data sharing code of practice

On the 8th March 2023, the Data Protection and Digital Information (No. 2) Bill was introduced to Parliament by Michelle Donelan, Secretary of State for Science, Innovation and Technology, but what does this mean for UK businesses?

This replaces the previous draft of the Bill, which was introduced back in July 2022, and is said to provide a ‘simpler and clearer’ data protection and privacy regime for businesses to navigate. The government has also boldly claimed that this new regime will save British businesses “billions”.

With many businesses having already invested heavily into their data protection and privacy practices in recent years, many will ask what this new Bill proposes. This article aims to summarise the key takeaways.

Does this bill propose a wholesale replacement of our current data regime?

Rather than replacing the existing UK framework, this bill seeks to amend the UK GDPR, Data Protection Act 2018 and Privacy of Electronic Communications (EU Directive) Regulations 2003 (PECR) and will need to be read along side those retained laws.

Definition of Personal Data

As with version one, the new bill seeks to amend the definition of personal data by introducing additional elements for qualification as follows:

  1. The information must identify an individual by reasonable means at the time of processing; or
  2. The controller or processor “knows, or ought reasonably to know, that another person will, or is likely to, obtain the information as a result of the processing and the individual will be, or is likely to be, identifiable by that person by reasonable means at the time of processing.

This amendment places more credence on the position of the controller or processor when assessing if the data constitutes personal data.

Record of Processing Activities

The Bill removes the requirement for many data controllers to keep records of their processing activities. Instead, the requirements for record keeping will only apply to data controllers that carry out processing activities that are a ‘high risk to the rights and freedoms of data subjects’.

Legitimate Interests

The Bill varies how legitimate interests can be applied as a lawful basis. At present, a three-part test needs to be met to rely on the lawful basis of legitimate interest. The new bill removes the need to conduct this test for certain ‘recognised’ purposes covering national security; emergencies; crime; safeguarding; and democratic engagement. In addition to this list, certain activities are identified as “necessary for the purpose of a legitimate interest” but still require a balancing test.

Subject Access Requests

The Bill allows a controller to refuse to comply with data subject requests in circumstances where it is ‘vexatious or excessive’ which aims to replace the threshold of ‘manifestly unfounded’ or ‘excessive’ requests. As with the current law, a controller may still impose charge a fee for handling such requests.

Examples of requests that may be vexatious under the Bill include requests that are intended to cause distress, are not made in good faith or are an abuse of process.

Research

The Bill aims to clarify language in the UK GDPR with a view to helping researchers in their use of personal data. It would allow for the re-use of personal data for the purpose of longer-term research studies.

Privacy and Electronic Communications Regulations (PECR)

The Bill would change to the Privacy and Electronic Communications Regulations 2003, relating to confidentiality of terminal equipment (e.g. cookie rules), unsolicited direct marketing communications (e.g. nuisance calls), and communications security (e.g. network traffic and location data).

For example, the requirement to obtain consent for the use of cookies and other tracking technologies has been removed in the circumstances where cookies are used for certain improvement, functionality and security/emergency reasons.

The fines for a breach of PECR could also increase to match the fines of a severe breach of the UK GDPR. In practice, this could, in extreme circumstances, result in fines of 4% global annual turnover or £17.5m (whichever is highest) for nuisance calls and texts.

Transfers Mechanisms

As a reassurance to organisations that are already making international data transfers, the Bill states that any transfer mechanisms lawfully entered into before the Bill is introduced will still apply.

The Information Commission

The Information Commissioner would be replaced by a board of executive members appointed by the Secretary of State and non-executive members appointed by executive members. Although the Bill includes provisions to ensure no conflicts of interests with government, it still raises concerns that the relationship will compromise independence of the commission.

We’ve invested in UK GDPR compliance, will we need to spend more on compliance?

It is true that if you are currently compliant with the UK GDPR, then you will also be compliant with this new Bill. That said, the Bill itself has just been introduced to parliament and is therefore still subject to change. Furthermore, it is unlikely that compliance with the UK regime will lead to compliance in the EU. Therefore, controllers and processors will need to assess the suitability of applying any new domestic regime. For example, if a business is subject to both EU and UK regimes, it may opt to comply with the one EU standard for consistency purposes (rather than try and manage two differing regimes).

Whatever the future is for data protection in the UK, it is clear that the government are pushing for a business-friendly regime post-Brexit. How this regime will look at royal assent remains to be seen.

In short, we shall see what happens! On to the second reading we go…