Data Protection and Digital Information Bill: Evolution not revolution

The Data Protection and Digital Information Bill (the "Bill") was initially proposed in order to reduce the compliance burden on organisations by updating and simplifying the UK's data protection framework. The Bill was first introduced on 18 July 2022, however, the parliamentary review of the Bill was put on hold following the introduction of Liz Truss as the new Prime Minister, and it is not yet clear whether it will be pushed through again under Rishi Sunak's government, and if so, when this will take place.

In any event, it is still expected that the Bill will be reintroduced in the near future. Whilst we cannot say for certain what the Bill will look like when it is finally approved, there are certain aspects of it which are generally understood to be key within the Bill and therefore these are points which organisations should be aware of and may warrant consideration and planning for once the certainty of the Bill is confirmed.

Cookies and Tracking Technologies ('Cookies')

The Bill seeks to introduce a change to current Cookie legislation which would permit organisations to place analytics Cookies on users' devices (which would gather statistical information on the user e.g. Google Analytics) without their consent, where such information is to be used with a view to improving the service provided by that organisation (such as the functionality of the organisation's website). At present only "strictly necessary" Cookies can be placed on devices without consent. Users will still need to be given the opportunity to object/opt out to such Cookies.

Currently Cookies can be a compliance headache for organisations, however this change may allow them to make use of aspects of data which they may not have previously accessed to benefit both their businesses and their customers.

International Data Transfers

Proposals made in the Bill indicate that organisations will be permitted to take a risk-based approach when assessing the impact of transferring personal data internationally, as well as permitting the Department for Digital, Culture, Media and Sport (DCMS) to make new adequacy decisions on behalf of the UK, utilising the same risk-based approach. The intention is to simplify the process surrounding international data transfers, which in turn could incentivise international trade from and to the UK.

When the Bill was announced it was made clear that the DCMS would be prioritising an adequacy decision for the US (Privacy Shield 2.0), along with other jurisdictions such as Australia and Singapore.

Data Subject Access Requests

The Bill provides for amendments to the grounds on which organisations will be able to refuse to respond to, or charge fees for responding to, data subject access requests (DSARs) in their entirety, where it is determined that such requests are "vexatious or excessive". This would replace the current threshold of "manifestly unfounded". Additionally, the Bill included examples of "vexatious" and "excessive" DSARs, however there is not sufficient detail for organisations to clearly understand when a DSAR meets this threshold, and we expect further guidance to be issued by the ICO once the Bill has been passed.

The hope is that the Bill will make dealing with DSARs more manageable for organisations in the future, however the current draft fails to provide organisations with much of a lifeline in dealing with the high volumes of broad DSARs that we are seeing.

Accountability Framework

Several changes have been proposed under the Bill in an attempt by the government to reduce certain administrative burdens on organisations in complying with the UK GDPR. These changes include:

  • Replacing the requirement for organisations to have a DPO (where relevant) with an individual responsible for management of that organisation's privacy framework.
  • Removing the need for data protection impact assessments (DPIAs) and allowing organisations to assess privacy risks in their own way.
  • Raising the threshold four requiring organisations to report data breaches to the ICO.

The Bill also seeks to introduce a requirement for organisations to maintain "privacy management programmes", which is something that organisations have not previously had to have. However, the government has said that in most instances if an organisation is already complying with its obligations under the UK GDPR, the organisation would not need to make any changes to comply with the Bill.

Legitimate Interests

The lawful basis of legitimate interests is to be reformed under the Bill, with a recognised "white-list" of legitimate interests being provided by the government which, when relied on,  would not require a legitimate interest assessment to be carried out. However, the list that has currently been proposed is limited and organisations will still have to carry out legitimate interest assessments for processing activities for the majority of their processing activities which rely on legitimate interests as a lawful basis.

In addition to the points raised above, there are some more technical changes being proposed in the Bill, such as an amendment to the definition of "personal data" which, if implemented, could be beneficial to organisations by making it easier to achieve anonymisation. There is also a proposal to reform the Information Commissioner's Office by renaming it the Information Commission and providing it with new duties such as safeguarding public and national security.

It is worth noting that the changes proposed in the Bill are not huge departures from the UK GDPR in its current form. Departing too far from the position in the European GDPR runs the risk of the UK losing its EU adequacy status, which would dramatically impact on the flow of data between the UK and Europe.

It is not clear how much of the Bill, as we have seen it, will come to fruition when it is brought back for Parliamentary review, however it is highly likely that it will bring about changes to the data protection landscape and organisations need to be ready for when that happens.

We will provide further guidance on the status of the Bill when it is available, however if you have any questions, please do get in touch with our privacy team.