Autor

Debbie Heywood

Senior Counsel – Knowledge

Read More
Autor

Debbie Heywood

Senior Counsel – Knowledge

Read More

27. März 2023

International update 2023 – 1 von 6 Insights

Take two for the DPDI Bill

What's the issue?

The UK GDPR is substantially the same as the EU GDPR but the government has long targeted it for reform, arguing that the GDPR is unnecessarily complicated and a burden on businesses.

The government introduced the Data Protection and Digital Information Bill (DPDI1) to Parliament in July 2022 after a lengthy consultation process.  It covered reforms to the UK GDPR, Data Protection Act 2018 and PECR, but also:

  • access to customer and business data
  • electronic signatures, seals and other trust services
  • disclosure of information to improve public service delivery
  • sharing of data for law enforcement
  • information standards for health and social care
  • biometric data
  • the role of the Information Commission.

The second reading of the Bill was postponed during the Truss government so that "Ministers [could] consider this legislation" after which the then DCMS Secretary of State Michelle Donelan hinted it would be changed.  You can read more about DPDI1 here.

What's the development?

The newly created Department for Science, Innovation and Technology (DSIT), has published the Data Protection and Digital Information (No.2) Bill (DPDI2).  DPDI2 is largely similar to its predecessor with mostly minimal changes and clarifications.  Unfortunately, it still operates by amending existing legislation rather than producing a complete piece of draft new legislation which makes it hard to digest – we hope a Keeling schedule will be published soon which would effectively show tracked changes.

Points to note about DPDI2 compared with DPDI1 include:

  • Definition of scientific research – DPDI1 included a definition of scientific research lifted largely from the UK GDPR recitals.  Under DPDI2, the definition has been further clarified to specify that it applies whether the scientific research is "carried out for commercial or non-commercial purposes" as well as whether publicly or privately funded.  There is a non-exhaustive list of types of scientific research which has been moved from the recitals to the body of the legislation. Further clarification is added to the concept of research into public health which is only included as scientific research where it is in the public interest.  As before, controllers are not required to notify data subjects that their data is being used for research, archival or statistical purposes where the data has been collected directly from the data subject and to notify them would be impossible or require disproportionate effort.
  • Recognised legitimate interestsDPDI1 provided that in cases of "recognised" legitimate interests, there would be no requirement to carry out a balancing exercise against the rights and freedoms of individuals.  The types of interests which were recognised under DPDI1 were public interests including national security, defence and crime prevention.  DPDI2 does not change this approach but it moves a non-exhaustive list of the types of processing which may be necessary for the purposes of a legitimate interest from the recitals to the body of the new Bill.  This includes direct marketing; intra-group transfers where necessary for internal administrative processes; and processing necessary for ensuring the security of networks and information systems.  The Explanatory Notes further clarify that any legitimate commercial activity can be a legitimate interest provided the processing is necessary and subject to meeting the requirements of the balancing test.
  • Records of processing (ROPAs) – DPDI1 aimed to simplify the current UK GDPR requirement to keep ROPAs, not only in terms of the information to be recorded, but by providing an exemption for SMEs not carrying out high-risk processing.  DPDI2 goes significantly further.  It removes the SME exemption and provides instead that ROPAs are only required where high-risk processing is being carried out.  The ICO is required to publish examples of processing likely to pose a high risk to the rights and freedoms of individuals. 
  • Automated decision making – DPDI1 introduced a new definition of solely automated decision-making to the effect that it was solely automated processing involving no human intervention.  DPDI2 adds that when considering whether or not there is meaningful human involvement in taking a decision "a person must consider, amongst other things, the extent to which the decision is reached by means of profiling".  There is provision for the Secretary of State to make regulations on this subject. This addition is somewhat unclear as to what the role of profiling plays and whether, in itself, it indicates an automated decision subject to Article 22 restrictions. 
  • International data transfers – DPDI1 introduced a new data protection test for assessing adequacy.  This has not changed but the government has further clarified that that transfer mechanisms lawfully entered into before the new Bill comes into effect will continue to be valid and can be relied on going forward so there will be no need for updates. 
  • PECR, direct marketing and cookies the provision of soft opt-in for direct marketing for non-commercial activities and other changes introduced under DPDI1 remain, including a new duty on providers of public electronic communications networks to notify the ICO of any reasonable grounds of suspicion of unlawful direct marketing, with penalties for non-compliance,  The ICO is required to publish guidance on what constitutes reasonable suspicion, and the Explanatory Notes make it clear that this does not constitute a monitoring duty or an obligation to intercept or inspect communications.  There are no changes to DPDI1 proposals on cookies.  Significantly increased fines for breach of PECR-equivalent regulations are also retained.

The government has also published a summary of key EHCR issues under the Bill and information standards for health and social care.

What does this mean for you?

The more than six month delay between publication of DPDI1 and DPDI2 does not seem to have resulted in significant changes, therefore pleasing neither those who thought the Bill did not move far enough away from the UK GDPR, nor those who wanted to see less divergence.

For those organisations already compliant with the UK GDPR, few changes will be necessary, although in some cases, they may be desirable, especially where businesses are not also required to comply with the EU GDPR.  Nonetheless, there are significant changes and cross-EU border businesses will need to adapt to parallel regimes.

The government continues to assert that the planned changes to the UK data protection regime will not jeopardise EU adequacy although no confirmation of that has been made by the EU. The Secretary of State has considerable scope in the area of data exports so much will depend on whether the government chooses to effectively grant UK adequacy (although the terminology is not the same as the EU's) to countries not similarly approved by the EU.

DPDI2 is considered likely to have a relatively smooth path to enactment given some of the government's original, more radical proposals were dropped following the initial consultation period, and is likely to pass this year. The application date will be set out by the Secretary of State with enabling provisions coming in immediately and a number of sections (including in relation to representatives of controllers or processors not established in the UK) coming in two months after the Bill becomes law.

In dieser Serie

Technologie-, Medien & Kommunikationsrecht

Take two for the DPDI Bill

Debbie Heywood looks at the latest proposals for changing UK data privacy law following the publication of a second Data Protection and Digital Information Bill.

27. March 2023

von Debbie Heywood

Daten & Cyber-Sicherheit

China: A practical insight into China SCCs and their impact on businesses

Michael Tan, Julian Sun, Paul Voigt and Wiebke Reuter look at what China's new SCCs mean for businesses looking to export personal data from China to the EU.

24. April 2023

von mehreren Autoren

Daten & Cyber-Sicherheit

Preparing for 1 July 2023 in the USA: two new state privacy laws come online, are you ready?

Liisa Thomas of Sheppard Mullin Richter & Hampton LLP summarises the complexities of the USA's patchwork approach to privacy regulation.

15. May 2023

Daten & Cyber-Sicherheit

Rewriting India's decades-old technology laws in 2023

Trilegal's Nikhil Narendran and Karishma Sundara look at the changes ahead for India's data and technology regulatory framework.

15. May 2023

Daten & Cyber-Sicherheit

Canada's 2023 data privacy landscape

Borden Ladner Gervais' Elisa Henry, Candice Hévin, and Marguerite Rolland look at the laws which make up Canada's data privacy regulatory framework.

15. May 2023

The most sweeping reforms to Australian privacy law in over twenty years

MinterEllison's Sonja Read, Susan Kantor, Christina Graves, Helen Lauder and Paul Kallenbach look at the proposed reforms to Australia's Privacy Act 1988.

10. May 2023

Call To Action Arrow Image

Newsletter-Anmeldung

Wählen Sie aus unserem Angebot Ihre Interessen aus!

Jetzt abonnieren
Jetzt abonnieren

Related Insights

Technologie-, Medien & Kommunikationsrecht

Data and cyber security - 2023 roundup

11. Dezember 2023

von Debbie Heywood

Klicken Sie hier für Details
Technologie-, Medien & Kommunikationsrecht

Radar - 2023 roundup

11. Dezember 2023

von Debbie Heywood

Klicken Sie hier für Details
Technologie-, Medien & Kommunikationsrecht

ICO publishes final guidance on data protection and monitoring workers

Can employers monitor their workers, how and to what extent?

23. Oktober 2023

von Debbie Heywood

Klicken Sie hier für Details