Once more, with feeling: the return of the Data Protection and Digital Information Bill

The Data Protection and Digital Information (No.1) Bill was announced in the Queen’s Speech 2022, introduced to the House of Commons in July 2022 but withdrawn before its second reading following the ascension of Liz Truss. Ministers took the opportunity to tinker with the text (“co-design process with business leaders and data experts”) and the Data Protection and Digital Information (No.2) Bill was introduced to the House of Commons on 8 March 2023. The narrative behind the Bill remains that of seizing “the post-Brexit opportunity to ‘create a new UK data rights regime tailor-made for our needs’”, boosting the economy by £4.7 billion over the next decade by reducing regulatory burden.

The changes introduced by the Bill can be tricky to discern, because it is not self-contained but rather amends the Data Protection Act 2018 (‘DPA 2018’), the UK General Data Protection Regulation (‘UK GDPR’) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’). A few of the highlights include:

• Amending Article 6 (1) of UK GDPR to introduce defined ‘recognised legitimate interests’ (including for ‘democratic engagement, ‘[preventing/detecting] crime’ and ‘safeguarding vulnerable individuals’) as a lawful basis for processing, which do not need to then be balanced against the rights and freedoms of subjects;
• Providing examples of ‘legitimate interests’ (which do require a balancing exercise to be conducted) including direct marketing without explicit consent (but with the customer retaining the right to object to marketing). These interests are not novel, but their specific enumeration is intended to give additional confidence and certainty to data controllers;
• Simplifying the rules around the use of personal data for scientific research and technological development. In line with Artificial Intelligence being in the news, the Bill also further addresses restrictions on automated decision making;
•  Adding section 12A to UK GDPR which allows a controller facing a “vexatious or excessive request” (usefully, a non-exhaustive list of factors to identify such a request is provided) under Articles 15-22 and 34 (which importantly include data access, rectification and erasure requests) to charge a reasonable fee for dealing with the request or to refuse to act on the request;
• Amending PECR: (i) to require public electronic communication service and network providers to report (reasonably suspected) unlawful direct marketing activity and (ii) to cut down on consent ‘pop ups’ on websites;
• Increasing the fines for nuisance calls and texts to be either up to four per cent of global turnover or £17.5 million, whichever is greater;
• Cutting down the duty to keep records of personal data processing to ‘high risk’ processing only.

The Government suggests that controllers already compliant with data protection legislation will not need to do more to comply (e.g. existing mechanisms for international data transfers remain valid), and compliance in the future will be easier. The Bill must walk the tightrope between being sufficiently interventionist not to be dismissed as mere ‘tinkering’, but also not so radical as to risk the EU’s crucial adequacy decision in respect of the UK’s data protection regime. Some industry organisations (e.g. the Data and Marketing Association) and the Information Commissioner have welcomed the reintroduction of the Bill, but how it fares (in its current form) during the Parliamentary process remains to be seen. The Government states that this new regime “maintains data adequacy with the EU”, but the final call in that respect will be made in Brussels, not London.

---

Authors

Alex Ustych

Call 2010

Aaron Moss

Call 2013

Other articles in this edition

S166: concerned with the journey, not the destination 

---