Brexit shook up the European data privacy landscape, as the UK needed to unwind itself from its GDPR member state obligations; since then, multiple iterations have occurred affecting both UK residents and the organizations collecting their data. Initially, the UK GDPR was drafted and applied alongside the Data Protection Act 2018. Last year saw the proposal of the first version of the UK's Data Protection and Digital Information Bill, which made it all the way to its first reading in the House of Commons earlier this month, on the 8th of March, only to be withdrawn and replaced with a second version the same day. The aim of this new bill, according to the UK Government, is to seize the benefits of Brexit, which created an opportunity to update and simplify the UK's data privacy framework. According to the explanatory notes, in the opinion of the Government "some elements of current data protection legislation - the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018 - create barriers, uncertainty and unnecessary burdens for businesses and consumers", which is why it set out to ease organizations' burden of compliance with both the UK GDPR and the Data Protection Act 2018 while also maintaining high data protection standards.
Some of the intended goals of this Bill, as stated by the UK Government, include the following points:
- reforming the regulating authority, the Information Commissioner, by providing what is currently missing, namely “a sufficiently clear framework of objectives and duties in relation to its data protection responsibilities, against which to prioritize its activities and resources, evaluate its performance and be held accountable by its stakeholders.”
- establishing a framework for the provision of digital verification services to enable digital identities to be used with the same confidence as paper documents.
- increasing fines for nuisance calls and texts under the Privacy and Electronic Communications Regulations (PECR).
- updating the PECR to cut down on ‘user consent’ pop-ups and banners.
- allowing for the sharing of customer data, through smart data schemes, to provide services such as personalized market comparisons and account management.
- reforming the way births and deaths are registered in England and Wales, enabling the move from a paper-based system to registration in an electronic register.
- facilitating the flow and use of personal data for law enforcement and national security purposes.
- creating a clearer legal basis for political parties and elected representatives to process personal data for the purposes of democratic engagement.
Like Bill No. 1, it consists of six parts and thirteen schedules, making changes to the UK's data protection framework, regulating the way digital services are provided, and determining the applicable fines.
With this in mind, the Bill proposes a series of changes and clarifications to both the application of the UK GDPR and the Data Protection Act 2018, as follows:
- The definition of ‘personal data’ will include pseudonymised data only if it can be re-identified via reasonable means, understood to mean “any means that the person is reasonably likely to use.”
- Data protection impact assessments will be replaced by what is now called an “assessment of high risk processing” which will need to include “a summary of the purposes of the processing; an assessment of whether the processing is necessary and the risks it poses to individuals; and a description of how the controller intends to mitigate any risks.”
- Both the Data Protection Officer and the UK representative for controllers/processors not established in the UK will no longer be required, with the former replaced by a "senior responsible individual" who must be designated only in cases where high risk processing is conducted.
- Data subject access requests may be refused, or made subject to a fee, if they are vexatious, meaning instances such as where a request is "intended to cause distress", "not made in good faith", or "an abuse of process."
- Unless an organization conducts high risk processing, it no longer has to keep records of data processing.
- In the case of data processing for scientific purposes, the meaning is expanded to "any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity."
- In the case of adequacy decisions by the UK, the standard of protection of the country or international organization for the general processing of personal data must not be “materially lower than the standard of protection under the UK GDPR and relevant parts of the DPA 2018.”
At the time of this article, the Data Protection and Digital Information Bill No. 2 has passed the first reading and is now at the second reading in the House of Commons, one step further towards approval than its predecessor, which only made it through the first reading before being withdrawn. If it passes all five stages in both the House of Commons and the House of Lords, Bill No. 2 will then move on to Royal Assent and go into effect.