
The Changes to Data Protection in the UK

On July 18, 2022, the U.K. government introduced the Data Protection and Digital Information (DPDI) Bill to Parliament. Previously known as the Data Reform Bill, it is the result of a consultation held in 2021, and its aim is to update and simplify the U.K.'s data protection framework. According to the U.K. government, the new legal framework created by the DPDI Bill will reduce burdens on organisations while maintaining high data protection standards. Note that at this stage it is a Bill, not an Act: its provisions may still be amended as it passes through Parliament.

 

A document published by the IAPP breaks down the proposed changes to data protection in the U.K. that would result from the DPDI Bill. Our current law mirrors the EU GDPR, so the new framework will contain elements that move away from the EU legislation. The question is how far it will deviate. This article discusses some of the more important differences; the full IAPP document, which lists all of the changes, is referenced at the end.

 

In addition to highlighting the differences between the old and the new, the IAPP document also provides some analysis of what the changes might mean in practice. For each change it considers three questions:

 

  1. Whether the U.K. approach is more or less onerous than the EU provision. 
  2. Whether applying the EU interpretation in the U.K. will be compliant. 
  3. Whether there is an advantage in relying on the U.K. approach.

 

It also sorts each change into one of three categories:

 

  1. Positive impact for ease of compliance 
  2. Neutral impact for ease of compliance
  3. Negative impact for ease of compliance

 

We'll take a look at the changes with a positive impact first.

1. Definitions

 

 

EU Law Provision

 

Article 4 and Recital 26 (Definition of personal data):

 

The EU GDPR applies to ‘personal data.’ Personal data is defined as any information relating to an ‘identified or identifiable’ individual. An identifiable individual is one who can be identified directly or indirectly. To determine whether an individual is indirectly identifiable, account should be taken of all the means ‘reasonably likely’ to be used, such as singling out, either by the controller or by another person. Anonymous data is data that is not related to an identified or identifiable natural person, and is not in scope of the Regulation.

UK Approach

 

Clause 1(3) (Definition of personal data):

The DPDI Bill retains the same basic definition. However, it further clarifies when data relates to an identified or identifiable individual and when it should be considered anonymous. Information is only considered identifiable by a person other than the controller or processor if that other person will, or is likely to, obtain the information as a result of the processing. If that other person will not, or is not likely to, obtain the information, it is treated as anonymous information.

 

Practical Analysis

 

The U.K. approach reduces uncertainty as to when data counts as anonymised, in a way that is likely to benefit the controller. Applying the EU interpretation in the U.K. will be compliant. There is a marginal advantage in relying on the U.K. approach.

     

2. Principles and lawful grounds of processing

 

 

EU Law Provision

 

Article 6(1)(e) and (f) (Lawfulness of processing):

 

The EU GDPR requires that all processing has a lawful ground. One of these lawful grounds is that the processing is necessary for the purposes of the legitimate interests of the controller or a third party, and those interests are not overridden by the interests or fundamental rights of the data subject. Relying on this lawful ground requires a balancing test, conducted on a case-by-case basis.

 

An alternative legal basis is where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

 

UK Approach

 

Clause 5 and Schedule 1, Annex 1 (Lawfulness of processing):

 

The DPDI Bill removes the need to assess whether processing for certain 'recognised' legitimate interests is overridden by the interests or rights of the data subject.

 

These 'recognised' legitimate interests are laid out in Annex 1, and a procedure is set out for the U.K. government to add to the list in the future. The current list focuses on 'public interests' such as national security, public security, defence, emergencies, preventing crime, safeguarding and democratic engagement.

 

Practical Analysis

 

The U.K. approach removes the requirement to conduct a balancing test when processing for a legitimate interest listed in Annex 1. Applying the EU interpretation in the U.K. will be compliant. The U.K. approach makes it simpler to process data for recognised legitimate interests, but note that the exemption only applies to interests on the Annex 1 list; any other legitimate interest still requires the balancing test.

 

Next, we'll look at some examples of changes with a neutral impact on ease of compliance.

 

     

1. Definitions

 

 

EU Law Provision

 

Article 4 and Recital 33 (Consent for scientific research):

 

The EU GDPR requires that where consent is relied on as the lawful basis for processing, the consent must be given for a specific purpose of processing.

 

This can cause challenges in the context of exploratory scientific research, where it may not be possible to fully identify the objective of the research at the outset. 

 

The main body of the EU GDPR does not provide a solution to this, although Recital 33 notes that individuals should be allowed to consent to areas of research where this is in keeping with recognised ethical standards, and that individuals should be given the option of consenting only to part of the research where practical.

 

UK Approach

 

Clause 3 (Consent for scientific research):

 

The DPDI Bill moves the substance of the recital into the body of the U.K. GDPR but does not substantively alter its meaning.

 

Practical Analysis

 

The U.K. approach does not alter the intent of the existing EU recital, but placing it in the body of the legislation gives it binding force and therefore additional legal certainty. Applying the EU interpretation in the U.K. will be compliant.

   

2. Data Subjects Rights

 

 

EU Law Provision

 

Article 22 (Automated decision-making):

 

The EU GDPR provides data subjects with a right not to be subject to decisions based solely on automated processing, including profiling, which have legal or similarly significant effects, subject to certain exemptions.

 

A controller carrying out solely automated decision making under this provision must also implement certain measures to safeguard the data subject, such as providing the right to obtain human intervention.

 

UK Approach

 

Clause 11 (Automated decision-making):

 

The DPDI Bill substitutes the whole of Article 22 with a new provision under which solely automated decision-making is only restricted, and subject to certain conditions, where it involves the processing of special category data.

 

The safeguards that apply to solely automated decision-making have been clarified and arguably expanded. They include an obligation for controllers to provide the data subject with information about the decisions, and measures must be put in place to enable the data subject to make representations about the decisions, obtain human intervention and contest the decisions.

 

The definition of 'solely automated' is also clarified to mean decision-making that involves no meaningful human involvement.

 

Practical Analysis

 

The U.K. approach relaxes the restrictions on the use of solely automated decision-making but makes the safeguards owed to data subjects more explicit. The EU approach would be broadly compliant in the U.K., although organisations will need to check whether they are providing sufficient information to data subjects about solely automated decisions. Overall, the U.K. approach makes it marginally simpler to comply with the rules on solely automated decision-making.



Finally, we'll take a look at some changes that will have a negative impact on ease of compliance.

1. Research Safeguards

 

 

EU Law Provision

 

Article 89 (Safeguards for processing for research purposes):

The EU GDPR contains various exemptions where personal data is processed for scientific or historical research or statistical purposes. In order to benefit from these exemptions, 'appropriate safeguards' must be applied to the processing.

 

The EU GDPR specifies that these safeguards must ensure respect for the principle of data minimisation, for example by pseudonymising or anonymising data where possible, but leaves EU member states to elaborate on what additional safeguards might be necessary.

 

UK Approach

 

Clause 22 (Safeguards for processing for research purposes):

 

The DPDI Bill maintains the focus on data minimisation as a safeguard. It also mirrors existing provisions in the U.K. Data Protection Act 2018 by specifying that the processing must not be likely to cause substantial damage or distress to the data subject, and that the processing must not be carried out for the purposes of taking measures or making decisions with respect to a particular data subject (except for approved medical research). The DPDI Bill also enables the U.K. government to introduce further safeguards.

 

Practical Analysis

 

The U.K. approach is more onerous than the EU provision, in that it introduces specific additional safeguards which must be complied with. Applying the EU interpretation in the U.K. will not alone ensure compliance. Controllers relying on the research or statistical exemptions in the U.K. will need to confirm they have applied each of the specified safeguards.

 

2. Privacy and Electronic Communications Directive 2002/58/EC, as amended by Directive 2009/136/EC of the European Parliament and of the Council (ePrivacy Directive)

EU Law Provision

 

Article 15a (Duty to notify the Commissioner of unlawful direct marketing):

 

The ePrivacy Directive leaves the powers of supervision and enforcement to member states to determine; they are therefore not specified at EU level, and no equivalent notification duty exists in EU law.

 

UK Approach

 

Clause 85 (Duty to notify the Commissioner of unlawful direct marketing):

 

The DPDI Bill introduces a duty on providers of public electronic communications services and networks to report to the Information Commissioner suspicious activity relating to unlawful direct marketing. Alongside it, a new power is introduced for the Information Commissioner to issue fines of up to 1,000 pounds to service providers and network providers who fail to comply with this duty.

 

Practical Analysis

 

The U.K. approach goes beyond what is strictly required by EU law. Applying the EU position in the U.K. will not necessarily be sufficient for providers of electronic communications services and networks. U.K. providers will need to introduce new processes to detect and report suspicious activity relating to unlawful direct marketing.

 

We recommend reading the full document published by the IAPP, which gives more examples of the proposed changes and further analysis of each one.