On 18th July 2022, the Data Protection and Digital Information Bill (Bill 143 2022-23) was introduced in the British House of Commons. If enacted, this new bill would amend the current rules on data protection and privacy in the United Kingdom (UK), by easing the burden on operators.
The second reading of the bill, which was scheduled for 5th September 2022, was postponed due to the sudden change in the leadership of the UK government, which saw Liz Truss take over from Boris Johnson; in the meantime, Rishi Sunak replaced Liz Truss in government. In an official note, the new executive announced that the postponement was essentially due to the decision to give the new team of ministers the opportunity to analyse the issue and the bill itself in greater depth. As a consequence, as of today, the UK's intention to change the data flow management regime inherited from the European Union (GDPR) is clear, whereas the form that this initiative will take in practice is not yet defined. The new bill does not aim to make a tabula rasa of the European framework, but intends to push it towards regulatory liberalisation and simplification while still ensuring high standards of protection and security.
The project looks very ambitious and, to date, it is difficult to predict its success, since the bill is still at a preliminary stage: it has only been submitted for a first reading in the House of Commons. Nevertheless, the goals the British government wants to achieve were openly stated in the Impact Assessment conducted by the Department for Digital, Culture, Media and Sport (DDCMS), published on 6th July 2022. More precisely, the bill aims to create a data protection regime that:
1) Supports and promotes competition and innovation in a way that fosters economic growth;
2) Maintains high standards of data protection without creating unnecessary obstacles;
3) Keeps pace with the rapid innovation of data-intensive technologies;
4) Helps businesses in using data responsibly, without uncertainties or risks, both in the UK and internationally;
5) Makes it easier for public bodies to share vital data, improving the delivery of public services.
In concrete terms, to realise the above objectives, the bill proposes the following major innovations:
1) A new regime on the review of data access requests, so-called ‘DSARs’ (DSARs are requests made by individuals to know which of their personal data have been collected by a particular organisation). Specifically, the aim is to allow organisations to refuse ‘vexatious or excessive’ DSARs or charge a fee for replying. This would depart from the EU's current GDPR framework, which requires organisations to respond to all requests except those that are ‘manifestly unfounded’.
2) A new accountability regime. The bill proposes the replacement of ‘Data Protection Officers’ with ‘Senior Responsible Individuals’ (SRIs). SRIs must be members of the organisation's management. The SRI will have to carry out security assessments of data processing based on the risk posed by the individual processing operation. This would allow privacy to be managed more flexibly, taking into account the specifics of the activities carried out by each organisation, as well as the nature of the data processed. In addition, foreign organisations subject to the extraterritorial provisions of the new bill should no longer need representatives in the UK.
3) A new regime on the regulation of cookies. Consent requirements for cookies would be relaxed in certain circumstances, minimising the ‘pop-up’ consent requests that appear to internet users on a daily basis;
4) A new definition of personal data. The bill proposes a new section that would limit the definition of personal data to the circumstances characterising every specific data transfer. Thus, data would be considered to be personal in the following scenarios:
(a) The controller is able to link and identify a person through the processing of information;
(b) The controller knows or should know that the third party receiving the information following the transfer might be able to identify the person to whom the data belong.
It is therefore evident that the proposed amendment would confine the assessment of identifiability to the controller and the third party receiving the data following the transfer, departing from the ‘anyone in the world’ criterion currently envisaged by the GDPR. This is an often-debated point, although the proposed amendment only seems to implement the position that the CJEU took in Patrick Breyer v. Bundesrepublik Deutschland in 2016;
5) A new regime for international data transfers. The DDCMS will have much more discretion in determining whether a foreign jurisdiction offers a comparable level of protection to that guaranteed by the UK data processing legal framework. If so, the UK will be free to establish free data trade regimes with new jurisdictions by issuing ‘adequacy decisions’.
It is exactly this last point that raises the greatest concerns. After Brexit, the EU issued an ‘adequacy decision’ towards the UK under which free trade of data was maintained between the two.
The fact that the UK may in the near future, in its attempt to liberalise its data protection regulation, recognise as adequate jurisdictions that the EU does not consider as such could push the latter to revoke the ‘adequacy decision’ mentioned above. If this were to happen, the disruption of the free exchange of data with the EU would cost the UK an estimated £210 million to £410 million in lost revenue from data exports. These losses would outweigh the gains that the reform would bring, which, in the DDCMS Impact Assessment, were estimated to be between £80 million and £160 million per year.
Likewise, it could also be the case that the reform currently being approved by the UK will lead to a simplification of requirements for operators and that, if this ensures a good level of protection for personal data, the EU may take some cues from it in the next updates of the legislation.
At the moment, all that is left to do is wait for the first moves in this regard by the government led by Rishi Sunak.