The new UK Data Protection and Digital Information Bill
From our Head of Data and Systems, Nick Tusler
What’s happening?
The UK Government is planning to change some of the UK legislation that was inherited from the EU as part of its efforts to realise benefits of the EU exit.
The UK Government’s Data Protection and Digital Information Bill proposes to make changes to the UK Data Protection Act, a piece of legislation that is currently closely aligned with EU GDPR law. The bill is expected to pass through the UK parliament in the Autumn / Winter of 2022.
Opportunities and risks
Changing the UK Data Protection Act is seen as an opportunity to reduce some ‘red tape’ for businesses and help drive innovation in the use of personal data, whilst keeping an appropriate focus on the rights of individuals over the control of their personal data.
The EU GDPR is a significant piece of legislation which ‘sets the bar high’ for the protection of the rights of individuals. However, it could be argued that some of the current EU GDPR and PECR rules are onerous for businesses and counter-productive for individuals. For example, the obligation of the business to comply with the prescriptive requirements of the accountability framework increases time and cost for businesses. The website pop-ups to inform individuals about cookies can be frustrating and interfere with the speed and ease of online services.
However, by changing the UK Data Protection Act, there’s a risk of diverging too far from the EU GDPR. If the EU decides that the UK’s bill significantly dilutes the rights of EU citizens, then the UK risks losing its adequacy status from the EU. This would simply replace red tape with more red tape for UK and EU businesses that transfer and process personal data whilst doing business.
Our view on the likely changes
The proposed definition of personal data provides more certainty for business because the onus to pre-empt whether data becomes personal in the future has been removed. It does this by limiting the definition to whether an individual can be identified at the time of processing, only by the controller or processor, rather than by anyone in the world at any other time. However, does this leave a gap where data could be used in the future to identify individuals, for example by combining other data?
The reform of the accountability framework is welcome. We like the way that accountability remains but there is greater flexibility as to how assessments will be made and record keeping carried out. This is particularly beneficial for smaller agile businesses.
We also like the way that essential cookies will no longer require consent, potentially removing the need for pop-ups for some websites. This can only make those websites easier to use and a nicer place to visit for individuals.
We are of course supportive of the UK Government’s attempts to reach an agreement for transfers of personal data with the US that satisfies the need to safeguard personal data of non-US citizens.
There are other changes in the bill that we don’t anticipate affecting our business, for example, a pragmatic approach to exempting some processing from the need for a business to carry out its own legitimate interest balancing test.
Like many businesses in the UK with important clients based in the EU, we are most concerned that the UK legislation stays sufficiently aligned with the EU legislation so that the UK maintains its status as an adequate territory. We understand that there is an intent to do this and an ongoing dialogue between the UK and EU with this objective in mind. Divergence too far will not be helpful for UK business and will not provide the same assurances for UK data subjects.
We are planning contingencies for the unexpected outcome that the UK Data Protection Bill is not deemed adequate by the EU. If this were to be the outcome, TCB is ready to provide alternative operating models to assure all our European clients that we will continue to be well-placed to provide our services in a way that is fully compliant with EU legislation.
TCB continually stays on top of legislative changes and monitors how they impact our clients to ensure we provide the right support and advice in privacy and data protection matters.