Data Reform Bill take 2: How could this affect your business?

2022 saw the proposed reform of the UK’s data protection regime, but fast-forward a few months and the original Data Reform Bill (the Data Protection and Digital Information Bill) has been withdrawn. The Government decided to revisit the original bill in order to adopt a more business and consumer-friendly approach.  

In its place, on 8 March 2023 the Government introduced the revised Data Reform Bill (the Data Protection and Digital Information (No. 2) Bill) (the “Bill”).

The Bill has not departed significantly from positions under the previous bill, with only some limited additions. The content of the Bill has attracted both praise and criticism. Many UK businesses are expected to welcome the changes, with the Bill reducing bureaucracy and providing more autonomy in relation to the use of personal data, with potential cost and time savings as well. However, some are sceptical about whether the Bill goes far enough to achieve its aims and instead are of the view that it creates unjustified complexities by diverging from established GDPR positions without any meaningful reform.

EU data protection legislation will still apply to businesses operating within Europe or processing the personal data of individuals in the EU. As a result, the proposed changes are unlikely to reduce the administrative burden for international organisations or for those UK businesses that process the data of individuals in the EU. These companies would need to continue complying with the current EU GDPR framework, and keeping abreast of two distinct regimes could actually end up creating an increased workload.

We highlight some of the key proposed changes under the Bill, together with their practical impact on businesses that are subject to UK data protection laws. Many of these changes will look familiar from last year’s Data Reform Bill.

Increasing business autonomy

  • Data subject requests. Currently businesses can only refuse, or charge a reasonable fee for complying with, a data subject request if the request is “manifestly unfounded or excessive”. Under the proposed Bill, businesses would instead be able to refuse or charge a reasonable fee for complying with requests on the basis that they are “vexatious or excessive”. Allowing data controllers to refuse or charge for requests because they are vexatious directly addresses one of the key criticisms of the existing data subject request regime: that data subjects can exploit the regime and make requests solely to cause distress or disruption rather than with good faith intentions to exercise their legal rights.

    This amendment would be a useful protection for businesses, but it will be interesting to see how it is used in practice. There is a risk that some data controllers will be quick to categorise a request as vexatious simply because they consider it a nuisance, whilst at the other end of the spectrum some businesses could be hesitant to argue that a request is vexatious for fear of failing to comply with their legal obligation to facilitate data subjects exercising their legal rights.

    Consideration should also be had for data subjects here; this update could impact the ability for individuals to access their personal information and hold companies to account. Giving data controllers greater scope to refuse or charge for requests may mean that it becomes more challenging for data subjects to exercise their legal rights.  
  • International transfers. The Bill formalises taking a risk-based approach to international transfers of personal data, by requiring data exporters to act reasonably and proportionately in applying the “data protection test”. This means that in addition to implementing safeguards such as ICO approved transfer clauses, businesses would need to assess whether the protection provided for data subjects after the transfer has taken place is “not materially lower” than the standard of protection afforded under UK data protection law. The reference to the data exporter acting proportionately when applying the “data protection test” is particularly useful. What is reasonable and proportionate would be determined with reference to the circumstances and the nature and the volume of the personal data being transferred, recognising that the level of analysis required for a lower-risk transfer will be less than that needed for a higher-risk transfer. This aligns with the ICO’s current transfer risk assessment template and supporting guidance.

    Although this risk-based approach would help businesses to navigate transfer risk assessments more easily, where businesses are subject to both the UK and EU data protection regimes their international transfer risk assessments will still need to comply with EU requirements. The ICO’s current transfer risk assessment guidance confirms that it is content for organisations to carry out their transfer risk assessments in line with EU requirements, and for as long as this remains the case, businesses may well opt for an EU-compliant assessment rather than properly utilising the reformed UK process.
  • Data protection impact assessments. The requirement to complete data protection impact assessments has been replaced with the requirement to complete assessments of high risk processing. The threshold for when an assessment needs to be completed remains the same: when a type of processing is likely to result in a high risk to the rights and freedoms of data subjects. However the fields of information that an assessment must include have been simplified, which would provide businesses with greater opportunity to create a risk assessment process that is tailored to their operations.

Reducing bureaucracy for businesses

  • Processing records. The requirement to keep records of data processing would only apply to processing activities which are likely to result in a high risk to the rights and freedoms of data subjects. Previously businesses employing 250 or more individuals were required to keep records for all data processing, something that businesses have struggled to grapple with and keep up-to-date. With records focussed only on high risk processing going forward, businesses would have more resources available to properly record these processing activities and the quality of processing records should improve.
  • Data Protection Officers. The Bill removes the requirement to appoint an independent Data Protection Officer (“DPO”). In its place, businesses that meet the Bill’s threshold must designate a Senior Responsible Individual (“SRI”), who must be a member of senior management, to carry out or oversee data protection compliance tasks.

    On the face of it, removing the requirement for independence would open up more options for businesses. However, it may also increase pressure on members of senior management, who could be expected to take on the role on top of existing responsibilities. The threshold itself should also be noted: an SRI is required if the business is a public body, or carries out processing of personal data which is likely to result in a high risk to the rights and freedoms of individuals. This is a lower threshold than the circumstances that currently require a DPO, meaning the requirement to appoint an SRI would apply to more businesses.

Empowering businesses

  • Cookie consent. In an attempt to tackle “cookie-banner fatigue”, reform of cookie consent requirements has been high on the agenda for some time. At the moment businesses must collect consent from data subjects in order to deploy any cookies or similar tracking technologies unless they are “strictly necessary” to provide the service requested. Under the Bill, businesses would be able to deploy a wider range of cookies without collecting prior consent, including cookies which collect data for statistical purposes with a view to improving the service or website. Data subjects would still need to be given comprehensive cookie information and the opportunity to opt out, which is essential to ensure that they are fully informed about how their online behaviour could be tracked and how they can prevent this.
  • Legitimate interests. The Bill provides some examples of processing that may be necessary for the purposes of legitimate interests (the “legitimate interests examples”) and also introduces a list of pre-determined legitimate interests (the “recognised legitimate interests”).

    Looking first at the recognised legitimate interests: provided that the processing activity is necessary for one of the recognised legitimate interests, businesses would no longer be required to apply the legitimate interests balancing test (i.e. balance their legitimate interest against the data subjects’ rights and freedoms). As it stands, the list of recognised legitimate interests includes processing necessary for emergencies, democratic engagement, prevention of crime, safeguarding vulnerable individuals and national security, public security and defence. The legitimate interests lawful basis would automatically be available for any processing carried out for these purposes. This will allow businesses to make quicker processing decisions with confidence in these circumstances.

    Turning to the legitimate interests examples: these are, as the name suggests, examples only. There is no pre-determination that they will be a legitimate interest, just acknowledgement that they could be, depending on the circumstances. Data controllers will still need to apply the legitimate interests balancing test to reach a final decision. However, the examples given are routine commercial activities undertaken by a high proportion of businesses: processing necessary for direct marketing, intra-group transmission of personal data for internal administrative purposes, and processing necessary for the security of network and information systems. Clarifying that the legitimate interests lawful basis can be used for these processing activities would further empower businesses to make assured processing decisions in these areas.

Enforcement and regulatory oversight

  • PECR fines. The majority of the fines that the ICO issues are for breaches of the Privacy and Electronic Communications Regulations 2003 (“PECR”). PECR governs direct electronic marketing, as well as the use of cookies. At the moment the maximum fine that the ICO can issue for a breach of PECR is £500,000, which is significantly less than the maximum under the UK GDPR. The Bill would increase the maximum fines that can be imposed under PECR so that they are in line with the UK GDPR. For the most serious breaches this would mean fines of up to 4% of global annual turnover or £17.5 million, whichever is greater. Amongst other things, this will increase the importance of ensuring that direct marketing strategies are fully compliant, as there will be a risk of significantly higher fines for nuisance calls and texts.
  • The ICO. Under the Bill the Information Commissioner’s Office would become the Information Commission and the Secretary of State would have increased oversight over the Information Commission’s activities. This raises some concerns regarding the independence of the Information Commission going forward.

Final takeaways

The revised Bill has not lived up to the promises that were made when the initial Data Reform Bill was paused. Many hoped that it would be replaced by more bespoke privacy rules for the benefit of both businesses and consumers. However, there are still positive changes within the revised Bill (many of which were also present within the previous version). These changes will reduce the administrative burden for some businesses, and for those that do not directly feel this benefit because they still need to comply with diverging EU standards, at least the UK data protection regime will be somewhat simplified and easier to navigate.

It is sensible for the UK Government to have taken a cautious approach to data protection reform, to avoid the European Commission rethinking the UK’s adequacy decision so soon after it was granted and putting the free-flow of personal data between the EU and UK at risk.

Businesses should avoid viewing the increased flexibility of the reforms in isolation and ensure that, despite the increased autonomy, they are still exercising sound judgment. As one example, while businesses may no longer need to keep such extensive data processing records, they should consider the consequences of not doing so and whether this would make other tasks more difficult, particularly responding to data subject requests or dealing with a security breach. Businesses must also still ensure they are in compliance with all applicable aspects of privacy legislation, which will ultimately require businesses to have a comprehensive understanding of their data flows.

The Bill will be subject to a debate in the House of Commons at a date to be confirmed and will need to be approved by both Houses of Parliament before it can be adopted into law. Ashfords will continue to monitor the progress of the Bill.

For more information, please contact Hannah Pettit or Heidi Brown in our Data Protection team.
