It is party conference season for the political classes in the UK. For the uninitiated, this means bold policy statements and speeches setting out each party’s stall with the prospect of a general election on the not-too-distant horizon.
On Monday 4 October at the Conservative Party Conference, the Minister for Digital, Culture, Media & Sport (DCMS) took to the stage. In her speech, Michelle Donelan stated that the government would be ‘replacing GDPR with our own business and consumer-friendly, British data protection system’.
No prior warning had been given, nor further details provided to accompany this landmark announcement that the fundamentals of the UK’s current data protection regime since 2018 were about to be shaken up, possibly even placing the EU Commission’s adequacy decision in favour of the UK, which guarantees frictionless data transfers with the EEA, at risk.
The speech caused a stir in the privacy and tech community, not least because the statement seemed to conflict with legislation that the government was itself currently progressing through Parliament.
The Data Protection and Digital Information Bill
On 18 July 2022, the government introduced a Bill in the House of Commons, called the Data Protection and Digital Information Bill (DPDI). It amends (but does not replace) the UK’s current data protection and e-privacy regime, in particular the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations (PECR).
This Bill followed on from DCMS’s consultation on the future direction of data laws in the UK (Data: A New Direction), and it was intended to create an ‘ambitious, pro-growth and innovation-friendly data protection regime’.
The consultation was launched on 10 September 2021, therefore the DPDI had been progressed for over a year through consultation and Parliament (where it was on its second reading) before the announcement from the DCMS Minister on Monday night.
Key features of the Bill
There are a number of key features of the DPDI which are worth drawing attention to, including:
- A new, revised definition of ‘personal data’, including further context about the boundaries of this impacting on anonymisation and pseudonymisation, in the form of a new definition of a ‘identifiable living individual’.
- A new ‘recognised legitimate interest’ ground for lawful processing, allowing reliance on a ‘whitelist’ of specified legitimate interests.
- Further provisions around determining ‘compatible new purposes’ for reusing data for a new purpose, whilst complying with the purpose limitation principle.
- The lowering of the threshold for rejecting data subject rights requests from ‘manifestly vexatious and excessive’ to merely ‘vexatious and excessive’.
- A new regime for data subject complaints, requiring the controller to deal with these in the first instance (rather than the ICO).
- Recast and enhanced provisions around automated decision making in Article 22, with the ability for the Secretary of State to make further regulations in this area (in particular, to define what a ‘significant decision’ qualifying for certain safeguards would be).
- The removal or revision of a number of obligations of controllers and processors, such as the requirement to have a Data Protection Officer (replaced by a ‘senior responsible individual’, as defined) or a representative (if not established in the UK).
- Changes to the regime governing cookies, including further types of cookies which would not have to require prior consent (such as analytics cookies for statistical purposes and those which record preferences/enhancements). The Bill also laid the groundwork for consent to be provided through browser settings.
- A new exception to the prior consent rule for direct marketing, where the direct message is solely for the purposes of furthering a charitable, political or non-commercial objective.
- As well as including provisions to make the Information Commissioner the Chair of a new organisation called the ‘Information Commission’, the Bill contains a number of further new duties for the ICO (such as considering the ‘desirability of promoting innovation’) and new powers (such as requiring attendance at interviews, and the alignment of powers for breaches of e-Privacy rules, including the level of fines, to those available under GDPR).
The future of the Bill (and of GDPR?)
It has been reported that DCMS confirmed work will be ‘paused’ on the DPDI for the government to rethink the provisions and revise the Bill. It is unclear whether any of the above provisions mooted in the original Bill will therefore be brought back before the House of Commons.
Alternatively, the intention may be to entirely repeal the underlying law (the GDPR) which the Bill was seeking to amend – as part of a ‘bonfire of regulations’ or otherwise.
However, it would be surprising if the amendments currently contained in the DPDI did not return in some form in a new, revised data protection bill – especially given that the aim of some of the provisions (e.g. new limited accountability requirements for controllers and processors, cookies consent through browser settings) were clearly intended to be ‘business and consumer friendly’ – aligning to the new DCMS Minister’s own aims.
Either way, the future of data protection law in the UK (and the ease of global data transfers to and from the UK to the many jurisdictions which have, or are planning, a GDPR-like law) hangs in the balance.
The privacy and tech community will be watching eagerly for any indications of the future direction of the government.