Back to the Future – UK Government publishes new Data Protection and Digital Information Bill

After a stuttering start to its legislative existence, the Data Protection and Digital Information Bill (No.2) (the “Bill”) has been introduced to the UK Parliament by Michelle Donelan, the Secretary of State for Science, Innovation and Technology.

The UK government’s intention is that the Data Protection and Digital Information Bill will provide a “simple, clear and business-friendly framework that will not be difficult or costly to implement”. As an example of this, the Bill would do away with the need for organisations to keep records of data processing, unless that processing is “high risk”.Whilst UK business will welcome the potential reduction in paperwork, the business community remains concerned that the UK should remain an “adequate” country to receive frictionless transfers from the EU. To this end, the Bill is intended to retain enough GDPR elements to ensure that UK data laws are essentially equivalent to those in the EU. The hope is that the UK will therefore remain on the EU “whitelist” for international data transfers.

Data professionals are currently poring over the 200-plus pages of provisions in the Bill and their potential implications. In the meantime, here is a quick summary of what the Data Protection and Digital Information Bill proposes:

• Changes that facilitate scientific research The Bill amends the concept of consent so that it can include scientific research purposes that were not fully identified when the original consent was sought from the data subject.
• Changes that simplify legitimate interests as a basis for processing data The Bill introduces a list of “recognised legitimate interests”. Organisations that can rely on these recognised legitimate interests would not then have to conduct and record a balancing test before they can rely on the relevant legitimate interest.
• An increase in fines for direct marketing The maximum fine for direct marketing would be increased considerably, from the current £500,000 to £17.5 million or 4% of global annual turnover (whichever is higher), with the government intending to crack down on nuisance calls and texts in particular.
• Goodbye “DPO”, hello “SRI” The role of the Data Protection Officer will be replaced with that of the Senior Responsible Individual (“SRI”). Organisations will only need to appoint a SRI where they are a public authority or otherwise are engaged in high-risk processing. As the name implies, the SRI must be a senior person in the organisation but can carry out this role in addition to other functions (as is currently the case with many DPOs).
• Continuity on international data flows Organisations that transfer data outside the UK will be relieved that the Bill does not significantly change the status quo in this area. Where an organisation has implemented mechanisms to safeguard data, those mechanisms would remain valid after the Bill becomes law.
• Cookies rules to be relaxed As part of the drive to cut “red tape”, the Bill relaxes the currently strict rules around website cookies. A website operator would be able to place certain types of statistical, security and location cookies without the need for obtaining the current “pop-up” consents.
• Reform to the UK Information Commissioner’s Office The Bill would abolish the UK Information Commissioner’s Office (“UK ICO”) in its current form and create a new “Information Commission” in its place. The Information Commission will assume the responsibilities of the UK ICO.

For its part, the UK ICO has welcomed the re-introduction of the Bill, saying that it supports the Bill’s ambition to enable UK organisations to grow and to innovate whilst maintaining high standards of protection for the data rights of individuals.

The Bill is in the early stages of its legislative development and must clear several more hurdles before it enters force. There remains scope for the Bill to be amended before it becomes law.It remains to be seen whether the Data Protection and Digital Information Bill achieves the government’s goal of saving £4.7billion for British business over the next 10 years. We shall continue to monitor the Bill’s progress and will provide further comments as it makes its way towards gaining Royal Assent.

---

If you have any questions about the new Data Protection and Digital Information Bill, or any other data queries, please contact Luke Dixon or Will Richmond-Coggan in our Data and Information Team.