Maintaining data ‘adequacy’ – the UK’s new DPDI Bill
July 2023 | FEATURE | DATA PRIVACY
Financier Worldwide Magazine
July 2023 Issue
Data is fundamental to fuelling economic growth across the globe. Pervading all areas of society, data can unlock medical breakthroughs, help people travel, manage their finances and shop online. It is also vital to the development and use of innovative technologies.
In the UK, data is no less important. In 2021, data-driven trade generated 85 percent of the UK’s total service exports and contributed an estimated £259bn to the economy. Yet despite this muscle, to a large extent the UK remains shackled by legislation such as the European Union’s (EU’s) General Data Protection Regulation (GDPR).
In a move designed to reform the UK's data protection regime following Brexit and loosen its ties to the GDPR, on 8 March 2023 Michelle Donelan, the UK secretary of state for science, innovation and technology, presented the Data Protection and Digital Information (No. 2) Bill (the DPDI Bill) to the UK parliament – legislation that the government says will help businesses comply with new data laws while retaining the best elements of the GDPR.
Intended to be a more flexible and less burdensome regime, as well as easy and inexpensive to implement, the Bill will impact individuals and private and public sector organisations, and be of particular benefit to small and medium-sized enterprises (SMEs). It is also hoped that the legislation will entice organisations to bring more business to the UK and encourage innovation.
“Co-designed with business from the start, this new Bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs,” stated Ms Donelan. “Our system will be easier to understand, easier to comply with and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR.”
Indeed, the existing European version of the GDPR takes a highly prescriptive, top-down approach to data protection regulation which can limit organisations’ flexibility to manage risks and places disproportionate burdens on small businesses in particular.
“Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy,” added Ms Donelan.
Indeed, over the next 10 years, these new laws are expected to unlock £4.7bn in savings for the UK economy as well as boost data protection standards so that businesses can continue to trade freely with global partners, including the EU.
Stuttering start
The introduction of the DPDI Bill in March 2023 was not, in fact, the first time the legislation has been presented to the UK parliament. In summer 2022 – amid political upheaval and major ministerial changes – the Bill was introduced but then paused, apparently so that ministers could engage in a ‘co-design’ process with business leaders and data experts.
“The pause was touted as an opportunity for ministers to rethink their approach and engage in a co-design process with businesses, with the promise to devise a more tailored and business-friendly British system of data protection,” explains Katie Hewson, a partner at Stephenson Harwood LLP. “However, the reintroduced Bill did not deliver significant amendments, but more a fine-tune of the first Bill, by clarifying a number of the previously proposed amendments.”
Also of the opinion that the second Bill is more a tweak than a redesign is JP Buckley, a partner at DWF Law LLP. “Some amendments have been made following targeted consultation between the first and second versions of the Bill,” he observes. “There had also been criticism that the changes to the data protection regime were not compatible with maintaining something called ‘data adequacy’ from the EU.”
As defined by the UK Information Commissioner’s Office (ICO), ‘adequacy’, in this context, is a term the EU uses to describe other countries, territories, sectors or international organisations that it deems to provide an ‘essentially equivalent’ level of data protection to that which exists within the EU.
Thus, an ‘adequacy’ decision is a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides a level of protection for personal data equivalent to that within the EU.
“This EU ‘adequacy’ decision allows data about people to flow from the EU to the UK more easily, a significant part of the UK’s service economy,” adds Mr Buckley. “Without that adequacy decision, which was granted during Brexit negotiations, data flows to the UK would be harder to put in place with additional documentation required – thus being a barrier to trade with the UK.”
What has changed?
While perceived by some as being largely the same as its ‘paused’ predecessor, the new DPDI Bill does contain a number of provisions that are expected to simplify the UK’s data protection regime and create a more data-driven and innovation-led economy in the UK.
In its analysis of the DPDI Bill’s provisions – ‘Back to the Future: UK Government publishes new Data Protection and Digital Information Bill’ – Freeths highlights the items listed below as key revisions.
First, facilitating scientific research. The Bill amends the concept of consent so that it can include scientific research purposes that were not fully identified when the original consent was sought from the data subject.
Second, simplifying legitimate interests as a basis for processing data. The Bill introduces a list of ‘recognised legitimate interests’. Organisations that can rely on these recognised legitimate interests would not then have to conduct and record a balancing test before they can rely on the relevant legitimate interest.
Third, increasing fines for direct marketing. The maximum fine for direct marketing would be increased considerably, from the current £500,000 to £17.5m or 4 percent of global annual turnover (whichever is higher), with the government intending to crack down on nuisance calls and texts in particular.
Fourth, replacing the role of the data protection officer (DPO) with a senior responsible individual (SRI). The role of the DPO will be replaced with that of the SRI. Organisations will only need to appoint an SRI where they are a public authority or are otherwise engaged in high-risk processing. As the name implies, the SRI must be a senior person in the organisation but can carry out this role in addition to other functions, as is currently the case with many DPOs.
Fifth, preserving continuity on international data flows. Organisations that transfer data outside the UK will be relieved that the Bill does not significantly change the status quo in this area. Where an organisation has implemented mechanisms to safeguard data, those mechanisms would remain valid after the Bill becomes law.
Sixth, relaxation of cookies rules. As part of the drive to cut ‘red tape’, the Bill relaxes the currently strict rules around website cookies. A website operator would be able to place certain types of statistical, security and location cookies without the need for obtaining the current ‘pop-up’ consents.
Lastly, reform of the UK Information Commissioner’s Office (ICO). The Bill would abolish the UK ICO in its current form and create a new ‘Information Commission’ in its place. The Information Commission will assume the responsibilities of the UK ICO.
“The Bill addresses a number of areas, including, but not limited to, amending the existing UK GDPR version of the EU’s GDPR,” adds Mr Buckley. “Other topics covered outside the scope of the GDPR include setting up digital verification services, enabling more smart data sharing schemes, such as open banking, and setting up electronic-only birth and death records.
“Artificial intelligence (AI) is also being enabled more, with a default position on decisions taken about people automatically changing from being prohibited unless conditions are met to being allowed subject to some safeguards,” he continues. “Organisations struggling with the burden of vexatious data subject access requests will welcome a newly lowered exemption entitling them to refuse such requests, which are often disruptive and time consuming when ‘weaponised’ in a contentious employment or consumer context.”
Less convinced as to the depth of the changes is Chloe Kite, a managing associate at Stephenson Harwood LLP. “The Bill does not bring sweeping data protection reform and still closely follows the EU GDPR, as the UK tries to toe the line between maintaining its ‘adequacy’ status for the personal data it receives, while providing a more business-friendly data protection environment,” she contends. “Instead, it makes certain clarifications and specific carve-outs to the existing regime and attempts to tackle some of the issues that can arise, based on five years’ experience of the GDPR in practice.”
More than ‘adequate’
Still in the early stages of its legislative development, the Bill must clear several more hurdles before it enters into force, so scope remains for further amendments before it gains Royal Assent and becomes law.
For the moment, however, data professionals are closely examining the DPDI Bill’s 200-plus pages of provisions to determine the extent to which the proposed legislation will enhance data protection and privacy standards in the UK, boost the UK economy and, ultimately, consign shackling EU data laws to history.
“Organisations operating in the UK that process personal data about people in the UK and EU will still need to comply with both regimes, which are likely to diverge even more now, thus causing them potentially greater compliance costs,” suggests Mr Buckley. “We will wait and see how the Bill passes through parliament to see the changes which are finally agreed, and then examine how they can be applied into a global compliance regime which takes UK, EU and other countries’ data protection laws into account.”
For her part, Ms Hewson is confident but cautious. “The aim of the Bill is to update and simplify the UK’s data protection framework while still maintaining high data protection standards, and it looks like it could achieve this,” she opines. “But while the intention is obviously to reduce the burden on UK businesses, it may not make that much difference to those with cross-border operations that also need to adopt any higher EU GDPR standard.
“The question of whether the divergence from EU law will threaten the UK’s data ‘adequacy’ status also still remains; if so, this could also create huge administrative stumbling blocks for UK businesses operating in the EU,” she concludes. “So, while it may have a boost to the UK economy, the jury is still out on just how big that boost could be.”
© Financier Worldwide
BY Fraser Tennant