made by the Secretary of State, who must decide whether the standard of protection is materially lower than that of the UK GDPR, based on more flexible factors such as respect for the rule of law and human rights, the presence of and powers granted to a supervisory authority, or any relevant international obligations. What is more, factors such as a country's traditions or culture, or the desirability of data transfers to and from the UK, may be considered when conducting the data protection test.
Degree of difficulty when compared to the EU’s GDPR: Easier
e-Privacy
- Cookie consent: cookie consent requirements are changed by the Bill to allow certain types of processing in situations where this would pose a low risk to users' data privacy. As such, Regulation 6 of the PECR would be modified to allow processing for the following purposes:
  - Analytics that would help improve website performance or the quality of the information society service (ISS), defined the same way as in the EU's GDPR - "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services."
  - Optimizing the display of content in line with the user's preferences, such as when content display is adjusted to the screen size.
  - Updating software installed in the terminal equipment, where the update in question is necessary "to ensure the security of the terminal equipment, [...] the update will not result in an alteration of a setting affecting the privacy of information stored, [...] and the subscriber or user is provided with clear and comprehensive information about the purposes of the update."
Degree of difficulty when compared to the EU’s GDPR: Easier
- Email marketing: Regulation 22 of the PECR allows email marketing only to existing customers on the basis of an opt-out, where the contact details of the data subject were obtained in the context of a sale or a negotiation with the goal of a sale. This means that charities and non-commercial organizations risk being penalized, as the way they obtain contact details does not fit the PECR's context. What the Bill changes in this respect is that charities and other non-commercial organizations will be able to make use of the soft opt-in mechanism as long as the contact details were obtained "in the course of the recipient expressing an interest in or offering or providing support for the furtherance of that objective or a similar objective" of the charity or non-commercial organization.
Degree of difficulty when compared to the EU’s GDPR: Easier