Following the UK Government’s publication of its response to the DCMS consultation on the Data Reform Bill last month (see our blog post on this here), the UK Government has published and introduced to Parliament a 192-page draft text which now has a new name: the Data Protection and Digital Information Bill. The new bill is accompanied by a set of Explanatory Notes.
The new bill is broken up into six parts (data protection, digital verification services, customer data and business data, other provisions about digital information, regulation and oversight, and final provisions) and, as promised in last month’s consultation response, it contains provisions which serve to amend rather than replace the existing UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003.
Clarification of existing legislation
In terms of the drafting itself, the new bill largely reflects the UK Government’s plans set out in the consultation response and so there are few surprises. Our overall impression is that it seeks to clarify the existing legislation in ways that are sometimes welcome. For example, Article 12A (relating to data subject rights) replaces the vague concept of “manifestly unfounded or excessive” with “vexatious or excessive” and provides examples of requests that meet this threshold. In addition, Article 22 (relating to automated decision making) now defines what amounts to a “significant decision” and what a “decision based solely on automated processing” is by making explicit reference to meaningful human involvement.
Accountability and governance provisions
In contrast, the sections which serve to amend a number of the “accountability and governance” obligations currently set out in the UK GDPR are surprisingly cumbersome given that they are intended to streamline compliance for UK organisations. The requirement to appoint a DPO has been replaced with the requirement to designate a “senior responsible individual”, a role for which the qualifying threshold is lower and the requirements are almost as prescriptive. The requirement to maintain records of processing activities has been replaced with a requirement to maintain “records of processing of personal data”, which cover very similar ground. While the concept of “assessment of high risk processing”, which replaces the requirement to conduct data protection impact assessments, is less prescriptive about what needs to be addressed in the document recording the assessment, such documents are likely to cover very similar ground to existing forms of data protection impact assessment conducted by organisations caught by the UK GDPR.
Flexibility for change
Perhaps symptomatic of the short timescales within which the new bill has been drawn up, the UK Government has given itself some flexibility in relation to the contents of the legislation by giving the Secretary of State the power to amend certain aspects of the legislation directly and to set out variations through secondary legislation. Areas which might see further change during the lifetime of the new bill include the scope of what amounts to a significant decision for the purposes of Article 22, the current exemptions set out in Schedule 1 of the DPA 2018 (no changes to these have been proposed in the current version of the new bill) and the list of recognised legitimate interests set out in Schedule 1 of the new bill (which currently reads as an uncontroversial list of circumstances in which processing personal data is essential e.g. where it is necessary for safeguarding national security, preventing crime and safeguarding children/vulnerable adults).
We intend to follow the progress of the new bill through Parliament and provide more detailed commentary on all of the provisions (including the proposed changes to the structure of the ICO) in due course.
Proposals to regulate AI
In parallel with the new legislation, the UK Government is also unveiling a set of proposals to regulate the use of AI and machine learning to sit alongside the new bill. The first of the papers to be released as part of these proposals is a new AI paper, which is intended to outline the UK Government’s approach to regulating the technology in the UK. We will be covering these proposals in a separate blog post.