UK data protection: the relaunched reforms

The UK's current data protection regime – found in the UK GDPR and the Data Protection Act 2018 – reflects the provisions of the EU regime. However, the UK Government has long viewed the ability to make amendments to the current regime as a clear Brexit benefit. Rather than undertaking a wholescale reworking of the regime, the Government, mindful of the need to keep data flowing and ensure the UK regime is seen by the EU as "adequate", has targeted its reforms in areas where it perceives it can ensure business efficiencies and incentivise growth. 

In September 2021, the then Department for Digital, Culture, Media & Sport (“DCMS”) announced plans to reform the UK's data protection laws. Following completion of a consultation process, in July 2022 a new bill was introduced to Parliament called the Data Protection and Digital Information Bill. This bill was due for a second reading in the House of Commons in September, but following the changes of Prime Minister (and responsible Secretary of State) this was postponed. 

Technology and innovation is seen as a key focus for growing the UK economy, and last month the Prime Minister announced that there would be a reshuffle of responsibilities amongst departments and the creation of new departments, including the Department for Science, Innovation & Technology (now known as DSIT). Into the department moved, among other things, responsibility for data protection; however, the new Secretary of State for DSIT – Michelle Donelan – already had responsibility for this area as the Secretary of State in DCMS. 

Bill number two

Data reform remains on the agenda, and in March a new Data Protection and Digital Information (No 2) Bill was laid before Parliament. It replaces the one published in July 2022. The changes between the two bills result from a number of further consultations that the Government has taken behind closed doors and reflection on previous concerns raised; however, the new bill is very similar to that put forward last July.  

The Government has listened to concerns around the need to comply with two different regimes (i.e. EU GDPR and UK GDPR), and has been very keen to stress that compliance with EU GDPR will also mean compliance for UK GDPR purposes, i.e. there should be no additional compliance costs from these changes.  

The proposals in the bill do not radically change the fundamental elements of the current UK regime. Some of its more notable aspects are: 

• Clarification of the "legitimate interests" purpose. There will be a list of recognised legitimate interests where no further assessment needs to be made. Current suggestions for the list include national security, preventing crime, safeguarding, and democratic engagement. There will be a procedure to add to the list where appropriate. 
• Data controller’s interest. The new bill also makes provision for activities which may be regarded as within a data controller's legitimate interest, such as direct marketing or intra-group transfers. The question of whether a commercial interest can ever be a legitimate interest is currently being considered by the European Court of Justice under the EU GDPR. There still needs to be a balancing of the data controller's rights against the data subject's rights and interests, but in principle, a commercial interest can be a legitimate interest for these purposes.
• Removal of the need for most organisations to keep records of processing. Only those organisations that carry out processing activities likely to result in "high risk to the rights and freedoms of data subjects" will need to keep such records. Similarly, the scope of when a data protection impact assessment (DPIA) is required, and the information to be provided, is restricted. 
• Removal of the requirement to designate data protection officers, or DPOs. The role has been renamed “senior responsible individual”, or SRI, and will be someone appointed from senior management of an organisation who is not required to function independently from the organisation's decision-making, as a DPO does. The need for organisations based outside the UK but subject to the UK GDPR to appoint a UK representative will also be removed.
• Fee charging. Data controllers will be able to charge a reasonable fee for certain data subject access requests where the requests are vexatious or excessive, or else to refuse the request. These changes are intended to give greater scope for controllers in dealing with such requests.

Research purposes

The provisions around the use of personal data for research purposes have been clarified. The scope of what is covered by "scientific research" is "any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity". 

• Again examples of what would fall within scientific research are provided – moving wording from the recitals of the UK GDPR to the operative parts. A further clarification is that research into public health is only scientific research if it is in the public interest. 
• The bill also seeks to remove what the Government referred to as "unnecessary barriers to cross-border data flows", through promoting adequacy, or in UK terms "data bridges", where the standard of protection in the third country is not "materially lower" than under the UK GDPR, when "taken as a whole". Again, detail is given of the types of provisions which the UK Government can take into account in making this assessment.

Free flow of personal data between the UK and EU/EEA is crucial in terms of trade, and in June 2021 the EU Commission ruled that the UK offers an "essentially equivalent" data protection to that of the EU, and therefore has "adequacy" status. The UK's adequacy status is up for full review by the EU in 2025, and despite the Government's assurances, there remain concerns that the UK's plans will allow data protection to diverge too greatly from the EU for the UK to be able to maintain adequacy. The bill has just begun its parliamentary process, so we are unlikely to see any new provisions in force before the end of 2023, and there is a long way to go and much discussion yet to be had before a final version is in force.