UK data protection law update – October 2022
19/10/22 – After the uncertainties regarding post-Brexit transfers of data from the UK to third countries, the International Data Transfer Agreement (IDTA) finally came into force on 21st March 2022. Since then things have been a bit calmer. Or at least until a couple of weeks ago when the Secretary of State for Digital, Culture, Media and Sport, Michelle Donelan, announced at the Conservative party conference that the government proposes to replace GDPR with a ‘consumer-friendly British data protection system’.
This update looks at the changes to UK data protection law that are currently being considered by Parliament and recent progress being made with post-Schrems II transfers of personal data to the U.S., and finishes with some thoughts on Michelle Donelan’s announcement.
Data Protection and Digital Information Bill
Last year the government announced a plan to create an ‘ambitious, pro-growth and innovation-friendly data protection regime’ for the UK, and following an extensive consultation the Data Protection and Digital Information Bill (‘DPDI Bill’) was introduced to Parliament on 18 July 2022.
The DPDI Bill proposes a number of changes to the UK GDPR and Data Protection Act 2018. Despite the government’s lofty goals, most if not all of the changes can probably best be characterised as relatively minor adjustments and, with the exception of changes to the law on cookies, will make little difference to the majority of businesses. Changes proposed by the DPDI Bill include:
- Clarification of the definition of ‘personal data’. Whether an individual is or can be identified is to be determined only from the perspective of the controller, the processor and any third party who will likely receive the information, rather than by absolutely anyone in the whole world. Also, when assessing whether data has been sufficiently anonymised (and not just pseudonymised), only additional information that is available ‘by reasonable means’ needs to be considered, rather than all information that could be obtained irrespective of effort.
- When a controller is considering legitimate interests as a lawful basis for processing personal data and, as part of that exercise, assessing whether the controller’s interests outweigh those of the data subject, the controller may now rely on a list of ‘automatic’ legitimate interests. Although the list may be extended by the Secretary of State, it is currently limited to ‘public interest, national security, public security and defence, emergencies, safeguarding vulnerable individuals and democratic engagement’. Until it is extended the list will therefore be of limited help to most businesses.
- A new test for the transfer risk assessment carried out before transferring personal data from the UK to a third country. Instead of verifying whether the level of protection required by UK law is applied in the third country (the ‘essentially equivalent’ test), controllers can take a risk-based approach based on outcomes, assessing whether the level of protection in the third country is ‘not materially lower’ than that provided in the UK. The new test will also apply to the Secretary of State when making an adequacy determination.
- The requirement for certain organisations to designate a Data Protection Officer (DPO) is replaced with an obligation for public bodies and organisations carrying on ‘high-risk processing’ to appoint a Senior Responsible Individual (SRI), who must be part of the organisation’s senior management. For most organisations this will simply be a rebadging exercise.
- The requirement to carry out a Data Protection Impact Assessment (DPIA) to determine whether proposed processing may result in a high risk to data subjects and, if so, to consult with the Information Commissioner’s Office (ICO) is replaced with a requirement to carry out an ‘assessment of high-risk processing’, with consultation with the ICO being voluntary.
- Controllers may currently refuse to respond to a data subject request which is ‘manifestly unfounded or excessive’. This test is replaced in the DPDI Bill with ‘vexatious or excessive’. I expect I’m not the only one wondering how much of a difference this will make in practice.
- The ICO is renamed the Information Commission, and is given a broad range of new duties, including to promote innovation and competition.
- Website operators are currently required to obtain user consent for all cookies unless they are ‘strictly necessary’ for the functioning of the website. This is extended to cookies used for installing necessary security updates, ensuring user preferences are followed, and collecting information for statistical purposes to make improvements to the services, with a right for the user to opt out.
Progress of the DPDI Bill has however stalled. Its second reading in Parliament was postponed on 5th September 2022 following the announcement of Liz Truss’s leadership victory. And, in light of Michelle Donelan’s recent announcement, the bill could of course be abandoned altogether.
Transfers of personal data to the U.S.
Perhaps the thorniest issue for controllers and processors since the CJEU’s Schrems II decision is whether – and if so how – they can lawfully transfer personal data to the U.S. By way of a reminder, the CJEU in Schrems II invalidated the U.S.-EU Privacy Shield as a transfer mechanism, and then made it clear that EU data exporters cannot rely on Standard Contractual Clauses (SCCs) for transfers to the U.S. without addressing the lack of safeguards for data subjects as a result of U.S. signal surveillance activities. The UK in effect inherited the Schrems II problem under the EU-UK Withdrawal Agreement.
The EU and the U.S. have however now made good progress. On 7th October 2022 President Biden signed an Executive Order (EO) which adopts a number of measures to limit U.S. signals surveillance activities, provides individuals with the right to have such activities reviewed and creates a mechanism for individuals to obtain redress. The EO also implements the EU-U.S. Data Privacy Framework announced earlier this year, in effect a relaunch of the Privacy Shield as a transfer mechanism for EU-U.S. data transfers. In response the European Commission stated that the actions set out in the EO will “address the concerns raised by the Court of Justice of the European Union in the Schrems II decision”, and the Commission is now expected to make the EU-U.S. Data Privacy Framework the basis of an adequacy determination for the U.S. Pending the adequacy determination, the new safeguards confirmed in the EO are already helpful to EU organisations carrying out a transfer impact assessment to assess whether they can use SCCs to transfer EU personal data to the U.S.
On the same day as the EO was signed, Michelle Donelan and the US Secretary of Commerce issued a joint statement announcing ‘significant progress on UK-US data adequacy discussions’. In particular, the UK will continue to work to conclude its adequacy determination for the U.S., and the U.S. will work to designate the UK as a qualifying state under the EO, which would give UK data subjects equivalent protections to those that are now afforded to EU data subjects. No indication was given of how long this work will take, but it will almost certainly be months rather than weeks. In the meantime, UK organisations proposing to export personal data to the U.S. will want to consider the progress being made on the UK-U.S. data adequacy discussions when carrying out their Transfer Risk Assessments.
Replacing the GDPR
Michelle Donelan’s announcement that the government will be replacing the GDPR, adding for good measure that ‘it is time we seize this post-Brexit opportunity fully and unleash the full growth potential of British business’, went down well with the audience at the Conservative party conference. It’s perhaps unlikely however that many people in the audience were familiar with the detail of the GDPR, and the challenges of creating a data protection regime which achieves the right balance between freedom to use individuals’ personal information and the privacy rights of those individuals.
The reality is that the GDPR is now considered internationally to be the gold standard for data protection and privacy, with the GDPR model being adopted by a number of countries implementing or updating their own data protection laws (at least 17 countries according to one commentator). Having a data protection regime which is ‘essentially equivalent’ to the EU GDPR is also a condition for securing (or in the case of the UK maintaining) an EU adequacy status, which in turn allows the free flow of personal data to and from the EU. Any new ‘British data protection system’ which diverges significantly from the EU GDPR would jeopardise the renewal of the UK’s EU adequacy status in 2025. So whilst Michelle Donelan’s announcement may have gone down well with the pro-Brexit diehards, and we may see further adjustments along the lines of those proposed in the DPDI Bill, I expect the GDPR will be with us for a while yet.