The Government's proposal to update the UK data protection framework through the introduction of the Data Protection and Digital Information Bill (No. 2) has been championed as a key part of the Government's post-Brexit strategy to move away from burdensome EU laws and create a more competitive, pro-innovation environment in the UK.
However, if the UK position moves too far away from the EU standard, it risks losing its data protection "adequacy" status, which allows organisations to move data seamlessly between the EU and the UK.
Therefore, rather than bring about a wholesale reform of the UK data protection regime, the Bill introduces a set of clarifications to give businesses and other organisations more certainty in specific situations. For example, organisations that use personal data for research or journalism will now have more clarity on how they can use personal data lawfully for these purposes.
The Bill also aims to reduce the administrative burden on organisations relating to:
- record keeping (which would now apply only to organisations conducting high risk processing),
- the requirement to appoint a data protection officer (which would be replaced by a requirement to appoint a "senior responsible individual" for businesses carrying out high risk processing), and
- the requirement to appoint a representative in the UK for international businesses (which would be removed altogether).
Some of the biggest changes in the Bill relate to automated decision-making. In particular, the Bill seeks to make it easier for businesses to use automated decision-making without meaningful human involvement in low-risk scenarios (such as personalising a user's experience), while providing safeguards for situations where the automated decision could have a significant effect on the individual (such as whether they proceed to a next stage in a recruitment process).
However, possibly the most significant development for businesses and individuals alike introduced by the Bill is increasing the maximum level of fines for nuisance calls and messages from £500,000 to £17.5 million or 4% of the global annual turnover (whichever is higher). The Information Commissioner's Office (ICO), which enforces data protection legislation in the UK, has previously not shied away from fining businesses that make nuisance calls and send nuisance messages and emails.
It is therefore likely that the ICO's beefed-up powers might focus the attention of marketing teams on ensuring compliance with the UK direct marketing rules.
Many individuals might also welcome the proposed changes to cut down on the number of cookie banners online. This change might benefit not only individuals fed up with the constant pop-ups seeking their consent, but also businesses that are already familiar with configuring their cookie banners for users in different countries to comply with local requirements.
The Bill has received generally positive feedback from the industry because the Government has sought to reassure businesses which invested resources to comply with the current data protection regime (such as to comply with increasingly complex rules on cross-border data transfers) that they will not need to duplicate their efforts by having to overhaul their compliance programmes to comply with the changes introduced by the Bill.
However, the proposals in the Bill will primarily benefit smaller, UK-focussed businesses, which will welcome the additional clarity about the circumstances in which personal data can be processed and the proposed reduction in the onerous record keeping requirements (and the associated compliance costs) that existed under the old EU GDPR.
For most larger, particularly international, businesses that aim to run their global data privacy compliance programs in a joined-up, standardised way, this latest development is unlikely to bring many benefits and represents yet another change that they will need to address in the constantly evolving international data privacy landscape.
Finally, the Bill also paves the way for the Government to recognise more countries as offering an "adequate" level of data protection, thereby making it easier for businesses to transfer personal data to such countries. The Government has shown its eagerness to incorporate discussion about data adequacy into its post-Brexit trade deal negotiations.
However, the biggest challenge on the data protection front remains to be solved – how to make it easier to send personal data from the UK to international jurisdictions such as the USA, India, China and other places without prejudicing the UK's ability to conduct data transfers with the EU.
Originally Published by Business Reporter, 5 May 2023
© Copyright 2023. The Mayer Brown Practices. All rights reserved.