The UK Government recommenced its efforts to reform the UK data protection regime by introducing the aptly named “Data Protection and Digital Information Bill (No.2)” (“Second Draft Bill”) to Parliament on 8 March 2023. The full text of the Second Draft Bill can be found here and an accompanying set of Explanatory Notes can be found here.
The Second Draft Bill supersedes the version of the Bill that was introduced in July 2022 (see our blog post on this here) (the “First Draft Bill”) but was paused in September so ministers could rethink their approach and engage in a co-design process with businesses, promising to devise a more “tailored”, “truly bespoke” and “business-friendly” British system of data protection.
So, what changes have been made to the Bill since we last saw it in July? Despite ministers hinting that significant amendments would be made to the draft text (or even that the whole draft text would be scrapped), the Second Draft Bill serves to fine-tune and clarify a number of the proposed amendments set out in the First Draft Bill to existing UK data protection laws, namely the UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which will continue to form the overall UK legal framework (subject to the Retained EU Law (Reform and Revocation) Bill receiving Royal Assent – see below).
We outline the further changes proposed in the Second Draft Bill below:
- Legitimate Interests condition
Schedule 1 of the First Draft Bill set out a list of recognised legitimate interests where the balancing test did not need to be undertaken. This list read as an uncontroversial list of circumstances in which processing personal data is essential (e.g. in the context of safeguarding national security and preventing crime) and has not been expanded in the Second Draft Bill. Instead, examples of types of processing that may be “processing that is necessary for the purposes of a legitimate interest” (and in relation to which the balancing test will still need to be undertaken) have been added to the front end of the Second Draft Bill. This list includes processing necessary for the purposes of direct marketing, intragroup transmission of personal data for internal administrative purposes and ensuring the security of network and information systems. The inclusion of “direct marketing” in this list has not been accompanied by a consequential change to PECR, meaning that all of the rules that currently apply to electronic marketing under PECR, including the obligation to obtain consent or rely on soft opt-in consent for email marketing, will still apply.
- Scientific Research
UK data protection laws include an exemption which allow organisations to disapply certain provisions of the UK GDPR when processing personal data for scientific research purposes and a new definition of “scientific research” was introduced under the First Draft Bill, which included anything that “could reasonably be described as scientific”. The Second Draft Bill expands the definition of “scientific research purposes” to explicitly include both commercial and non-commercial activities, which will be helpful to research businesses.
- Record Keeping
Despite the UK Government’s promise to cut down “pointless paperwork for businesses” with its data protection reforms, the First Draft Bill replaced the requirement for organisations to maintain records of processing activities with a requirement to maintain “records of processing of personal data” which covered very similar ground. Under the Second Draft Bill, however, controllers and processors will be exempt from the duty to keep records of processing unless they are carrying out high risk processing activities. We will need to wait for ICO guidance to provide examples of processing activities that are deemed to be high risk but it is likely that will be determined with reference to the nature, scope, context and purposes of the processing.
- Duty to Report
The Second Draft Bill introduces a new and relatively limited obligation on electronic communication service providers to notify the ICO of any reasonable grounds they have for suspecting that a person is contravening or has contravened the direct marketing rules with potential penalties for non-compliance. We will need to wait for ICO guidance in order to determine what will amount to “reasonable grounds for suspicion” but the Explanatory Notes do confirm that electronic communication service providers will not be expected to intercept or examine the content of communications in order to comply with this obligation.
- Automated decision making
The reframed and slightly more flexible approach adopted in the First Draft Bill in relation to automated decision making has been retained in the Second Draft Bill (we have previously looked at the implications of these changes in a journal article, which can be found here). The Second Draft Bill adds a new provision which states that profiling will be a relevant factor in the assessment as to whether there has been meaningful human involvement in a decision.
- International Transfers
The Second Draft Bill makes clear that transfer mechanisms that were lawfully entered into before the new Bill takes effect will continue to be valid under the new regime.
The Second Draft Bill will now undergo a second reading in the House of Commons, before being submitted for Committee Stage, with exact timings unclear. Also unclear is whether the UK will able to maintain its EU adequacy status in the face of these proposed data protection reforms.
In parallel, it is envisaged that both direct retained EU law and EU-derived subordinate legislation will expire at the end of this year under a “sunset” provision in the Retained EU Law (Reform and Revocation) Bill, unless preserved by specific statutory instruments for a limited time, with final sunset at the end of 2026. Where “direct retained EU Law” principally covers EU Regulations that were incorporated into domestic law under the European Union (Withdrawal) Act 2018 at the end of the Brexit transition period, such as the UK GDPR, “EU-derived subordinate legislation” is domestic legislation made under primary EU legislation, such as PECR.
Government departments are continuing to prepare for these changes using the Government’s Retained EU Law Dashboard to record legislation that may be in scope. However, it remains to be seen whether the Second Draft Bill will continue to sit alongside the existing data protection framework (such as the UK GDPR) as is currently the case, or whether the Government may use the data protection reform as an opportunity to consolidate the existing framework and replace it in its entirety with the Second Draft Bill if the Retained EU Law Bill receives Royal Assent.