The 200-page Data Protection and Digital Information Bill could be a formative step in the United Kingdom’s tryst with tech policy-making. Laid in Parliament in July this year, the Bill largely seeks to streamline and reform existing data protection frameworks. It may help businesses save a little as they comply with the law—even if some critics believe that it dilutes statutory safeguards in existing data protection regimes.
Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation. — Nadine Dorries, Digital Secretary.
Aside from introducing some privacy protection measures and safeguards, the Bill also expands the grounds to ‘reasonably process’ data and target consumers through ‘soft opt-in’ marketing techniques, among other amendments.
The United Kingdom has been making noises about the European Union’s ‘cumbersome’ GDPR for a while now. The government is clear that the GDPR’s ‘one-size-fits-all’ approach disregarded the data processing abilities of small businesses (which include start-ups). This, it argues, led to cursory compliance with the complex law and ‘to an over-reliance on “box-ticking” to seek consent from individuals to process their personal data’.
However, with Brexit came the opportunity to junk the GDPR and EU-like data protection laws. Even the Queen confirmed this sentiment in her ‘most gracious speech’ to the UK’s Houses of Parliament this year.
Why it matters: The second reading of the Bill in the House of Commons—due to take place on September 5th—was postponed after Liz Truss cleared the finish line first in the Prime Ministerial race. It will have to clear multiple hoops to ever be passed. Regardless of the outcome, the UK is in a unique position—it has the ability to forge a new path in data protection regulation that may deviate from the strictures of the EU’s GDPR. This Bill—with its expanded exemptions for personal data processing and marketing, among others—may be an example of what non-European tech policy from the Global North can look like.
Part 1: Amendments to the UK GDPR and Data Protection Act
Part 1 introduces amendments to the Data Protection Act (2018) and UK General Data Protection Regulation (GDPR) to make the laws easier to interpret and comply with for smaller businesses, as flagged by a House of Commons report.
A clarified scope for personal data
What the 2018 Act says: Personal data is ‘information relating to an identified or identifiable living individual’; non-personal data falls outside this definition. An identifiable person may be identified by name, location data, an online identifier, or physical factors.
What the Bill says: The Bill clarifies the type of data falling under personal data. It confirms that a living individual can be identified either directly or indirectly through various means—data collected on such a person would count as personal data.
Expanding ‘legitimate interests’ for processing personal data
What the UK GDPR says: Personal data can be processed if it is in the exercise of six ‘legitimate’ interests. However, organisations have to carry out ‘balancing tests’ before processing personal data. This test needs to show that the need for processing outweighs the rights of the data subjects themselves.
What the Bill says: The Bill adds a new clause that makes data processing for ‘recognised legitimate’ interests lawful—these interests can be amended through regulations issued by the United Kingdom’s Secretary of State. They include processing for:
- Protecting national and public security;
- Responding to emergencies;
- Investigating crime;
- Safeguarding children and vulnerable, at-risk adults;
- And ‘democratic engagement’ (processing of data of people of voting age).
Reforms to subject access requests
What the UK GDPR says: Data subjects have a ‘right of access’ or ‘subject access’ to ask an organisation what information it holds on them, where and how it obtained that information, and how it is being used. Data subjects are not charged a fee to request this information. Organisations have a month to respond to these requests, but can refuse to entertain them if they are ‘manifestly unfounded or excessive’. In the latter case, organisations can charge the data subject a fee for the administrative costs incurred.
What the Bill says: ‘Vexatious and excessive’ is the new threshold for rejecting a subject access request. Data controllers can charge fees when rejecting such requests—although the Secretary of State is empowered to devise limits for these. This widened scope aims to filter out ‘unreasonable and/or disproportionate’ requests from data subjects. The following parameters can be used to determine what is vexatious or excessive:
- The nature of the subject access request;
- The nature of the relationship between the data subject and data controller;
- The kind of resources available to the data controller;
- The number of times the same subject access request has been made;
- How long ago any subject access request by the subject was made;
- Whether the subject access request intersects with other requests made to the data controller.
Addressing the harms of automated decision-making
What the UK GDPR says: The law safeguards individuals from automated decision-making by AI systems (this can result in outcomes like an online credit application being refused by a non-human). It also gives subjects the right to understand the potential outcomes of these decisions, as well as to object to their use in certain cases. Organisations cannot use such decision-making systems if they may affect the data subject’s legal rights. This caveat can only be bypassed if:
- Doing so is part of a contractual obligation between the data subject and the organisation;
- The organisation is authorised by law to do so to prevent tax evasion or fraud;
- The data subject has given explicit consent.
What the Bill says: A new clause will substitute this legal safeguard such that automated decision-making is not limited to the three parameters listed above. Now, significant decisions (with legal or other major consequences for the data subject) cannot be taken using automated systems unless:
- The data subject gives their explicit consent;
- Doing so is necessary to fulfil a contractual obligation between that data subject and organisation, or is necessitated by law, or has substantial public interest.
The Secretary of State is empowered to amend what constitutes significant decisions. Where a significant decision is taken through automated decision-making, the following safeguards apply:
- The data subject should be notified once the decision is taken;
- The data subject should be enabled to ‘make representations’ on the decision;
- The data subject should be enabled to secure human intervention from the organisation regarding the decision;
- The data subject should be enabled to contest the decision.
Personal data processing for scientific research
What the UK GDPR says: The law permits personal data processing for certain types of research (scientific, historical, public-interest and statistical). This research is ringfenced by safeguards that may include pseudonymising the dataset in question.
What the 2018 Act says: Data processing for research cannot be carried out if it is used to make decisions on behalf of the subject, or causes them substantial damage or distress.
What the Bill says: The Bill clarifies the various kinds of research falling under ‘scientific research’. It also introduces an amendment allowing a data controller to obtain consent in cases when ‘it was not possible to identify fully the purposes for which the personal data was to be processed at the time of collection’. The data subject must be notified if the data controller intends to process the data for new purposes other than those originally intended. An exemption to this new clause can be granted where notification would impose disproportionate costs and the new research is conducted within existing safeguards. The Bill’s new safeguards require that:
- The data processing does not substantially damage or distress the data subject;
- Principles of data minimisation are adhered to;
- The processing is not used to take decisions on behalf of the data subject, unless specifically for medical research.
Revised obligations for data controllers and processors
What the UK GDPR says: Data controllers and processors must appoint a data protection officer to enforce and oversee privacy initiatives. They should conduct periodic data protection impact assessments to evaluate the potential impacts and risks of personal data processing. They must also keep records of data processing activities.
What the Bill says: Data protection officers have been granted more flexibility in the approaches they can take to implement data protection principles. Importantly, data controllers outside the UK will no longer need to appoint a data protection officer within the UK. Many responsibilities of these officers would fall to the newly introduced ‘senior responsible individual’ where data controllers or processors engage in high-risk processing. Low-risk organisations (that is, small businesses) need not appoint such staff. New guidelines on record-keeping, as well as assessment frameworks for impact assessments, have also been introduced.
Transferring personal data abroad
What the UK GDPR says: ‘Data adequacy’ is a status assigned by the UK to countries with strong personal data privacy protections in place. If a country is granted this status, the personal data of UK citizens can be freely transferred to it. Adequacy is measured by evaluating whether the UK GDPR’s level of protection is undermined when data is transferred abroad. Currently, the EU, Argentina, New Zealand, Switzerland, and Israel are some of the countries and blocs that have been granted this status.
What the Bill says: The Bill introduces three new scenarios where personal data can be lawfully transferred abroad:
- If the Secretary of State has issued regulations approving the free transfer of personal data to that country;
- If appropriate safeguards are in place (for example, through contracts);
- If the transfer falls within the limited exemptions to adequacy status listed under Article 49 of the UK GDPR.
The Secretary of State is empowered to make regulations regarding data transfers to ‘third countries’ or international organisations. However, the country or international organisation’s data protection standard should not be ‘materially lower’ than the UK’s. Assessing whether this is the case depends on:
- Respect for law and human rights;
- Existence of a data protection authority;
- Availability of grievance redressal for data subjects;
- The rules on international data transfers governing the country or international organisation;
- The international laws the country or international organisation abides by;
- And ‘the constitution, traditions and culture of the country or organisation’.
If, after such a transfer has been approved, the data protection standard of the country or organisation weakens, the Secretary of State will have to amend the regulation governing it or allow it to lapse.
Redefining the Information Commissioner’s role
What the 2018 Act says: The Information Commissioner’s Office is an ‘independent public body with responsibility for overseeing and enforcing data protection law in the UK’. Its powers are described in Parts 5 and 6 of the 2018 Act.
What the Bill says: The Bill redefines the roles and powers of the Information Commissioner. They would have to secure an ‘appropriate’ standard of personal data protection keeping in mind the interests of all stakeholders. They would also have to strengthen public confidence in personal data processing. These standards need to promote innovation and competition, prevent and resolve criminal offences, and safeguard national and public security. The Commissioner will have to publish reports on their strategy to achieve these standards and the steps they’ve taken in the process. A new clause will rename the Office the ‘Information Commission’. John Edwards, the UK’s current Information Commissioner, has ‘welcomed the Bill’s proposed reforms’, according to the House of Commons report.
Part 2: Digital Verification Services
The Bill provides a new regulatory framework for establishing ‘trusted’ providers of online digital identity verification services. ‘This includes a “trust mark” for organisations that have been certified against the framework, a register of providers, and an information-sharing gateway,’ says the House of Commons report. ‘The “information gateway” would enable “public authorities” to share government-held personal data with trusted providers for the purposes of identity and eligibility verification.’
Part 3: Amendments to how personal and business data is handled
What the UK GDPR says: Through the right to data portability, consumers have the right to request businesses to provide their data to third-party providers in a ‘commonly used format’. ‘Smart data’ expands on these rights by empowering consumers to securely share their data with third-party providers in exchange for service provision. An example of this is Open Banking—which requires large banks to share customer transaction data (with the consumer’s consent) with third parties through APIs. The online services developed through Open Banking include tools to monitor monthly expenditure and assess mortgage eligibility. The Department of Business, Energy and Industrial Strategy has argued, however, that the current model locks away consumer data—to the detriment of innovation in service delivery and business.
What the Bill says: Part 3 of the Bill empowers the Treasury and Secretary of State for Business, Energy and Industrial Strategy to issue regulations that require data holders to make customer and business data available to third parties. They are also empowered to issue regulations on processing this data. The Secretary of State or the Treasury are also empowered to issue regulations that require data holders to provide customers or an ‘authorised person’ with their data based on a request. ‘The authorised person would be best able to make use of the data on the customer’s behalf,’ says the House of Commons report, citing the Bill. These regulations may also provide for the retention of data so that smart data schemes can operate ‘consistently and effectively’.
Parts 4 and 5: Other amendments
Cookies: Currently, information collected by cookies cannot be stored or accessed unless the subject has been provided with clear information on the storage of or access to that data, and has granted their explicit consent. Consent is exempted in cases where cookies are ‘strictly necessary’ to provide a service. The Bill extends the situations where cookies ‘could be used to store or access information on people’s devices without their express consent’. The Secretary of State is empowered to issue further exemptions.
Unreceived communications: The Bill empowers the Information Commissioner to take action against unsolicited direct marketing attempts, regardless of whether the intended recipient received them. A new amendment also directs public electronic communication service providers and public communication network providers to inform the Commissioner of unlawful direct marketing within 28 days of becoming aware of it.
Soft opt-in: Existing customers of a commercial organisation often ‘soft opt-in’ to receive electronic marketing—this is material sent to them based on inferences made from their purchasing or browsing data. The Bill extends this provision to non-commercial entities like charities or political campaigns.
Public service delivery: The Bill also extends the sharing of personal data between authorities to improve service delivery to businesses (and not just individuals).
Birth and death registration: The Bill does away with the mandate of maintaining paper registers of birth and death certificates. This opens the doors for all such registrations in England and Wales to be stored electronically.
Health and social care: The Bill imposes an obligation on IT stakeholders dealing with health data to ‘meet specified open data architecture standards to improve patient outcomes’.
Biometrics and surveillance: The Bill abolishes the office of the Biometrics Commissioner, transferring these responsibilities to the Investigatory Powers Commissioner. This is being done to facilitate streamlined oversight over how the police use biometrics. The Bill also abolishes the Surveillance Camera Commissioner, transferring the regulation of surveillance to the Information Commissioner.
National DNA Database: The scope of its regulatory board has been widened to improve oversight over the project. The Secretary of State is empowered to add or remove databases used for policing.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.