On 23 October 2024, a new Data (Use and Access) Bill (Data Bill) had its first reading in the House of Lords - see here for a copy and here for the UK Government’s factsheets on the Bill.
On 24th October, the UK Information Commissioner’s Office (ICO) announced that they “welcome the introduction of the Data Use and Access Bill in the House of Lords and look forward to seeing it progress through parliament to Royal Assent”. John Edwards, Information Commissioner said: "This is an important piece of legislation which will allow my office to continue to operate as a trusted, fair and independent regulator and provide certainty for all organisations as they innovate and promote the UK economy. Our response to the bill will be published in due course.”
On first reading, our thoughts are that the Data Bill reintroduces numerous provisions of the previous Government’s Data Protection and Digital Information Bill (DPDIB), which was close to being passed into law before the General Election in July 2024, but didn’t quite make it in time.
Some of the perhaps more controversial provisions that were anticipated under the DPDIB have been dropped, and a number of new proposals have been added to the new Data Bill.
There is lots of information to ponder (260+ pages), and no doubt changes will spring up as this new Data Bill continues its journey through the parliamentary process. In the meantime, it appears, as the King's speech suggested it would, to introduce "targeted reforms".
We’ve highlighted our top 10 stand-out points below.
Watch this space for updates, and please do get in touch if you would like to chat about how specific aspects of the proposed changes might impact your business.
1. Personal Data, Legal Basis & Purpose Limitation
The Data Bill:
- Gives powers to the UK Secretary of State to make changes to the types of data which are special category data. This may be intended to help future proof the legislation, but we suspect practitioners will be worried about the potential impact of this power.
- Revives the concept of certain "recognised legitimate interests" being set out in law. Where this is the case, it is proposed that no Legitimate Interest Assessment will need to be carried out, as processing will be deemed to have been carried out for that recognised interest. These recognised legitimate interests, assumed to be "legitimate by default", are to include a smaller list than was previously proposed under the DPDIB but includes processing:
  - Where it is necessary for: safeguarding national security, protecting public security, for defence purposes, for the purposes of responding to an emergency (as set out in part 2 of the Civil Contingencies Act 2004), for the prevention, detection or prosecution of crime, or for safeguarding a vulnerable individual (see Schedule 4 of the Data Bill).
  - Of personal data for direct marketing, which is itself to be legally defined as the communication (by whatever means) of advertising or marketing material which is directed to particular individuals (see Sections 70(11), 109(2) and Schedule 11(2)(2) of the Data Bill).
  - For intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes (see Sections 70(11) and (12) of the Data Bill).
  - That is necessary for the purposes of ensuring the security of network and information systems (see Sections 70(11) and (12) of the Data Bill).
  Suggestions under the previous DPDIB to include processing by political parties and elected representatives for the purposes of "democratic engagement" have been dropped.
- Like the previous DPDIB, sets out conditions where a new processing purpose will be automatically deemed "compatible" with the original purpose for which the data was collected.
- Proposes changes relating to processing personal data for research purposes, including the application of the purpose limitation to such research activities. It will take more time to digest these changes and consider how these might benefit our client organisations.
2. Privacy Notices and Transparency
Controllers often satisfy transparency requirements under Articles 13 and 14 of the UK GDPR by providing "privacy notices" to data subjects, to explain in detail how they process their personal data.
The Data Bill suggests that privacy notices will not need to be given in situations where personal data is collected directly from individuals, where providing the information "is impossible or would involve a disproportionate effort", and gives examples of factors that might be taken into account when considering whether there would be a "disproportionate effort". These include, for example:
- The number of data subjects.
- The age of the personal data.
- Any appropriate safeguards applied to the processing.
Similar changes are proposed where personal data is collected indirectly about the data subject.
This is a fairly fundamental change to the current requirements to provide such privacy notices. As such, the changes are likely to be subject to careful parliamentary scrutiny, especially in relation to:
- Ensuring EU adequacy for data transfers is not threatened by a perceived weakening of a data subject's right to information and to transparency generally. The existing UK-EU adequacy agreement enables personal data to move freely between the UK and EU. This agreement is set to expire in 2025 and will require renegotiation. If it is perceived that the UK has diverged too far from the EU GDPR, this could threaten the existing pathway for compliant data transfers and would have an inevitable impact on controllers trying to do business across borders.
- Considering the impact of the changes in particular use cases, such as when using Artificial Intelligence (AI) e.g. web-scraping to train Large Language Models (LLMs).
3. Data Subject Access Requests (DSARs)
The DPDIB previously proposed to change the existing DSAR concept of "manifestly unfounded and excessive" to "vexatious"; this change appears to have been scrapped.
However, the new Data Bill now plans to set out in law:
- The "reasonable and proportionate search" obligations, which are currently set out in guidance from the ICO and in previous court decisions. This should help organisations challenged by data subjects demanding an unreasonable level of searches.
- A requirement for data subjects to identify:
  - Themselves as a requestor; and
  - Which information or activities the search relates to, e.g. where a controller "processes a large amount of information concerning the data subject".
In these situations, the 'clock would stop' for controllers supplying responses to DSARs until the information is received from the data subject. Although this is already commonly accepted practice, setting this out in law should help provide clarity for all parties.
4. Automated Decision Making (ADM) and Artificial Intelligence (AI)
The Data Bill (like the DPDIB before it) proposes changes to processing using ADM. The changes mean that organisations could potentially use ADM more easily than under the EU GDPR. Under the new Data Bill, organisations would, for example, only need to show consent or that the processing is required for a contract or legal compliance, where special category data is used. Individuals would retain existing rights to object to the processing and to require human intervention.
Proposed amendments are likely to be particularly relevant to the use of AI. The UK Secretary of State is to receive new powers to introduce additional safeguards as required.
Some more analysis is required on what the impact of this is likely to be in relation to automated decisions made using other types of non-special category personal data.
5. International Data Transfers
The Data Bill retains the previous DPDIB proposals to introduce a data protection test to assess whether the third country or international organisation that personal data is to be transferred to has a standard of data protection which is not materially lower than that of the UK. The test will provide a set of criteria by which the UK Government will assess third-country data protection adequacy. Controllers and processors may also be able to refer to the test in certain circumstances. More detailed analysis of these changes will follow in a later article.
6. A new Complaints Procedure
The Data Bill introduces the concept of a new statutory complaints procedure which controllers would be required to issue to data subjects. Controllers would also be required to respond to complaints received within 30 days.
The new Bill also suggests that the Secretary of State could pass specific regulations to require controllers to notify the ICO of the number of complaints they've received. Only time will tell how challenging this could be, for instance in situations where clients complain vexatiously or without reasonable grounds. Query how useful this information would be to the regulator in practice.
7. The ICO
Following on from the previous proposals in the draft DPDIB, the Data Bill proposes that the UK’s current Information Commissioner (a "corporation sole") will become an Information Commission, with an appointed Chief Executive.
Perhaps more controversially, the Data Bill has also revived the proposal that the UK Secretary of State will have considerable influence over the Commission, e.g. in terms of the number of members, the appointment of non-executive members and a requirement to be consulted on the appointment of any new Chief Executive.
8. What else has gone from changes previously suggested under the draft DPDIB?
Some readers will undoubtedly be wondering what other changes proposed by the previous UK Government under the DPDIB have now been dropped by the new UK Government.
It appears at this stage that, in addition to the changes already mentioned in this article, previous DPDIB proposals to remove (or modify) the following have been dropped:
- Requiring the ICO to take account of the government's strategic priorities.
- Changes to the definition of personal data, to the role of Data Protection Officers (DPOs), to Data Protection Impact Assessments (DPIAs), to the role of the UK Representative and to Records of Processing Activities (ROPAs).
- Potential watering down of accountability provisions.
A number of the changes made to the previous DPDIB will perhaps come as a relief to those who were worried such changes could jeopardise the EU adequacy decision permitting data transfers.
For those in multinational organisations who were likely to stick to the (perhaps higher) standard of the EU GDPR in aid of standardisation across their group companies, this will also help to keep their processes streamlined.
9. Amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
There have been much anticipated amendments to the now very dated PECR, which have arguably been awaiting amendment and clarification since the UK GDPR came into force. Some key changes now look set to pull through into the proposed new Data Bill:
Cookies
The new Data Bill revives previous DPDIB proposals:
- Clarifying that cookies will be "strictly necessary" when used to protect information provided in connection with, or relating to, the provision of a service requested, for security purposes, fraud prevention or detection, for prevention or detection of technical faults or in certain situations to enable automatic authentication of the identity of the user or to maintain a record of selections made on a website, or information put into a website, by the user.
- Consent will not be required for first-party cookies (and similar technology) which are used only for website analytics and statistical purposes or in relation to website appearance or functionality.
The term “website” is to include a mobile application and any other platform by means of which an information society service is provided.
The Data Bill enables the UK Secretary of State to introduce regulations to set out other circumstances where cookies might be deployed without opt-in consent being required.
More detailed analysis of these cookie changes will follow in a later article.
SPAM
Currently, when "spam" emails or text messages etc. are sent to large volumes of recipients, those messages that are not actually received by anyone do not count as potentially non-compliant communications. Under the Data Bill, these messages would be treated as being sent to a "recipient", risking greater enforcement action against those who send huge volumes of "spam".
Higher PECR Fines – of up to £17.5m
As has been anticipated for some time, the Data Bill also proposes to revive the previous DPDIB proposal to increase the potential level of fine for breach of PECR to the same level as the existing fines under the UK GDPR - meaning the potential upper level of these fines goes up from £500K to £17.5M for the most serious infringements of PECR.
The Data Bill does not appear to contain provisions set out in the previous DPDIB to allow political parties, elected representatives, charities and not-for-profits more extensive rights to send electronic marketing under a soft opt-in extension.
10. Wider changes
It is worth noting that the Data Bill covers wider issues than data protection law reform. It revives from the previous DPDIB a framework for smart data schemes and digital identity verification services, akin to the open banking movement, across e.g. energy and telecoms. It is also planned to simplify tasks such as home rentals, starting work, and registering births and deaths by legislating on digital verification services and removing the need for paper-based and in-person checks.
The Data Bill is also set to introduce:
- Changes to certain law enforcement data access and retention rules.
- A framework for information standards for health and social care in England, enabling patient personal data to be shared and updated more easily in real time via joined-up medical records and systems. This is likely to need significant investment in the interoperability and capability of the existing systems in place.
There will be wide implications of the proposed new data sharing rules, which are intended to enable greater innovation and create new opportunities while managing risks.
Pritchetts Law has worked extensively on helping our clients understand the potential impacts of legislative change on their organisations' current and planned operations. We offer a pragmatic and commercial approach to balancing data protection requirements with commercial objectives. If you'd like to know more about how we could help, please get in touch.