The UK’s latest effort to reform data protection law began on 23 October 2024 with the first reading of the Data (Use and Access) Bill in the House of Lords. Although less extensive than the previous government’s proposed legislation, the new Bill still envisages a significant number of changes to UK data protection law. Some of these will make data protection compliance slightly easier for organisations – removing the need for consent for analytics cookies is a good example. If the legislation goes through in its current form, some will impose more obligations. For example, privacy notices will have to be amended to refer to a new data subject right to complain and there is a possibility of more types of special category data being introduced. The Information Commissioner’s Office is also to be re-constituted and will be given strengthened powers – including in relation to enforcement of ePrivacy breaches.
We have set out a comprehensive summary of the proposed changes to data protection law below. Many organisations will have benchmarked their privacy programmes against GDPR, so we have indicated whether the changes will make life easier, or more difficult, by comparison with GDPR. For those who were following the (now defunct) Data Protection and Digital Information (No.2) Bill (“DP&DI Bill”), we have indicated where the current Bill copies across those provisions, or where it makes changes to them.
The Bill contains a myriad of provisions which go beyond data protection – although these often overlap with privacy thematically. For example, the Bill re-introduces provisions which were contained in the abandoned DP&DI Bill relating to digital ID verification services, and provisions which aim to give customers real-time access to data processed by businesses – rather in the way that Open Banking already operates. The Bill also proposes changes to the Online Safety Act. In the interests of brevity, these are not addressed in this note.
*Source IAPP - https://iapp.org/resources/article/uk-data-protection-reform-an-overview/
The Bill includes a new mechanism to allow the introduction of more classes of special category data (s.74, adding new Article 11A to UK GDPR). This will be a power to be exercised by secondary legislation, under the affirmative resolution procedure. As there is a prohibition on processing special category data, if this provision is used it could have wide-reaching effect. One proposed amendment to the DP&DI Bill before it was dropped was the addition of all children’s data as special category data. Proposals such as this could have dramatic impact with little legislative oversight.
This was not in the DP&DI Bill.
When organisations transfer personal data to countries where there is no “adequacy decision”, they must undertake a detailed transfer risk assessment as well as putting safeguards in place, such as using standard contractual clauses. The Bill adjusts this. Exporters must instead consider if the standards of protection will be materially lower than those applicable in the UK and must act “reasonably and proportionately” in considering if this test is met, looking at all the circumstances including the nature and volume of personal data transferred (Art.46 (1A), 46(6 – 7)). This should give organisations scope to streamline transfer risk processes for low-risk data transfers – although existing guidance from the ICO already makes this a possibility in the UK, unlike the EU.
All the usual data safeguards (standard contract clauses, BCRs etc) remain. Some gaps in the current regime have been addressed. At present, mechanisms that are most suitable to public authorities (legally binding instruments and administrative arrangements) can only be used with other public authorities, not for transfers to private sector organisations; this is widened. In addition, a rule making power is introduced to allow the Secretary of State to approve new clauses which – of themselves – are capable of ensuring that the data protection test is met. If such clauses are introduced this would entirely remove the need for exporters to undertake transfer risk assessments.
In place of the somewhat condescending process to consider “adequacy”, the Bill introduces a more diplomatically tactful “data protection test”. The Secretary of State must consider if the standard of protection is not materially lower than that in the United Kingdom. The factors to be considered are more flexible, covering respect for the rule of law and human rights; the existence and powers of a supervisory authority; redress; onward transfer rules; relevant international obligations and the constitution, traditions and culture of the country. In addition, the desirability of transfers of data to and from the United Kingdom can be considered – although this does not remove the need to satisfy the data protection test.
All the current derogations are retained. The Secretary of State is given a rule-making power to specify situations when transfers will – or will not – be considered necessary on substantial public interest grounds. In addition, the Secretary of State is given powers to introduce do not transfer lists, when transfers to a particular third country may be restricted for important reasons of public interest.
The provisions are carried across from the DP&DI Bill.
The Bill provides that the cookie consent rules will now also apply to a person who “instigates” the storage or access to stored data – possibly allowing ICO to take enforcement action against website publishers, rather than the ad-tech vendors with whom the publisher works. The Bill also introduces exemptions from the cookie consent requirement for situations which pose a low risk to user privacy. These include processing:
ICO’s power to impose penalties under PECR – both for cookie and electronic marketing related breaches – is currently capped at £500,000. This anomaly is addressed and the enforcement powers under UK GDPR and the DPA 2018 will apply to ePrivacy breaches. Most breaches will attract the higher maximum penalty cap of £17,500,000 or 4% of worldwide turnover.
Communications service providers are subject to a parallel personal data breach reporting regime. This is to be aligned with the 72-hour deadline under UK GDPR (although the requirement to notify all breaches remains). Lastly, there are obligations for the Commission to encourage representative bodies to produce Codes of Conduct which it is then required to review and potentially approve. There is also provision for accreditation bodies to be set up to monitor compliance with these Codes of Conduct.
These provisions are like those proposed in the DP&DI Bill, but the drafting has been reworked and in places shortened.
The Bill contains relatively minimal changes to data subject rights. Proposals under the DP&DI Bill relating to vexatious requests have not been included.
The deadline for responding to requests is now more clearly spelled out in the legislation. It reflects ICO guidance that, if the controller reasonably requests further information to identify the processing covered by the request, then the “clock stops” until this information is provided. The Bill also makes clear that the controller’s obligation is to provide such data as it can provide after a reasonable and proportionate search. Prior case law had established that this would be the case, on the basis of the principle of proportionality under EU law. Brexit had cast doubt on whether this should still be considered, so this puts the point beyond doubt. This echoes existing ICO guidance on the topic, so will not come as a surprise to controllers, but should provide comfort when dealing with aggressive data subjects. Further changes to subject access requests are made in respect of court procedure. Under the Bill, if a court is required to determine whether a data subject is entitled to information under their right of access or portability, the court can require the controller to make this information available for the court’s inspection, although the court may not require it to be disclosed to the data subject or their representatives until after it makes a decision.
Data subjects are given a new right to complain to controllers (s.164A). This will require controllers to facilitate the making of complaints, to adopt measures such as an electronic complaint form, and to include information about this new right in privacy notices, Binding Corporate Rules etc. Controllers may be obliged to notify the ICO of the number of complaints they have received. This is largely carried across from the DP&DI Bill. Provisions in that Bill that gave the Commissioner a right not to act on complaints have, however, not been re-introduced.
Solely automated decision making is substantially liberalised, and more clarity is given to the meaning of “solely” in this context, with the Bill defining it as where there is no meaningful human involvement in the decision and providing factors to consider when assessing this. Broadly, the same restrictions as in GDPR are retained where the decision will rely on processing special category data. However, other significant solely automated decisions are now permitted, provided certain safeguards are put in place. These safeguards must include the ability for data subjects to make representations, contest the decision and require human intervention. This change reflects a similar approach to the UK’s position prior to the GDPR and will be welcomed, as the existing prohibition on automated decision making is often problematic. These provisions are the same as those in the DP&DI Bill.
The Bill makes it easier for controllers to know if the purpose for which they are processing data will be accepted as “legitimate”. Art.6(9) includes examples of this – direct marketing, ensuring the security of network and information systems and transfers of personal data intra-group (all already mentioned in recitals 47 – 49). In addition, the Bill formally “recognises” certain interests as legitimate, listing them in Annex 1. These include disclosures to public bodies who assert that they need personal data to fulfil a public interest task; disclosures for national or public security or defence purposes; emergencies; prevention or detection of crime; and safeguarding vulnerable individuals. For these limited purposes, the requirement to carry out and document a balancing test against the rights of individuals is effectively removed. In our experience, it is not usually difficult for controllers to determine that an interest is legitimate. It can be more difficult to determine if processing is “necessary”. The “recognised legitimate interests” all depend on the processing being “necessary” for the specific purpose, and the Bill does not alter this. The overall effect is that in some limited circumstances, falling outside the day-to-day processing of most organisations, any question of whether an interest is legitimate is removed and there is no need to undertake a balancing test.
These provisions are largely unchanged from the earlier DP&DI Bill. Earlier provisions providing that processing by elected representatives amounts to a recognised legitimate interest have been removed.
The Bill restates the GDPR provisions on purpose limitation whilst adding a new compatible purpose of ensuring or demonstrating compliance with Article 5(1). Annex 2 also introduces a list of purposes which are “deemed” compatible with the original purpose. These include disclosures to public authorities where the authority states it needs the data for a task in the public interest (which is also recognised by Art.23 UK GDPR); disclosures for public security purposes; emergency response; safeguarding vulnerable individuals; protecting vital interests; and preventing and detecting crime, assessing tax, and complying with legal obligations. (The last three now seem to be doubly accepted, as they already benefitted from specific exemptions under the DPA 2018.) It also makes clear that purpose limitation is relevant when one controller wishes to use personal data for a new purpose. If controller B wishes to acquire personal data from controller A, controller A would have to consider how purpose limitation may affect disclosure of the data; however, controller B would be processing the data for its primary purpose, so purpose limitation would not be relevant (Art.8A(1)). There is also an odd provision that processing carried out to ensure that processing complies with GDPR, or to demonstrate that processing does so, will also be regarded as compatible.
If a controller originally relies on consent as its lawful basis, then the Bill writes into law the view held by ICO, that new consent will be required for further processing unless a derogation applies and the controller cannot reasonably be expected to obtain consent (Article 8A(4)). These provisions are the same as those in the DP&DI Bill.
The Bill makes significant changes to the structure and governance of the ICO. The role of Information Commissioner as a “corporation sole” is replaced by a body corporate called the Information Commission. There are transitional provisions within the Bill to ensure that all powers and obligations of the Commissioner transfer to the Commission and that the present Commissioner will become the non-executive Chair of the Commission. The new structure is like that of the FCA, CMA and OFCOM.
The Information Commission will consist of non-executive members led by the Chair and executive members led by a chief executive who will be appointed by the non-executive members. In addition to the Chair, who is appointed by the Crown on the recommendation of the Secretary of State, the Secretary of State may appoint other non-executive members, and the Commission can appoint one of the non-executive members as deputy to the Chair. The executive members of the Commission are appointed by the non-executive members. The main change is a greater role for the non-executive members; by contrast, the present model vests all authority in the Commissioner, who delegates to other members of the organisation at his discretion. This change is reinforced by the requirement that the Secretary of State must ensure, so far as practicable, that there are more non-executive members than executive members.
The proposed changes are unlikely to have any significant impact on ease of compliance. These provisions are largely identical to those in the DP&DI Bill.
The Bill sets out the Commission’s primary objectives, which are to secure an appropriate level of protection for personal data and to promote public trust and confidence in the processing of personal data. The Commission must have regard to other wider public interest factors – such as preventing and detecting crime and the desirability of promoting innovation and competition. The Commission must also consider the fact that children may be less aware of the risks of personal data processing and of their rights. This has been added by comparison to the DP&DI Bill. It may be helpful if a further addition were made, requiring the Commission to consider the public interest in freedom of expression. The Commission must publish and report annually on its key performance metrics and the regulatory action it has taken that year.
ICO was already required to produce stipulated Codes of Practice – such as the Children’s Code. The Bill has added enabling provisions allowing the Secretary of State to add to the list of Codes the Commissioner must produce. (UK-watchers may recall that during the progress of the DP&DI Bill, Codes on Ed-tech were suggested, so we may see a return of this.) The Commission is also required to carry out and publish reports on the impact of any proposed Codes of Conduct.
Most of these provisions were in the DP&DI Bill. However, more contentious provisions in that Bill allowing the Secretary of State to set strategic priorities for ICO and requiring ICO to submit drafts of its Codes of Practice to the Secretary of State for consideration have been dropped.
Additional enforcement powers are granted to the Commission. The existing Information Notice powers are expanded to permit the Commission to require that specified documents be provided. This will give investigators further ability to delve into suspected areas of non-compliance and remove some of the difficulty of having to ask for information without being sure which questions will elicit the most useful information. This will place a greater compliance burden upon recipients of Information Notices, as documents will have to be located and provided in addition to answering lists of questions. Further, when organisations are required to provide information, there are opportunities to shape the narrative and tone of responses; that is much harder when full documents must be shared.
The assessment notice provisions are expanded to allow the Commission to require the recipient to instruct an approved person to prepare a report and provide it to the Commission. The Commission can dictate the content, form and date of completion of the report and the Controller/Processor must pay for it. Provisions are set out for determining who the approved person should be. Again, this will place a greater organisational and financial burden upon recipients of such notices and shifts the cost of analysis of data breach incidents from the regulator onto the affected organisation. One intended benefit is that there will be a single ‘version of the truth’ which may save time in disputes about the factual basis of any incident being investigated.
There will be a new power to issue interview notices, under which the Commission can call an individual to be interviewed, either in their capacity as controller/processor or as a present or past employee (or someone who otherwise worked for the controller/processor) or manager of the same, and require them to answer questions. Unlike the powers described above, which are expansions of existing ones, this is an entirely new investigatory tool. Whilst other regulators possess similar powers, the ICO has not previously been able to compel individuals to speak to it. There are exemptions where parliamentary or legal privilege applies and in respect of self-incrimination, but not in respect of potential offences under the Data Protection Act. It is an offence to knowingly or recklessly make a false statement, and the Commission will have a power to impose a penalty notice for failure to comply with an interview notice, with significant fining powers aligned to those already available. The Commission must produce guidance on the factors to be considered when deciding to issue an interview notice.
These provisions are largely identical to those in the DP&DI Bill.
Researchers often want to re-use data for further research not anticipated at the date of collection. Art.14(5)(b) provides that there is no need to provide a privacy notice to individuals in this case if this would be impossible or involve disproportionate effort – in particular for processing for research purposes. However, this exemption only applies where personal data has not been collected directly from individuals. There is no equivalent exemption for directly collected data. This can be problematic where contact details have changed, or for large cohorts where the cost of providing a new notice would make the research non-viable. A new exemption is introduced at Art.13(5); it is like the Art.14(5) exemption but is limited to processing for research purposes which complies with research safeguards. Art.13(6) notes that the age of the data, the number of data subjects and the safeguards applied should all be considered.
Required safeguards for research were previously split between Art.89 and s.19 DPA 2018. These are now consolidated in one place, Chapter 8A UK GDPR. A new acronym of “RAS purposes” (for processing for scientific and historic research, archiving in the public interest and statistical purposes) is introduced. The substance of the existing law is, however, unchanged, so this is a case of redrafting for the sake of redrafting.
New Art.4(7) provides that consent to an area of scientific research will still be “specific”, provided that, at the time consent was given, it was not possible to fully identify the purposes, this approach was consistent with generally recognised ethical standards and, so far as possible, individuals were allowed to consent to only part of the research. This takes the existing succinct drafting from recital 33 but spreads it out over multiple sections and phrases it slightly differently.
There is a definition of “scientific research” which incorporates the existing text from recital 159 including noting that research can be either a commercial or non-commercial activity. A definition of statistical purposes is included, which is processing to produce statistical surveys or results, where the resulting information is aggregate and not personal data and where the resulting information is not used to take measures or decisions with respect to an individual whose data was processed to produce the results.
The change to purpose limitation – providing that processing originally relying on consent must almost always be based on consent (see purpose limitation section above) – is unhelpful. If researchers undertake a research project and base the processing on consent and then later want to make use of the data for further research, this will not be possible unless they go back and obtain new consent.
These provisions are largely identical to those in the DP&DI Bill – save that there is a new exception to the point on consent and purpose limitation mentioned above for processing for archival purposes.
The Bill acknowledges the “special” relationship between the UK and the USA by recognising the agreement between the two governments on requests to access data for the purposes of countering serious crime. Under the new provisions controllers may rely on legal obligation as the lawful basis or condition for processing personal and special category data where it is necessary to respond to such requests. This simplifies the rules for responding to law enforcement requests from US authorities but does not help multi-national organisations which need to comply with other types of legal obligations across different jurisdictions.
As there has historically been concern in the privacy community regarding access by US law enforcement to personal data, it remains to be seen whether this move will impact the European Commission’s adequacy finding for the UK, although it may be of some comfort that the UK-US agreement referred to was signed in October 2019, prior to Brexit, and therefore would have been considered in the adequacy procedure.
A version of this article has also been published by the International Association of Privacy Professionals (IAPP); the article can be accessed via their website.