Data protection law reforms set out in the UK

Jonathan Kirsop, Kathryn Wynn and Rosie Nance of Pinsent Masons, who specialise in data protection law, were commenting after the Data Protection and Digital Information (No. 2) Bill was introduced into the UK parliament on Wednesday.

Compared to the existing UK data protection framework – which is built around the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 predominantly – the Bill envisages a shift in the UK’s approach to data protection, with proposed changes to core issues such as the definition of personal data and some rules governing its processing, as well as to provisions that concern data rights, governance and accountability.

However, many of the provisions of the new Bill are the same or similar to those contained in the original Data Protection and Digital Information Bill introduced into parliament in July 2022. Among the main differences are proposals that promote the use of personal data in commercial research and proposals that would limit business’ record keeping obligations.

Currently, UK data protection law contains special rules for specific contexts – including in the sphere for scientific research. A number of data protection exemptions apply to the processing of personal data for scientific research. These include provisions that otherwise provide data subjects with rights such as the rights to rectification and to restrict or object to processing. However, the government said the existing legislation is “unclear on how scientists can process personal data for research purposes”.

The new Bill contains an updated, broader definition of ‘scientific research purposes’, which clarifies that the provisions will apply to the processing of personal data for the purposes of any commercial research activity “that can reasonably be described as scientific” – and not just non-commercial research such as that carried out by universities. According to the Bill, this will apply to processing for the purposes of technological development or demonstration, fundamental research or applied research – provided the initiatives meet the ‘reasonably be described as scientific’ test.

The Bill also makes clear that the rules on processing for scientific research purposes will also apply to studies in the area of public health – but only if those studies meet the ‘reasonably be described as scientific’ test and it can be shown the study is conducted in the public interest.

On record keeping, the new Bill would reduce existing responsibilities on businesses.

The current law requires controllers and processors to maintain a written record of processing activities under their responsibility, with limited exemptions for organisations that employ fewer than 250 people.

In the original Bill last July, the government proposed to limit the record keeping duties to what is “appropriate”, but it has now gone further in the new Bill to split record keeping duties between controllers and processors and limit the duty on controllers to maintain ‘appropriate’ records to cases where the processing is “likely to result in a high risk to the rights and freedoms of individuals”. Risk is to be assessed by reference to the nature, scope, context and purposes of the processing.

Kathryn Wynn said: “During party conference season in the autumn, it appeared that the government – then under the leadership of Liz Truss – was intent on changing the original Bill to much greater extent than it has done now under the leadership of Rishi Sunak.”

“This perhaps reflects the reality that any changes made to the UK data protection framework need to be within the bounds of what the European Commission would endorse under an ‘adequacy’ agreement, given the costs to businesses in the UK if the UK regime were to fail the EU’s adequacy assessment,” she said.

The new Bill is the product of a targeted consultation exercise the Sunak government ran with stakeholders in recent months. It also follows a reorganisation of government departments that has seen responsibility for data protection policy shift from the Department for Digital, Culture, Media and Sport – now revised to Department for Culture, Media and Sport (DCMS) – to a new department, the Department for Science, Innovation and Technology (DSIT).

Jonathan Kirsop said: “Businesses will welcome reforms that promote innovation – like new rules that should make it easier for them to use technologies like artificial intelligence (AI) systems in a way that supports automated decision making – as well as a reduction in some administrative burdens, like those around record keeping. However, they are also likely to look for simplifications and clarifications to emerge in some areas as the Bill passes through parliament – for example, businesses will be looking for clarity on whether or when their technological development could reasonably be described as scientific,” he said.

Rosie Nance said: “One area where the law is set to evolve is on rules on ‘legitimate interests’ processing. The government is keen to expand the circumstances in which businesses will be able to rely on their ‘legitimate interests’ to process personal data, avoiding the need for consent or another lawful basis for processing to apply. However, some businesses may consider the proposed new rules more complex to navigate. The new text introduces a three-tier approach of ‘recognised legitimate interests’, examples explicitly included in the Bill, and other activities that might be considered necessary for the controller’s legitimate interests. Controllers will still need to carry out the balancing test for all but ‘recognised legitimate interests’ and must now take the additional step of deciding which of these three tiers their activity falls under.”

“The move to list processing that is necessary for the purposes of direct marketing as an example of processing that may be constituted as necessary for the legitimate interests of a business – provided the interests cited by the controller are not overridden by the interests or fundamental rights and freedoms of the data subject, this being the so-called ‘balancing test’, is a pro-business clarification. However, non-binding recitals to existing legislation already suggests, that direct marketing is a legitimate interest, and a recent ruling by a UK tribunal further supports that view. However, news that the Information Commissioner’s Office is to appeal the decision in the Experian case suggests there will be unanswered questions in this area for a while yet, particularly in relation to the balancing test,” Nance said.

The UK government has described the new Bill as a “common-sense-led UK version of the EU’s GDPR” and has estimated that the reforms will save businesses £4.7 billion in total over the next 10 years. While the proposals have been welcomed by business groups, including the CBI and techUK, the Open Rights Group, which campaigns on digital rights, said that if the Bill is passed it “could encourage irresponsible business practice and fuel a race to the bottom in regulatory standards, harming Britain’s global reputation”.

A date for the second reading of the new Bill in the House of Commons has still to be confirmed. It remains unclear how quickly the Bill will pass through parliament. It took less than a year following the Bill’s introduction into parliament for the Data Protection Act 2018 to be enacted.

The original Bill from July 2022 has now been withdrawn from parliament.