On 18 July 2022, following its recent response to the public consultation on the reform of UK data protection law (see our blog post on the response here), the UK Government introduced its draft Data Protection and Digital Information Bill (the “Bill”) to the House of Commons.

The Bill is 192 pages, and contains 113 sections and 13 Schedules, which amend and sit alongside existing law (the UK GDPR, Data Protection Act 2018 (“DPA”), Privacy and Electronic Communications Regulations 2003 (“PECR”), the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, etc.). Some readers’ immediate reaction might be to query whether the Bill will simplify the legislative framework for businesses operating in the UK and facilitate the goal of the Information Commissioner to provide “certainty” for businesses. Time will tell. The Government’s publication of a Keeling Schedule (essentially a redline of the UK GDPR and DPA 2018 showing the changes resulting from the Bill), expected in the Autumn, will be welcome.

Much of the content of the Bill was previewed in the Government’s consultation response and includes proposed changes that are designed to reduce, to some extent, the administrative burden on business. The Bill is by no means a radical departure from existing law, however, and in some key areas – such as data transfers – the law will essentially remain the same. But we now have additional important details on the proposed changes to UK data protection law, and we set out in this post our immediate thoughts on some of the details that are worth highlighting.

Processing activities with a ‘recognised legitimate interest’

Schedule 1 to the Bill sets out the types of processing activities which the Government has determined have a “recognised legitimate interest”, and which will not require a legitimate interest balancing test to be carried out. This list may come as a disappointment to some as it is not as broad as the UK Government’s original consultation envisaged. The list includes processing personal data for the purpose of detecting, investigating, or preventing crime; disclosures to people carrying out tasks in the public interest (e.g., responding to non-binding requests for data from law enforcement authorities); and a fairly broad category of processing necessary for the purposes of “democratic engagement”.

This list is not static, however: the Bill grants the Secretary of State for Digital, Culture, Media & Sport the power to amend or add to the list of recognised legitimate interests through secondary legislation.

Amended rules on “compatible” processing, including purposes deemed compatible with the original purpose

Section 6(3) of the Bill indicates that where a controller wishes to process personal data for a new purpose, and determines that the new purpose is compatible with the original purpose(s), it will still need to establish a valid legal basis. This is a departure from the current position under the UK GDPR, where Recital 50 expressly states that no new legal basis is necessary in these circumstances. This could increase the burden on controllers, who in some circumstances would need both to (a) assess whether a new use of data is compatible with the original purposes, and (b) conduct a separate legitimate interests assessment.

In addition, Schedule 2 to the Bill introduces a list of processing purposes which will by default be considered compatible with the original processing purposes. These purposes are similar to the ‘recognised legitimate interests’ mentioned above, meaning that, in addition to these purposes being deemed “compatible”, controllers will not need to conduct a balancing test in relation to them. The list also contains some additional purposes, including processing for the protection of the vital interests of data subjects and processing that is necessary for compliance with a legal obligation (in addition to the existing presumption that processing for scientific and historical research, archiving, and statistical purposes is compatible).

Broad scientific research definition

At the heart of the UK Government’s approach to data protection reform was the idea that data protection rules should not restrict scientific research and development. The consultation response indicated that the UK Government would create a statutory definition of “scientific research” based on the language of Recital 159 GDPR. The Bill does this, but reframes the language from Recital 159 in a way that arguably broadens the scope to cover “privately funded…technological development or demonstration” (s. 2). It is possible that private companies’ internal product development and improvement could, therefore, be captured by this definition. This could give companies greater scope to use existing data for product development, as Article 6(4) GDPR presumes that scientific research will generally constitute a compatible purpose.

Less prescriptive GDPR accountability obligations

As previewed in the Government’s consultation response, the Bill removes the requirement for companies to appoint a data protection officer (“DPO”), and replaces it with a requirement to appoint a “senior responsible individual” (“SRI”) (s. 14). The SRI has a similar role and tasks to a DPO under the GDPR, but without, for example, such strict independence requirements. In addition, an SRI is only required to be appointed where there is processing that is likely to result in a high risk to the rights and freedoms of individuals. In any event, John Edwards, the Information Commissioner, has stated that the ICO will still take account of whether companies have appointed a DPO when conducting investigations, and that he expects companies whose activities involve a lot of data processing to appoint a DPO.

The Bill also replaces existing obligations to conduct data protection impact assessments and maintain records of processing with similar, but arguably less prescriptive requirements (ss. 17-18). For example, an “assessment of high risk processing” will need to contain only “a summary of the purposes of the processing”, and not “a systematic description of the envisaged processing operations and the purposes of the processing”, as is required under the EU GDPR. In addition, the content requirements for records of processing are arguably more flexible, although controllers and processors must assess what is appropriate in light of, among other things, the nature, purposes, scope and risks of the processing.

Notably, the Bill replaces the obligation to consult the ICO if an assessment reveals a high risk arising from the processing with an option to do so (presumably because, as the UK Government noted in its response to the consultation, compliance with the obligation is patchy).

Specified situations where cookies can be used without consent

Section 79 of the Bill introduces one of the most discussed reforms to the UK’s Data Protection regime, permitting the use of cookies for what the Explanatory Notes term “purposes that are considered to present a low risk to people’s privacy”. The Bill will allow the use of cookies without consent (albeit subject to certain conditions) for ‘non-intrusive’ specific purposes, namely first-party analytics, enabling website functionality, software security updates, or for emergency assistance (and with scope for the Secretary of State to expand that list). Although this does not do away with cookie consent entirely, the Bill empowers the Secretary of State to require a specific person to develop or make available a mechanism that allows users’ consent choices to be honored across different websites or services.

The purposes for which cookies can be used without consent are similar to those set out in the proposed EU ePrivacy Regulation. Unlike the Council of the EU’s proposals for the ePrivacy Regulation, the Bill does not include any provisions that would enable electronic communications service providers to use communications data for additional purposes.

Greater penalties for PECR breaches and additional direct marketing-related obligations on communications service providers

As set out in the consultation response, the Bill will align the potential penalties for breaches of PECR – including the direct marketing rules – with those set out in the GDPR. In addition, the Bill would require providers of services that enable direct marketing to inform the ICO if they have “reasonable grounds to believe” that their service is being used to infringe these rules. It is not clear, however, in what circumstances such grounds would arise.

Removing the prohibition on automated decision-making in Article 22 GDPR

The Bill will amend Article 22 GDPR to grant data subjects rights to specific safeguards in relation to covered automated decision-making (e.g., rights to human review and to contest decisions), rather than imposing an outright prohibition subject to exceptions (s. 11). This may give controllers more scope to rely on the legitimate interests legal basis for automated decision-making, but there is also a specific obligation on controllers to provide information about specific decisions to data subjects, which arguably goes beyond the existing requirements.

A new Information Commission, and new approaches to enforcement

Consistent with the Government’s consultation response, the Bill would abolish the Information Commissioner’s Office as currently constituted and replace it with a body corporate called the Information Commission, with the same functions as the current Information Commissioner but with a different structure and subject to greater oversight from the Government (ss. 101 and 102). Interestingly, the Commissioner, John Edwards, has reportedly indicated in recent speeches that the Commission may take a new approach to enforcement, may focus on restoration for victims of infringements, and may look to make binding rulings about business practices or questions of law outside the context of an investigation.

Additional provisions

The Bill also covers matters quite separate from the UK GDPR, the DPA and PECR, including rules around digital verification services (ss. 46-60), how overseas trust services will be recognised (ss. 87-91), and how the Government can create rules through secondary legislation to mandate Open Data schemes such as Open Banking (ss. 61-77). It also empowers the Secretary of State to pass regulations to implement data sharing agreements for law enforcement purposes (s. 93).

Next steps

The Bill was formally introduced to Parliament on 18 July, and has not yet been the subject of any scheduled debate. Parliament is now in recess and will return on 5 September 2022, by which point there will be a new Prime Minister, so there is scope for the Bill to change as it progresses through Parliament. The Bill is expected to take around 9 months to complete its passage through Parliament, meaning it could receive Royal Assent in Spring 2023. The Covington team will monitor developments and can answer any further questions about the Bill or the legislative process.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Paul Maynard

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly changing rules, such as the GDPR and cross-border data transfer rules; and regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Tomos Griffiths

Tomos Griffiths is a Trainee who attended Durham University