Data protection reforms make their way through Parliament

The first major change to data protection law since Brexit has passed its second reading in the House of Commons.

After a false start last year, the Data Protection and Digital Information (No.2) Bill (“the Bill”) has passed through its first major parliamentary hurdle as it looks to update data protection laws in the first major change since Brexit. The Bill was given its second reading on Monday 17 April and will now proceed to the committee stage for line-by-line scrutiny.

Changes proposed in the Bill

The Bill is very much ‘evolution’ rather than ‘revolution’ of the existing data protection regime, nevertheless it will change the way in which organisations must ensure data protection compliance. The Bill, as drafted, makes several changes to data protection law including:

• Examples of legitimate interests – organisations currently have to justify each legitimate interest they identify as a lawful basis for processing personal data, balancing each against the rights and freedoms of a data subject. Many tasks relying on legitimate interests are clearly necessary for the functioning of an organisation. The Bill introduces examples of legitimate interests, which, whilst still requiring balancing against the data subject’s rights and freedoms, are identified explicitly as being an acceptable legitimate interest to pursue (e.g. where personal data is shared within a company group).

• Recognised legitimate interests not requiring a balancing of data subject rights - the Bill also introduces a limited number of recognised legitimate interests, for example preventing or detecting crime, which will not require the balancing with data subject rights and freedoms before being able to be relied upon. 

• Making further scientific research easier to undertake – the Bill modifies the standard of consent required for scientific research purposes to allow those undertaking such research greater flexibility  where the exact use of the information is not able to be determined at the point of the consent.

• The end of the DPO? Data Protection Officers are no longer to be appointed, however in their place organisations that would previously have needed to appoint a DPO (e.g. public authorities and those processing large amounts of sensitive personal data) will need to appoint a “senior responsible individual”.

• Records of processing activities – currently, organisations with more than 250 employees or which process personal data which risks the rights and freedoms of data subjects are required to keep a record of their processing activities. Anecdotally, many organisations have found that these records duplicate many other documents kept by organisations (such as retention policies and privacy notices). This obligation is removed in the Bill, replaced with a duty on organisations who undertake processing activities likely to result in a high risk to the rights and freedoms of individuals to keep “appropriate records”.

• Vexatious or excessive requests by data subjects – the Bill introduces a new definition of vexatious or excessive requests, so that data subject access and similar requests can be refused or charged for more easily than the “manifestly unfounded or excessive” test currently in place, providing factors organisations should take into account when deciding whether a request is vexatious or excessive. This definition builds on and develops existing guidance on when an organisation may consider a request “manifestly unfounded or excessive”. Such clarity is to be welcomed in what is a particularly difficult area for small organisations to handle.

• Direct marketing changes – a welcome update for charities – charities (and political parties) will be able to send electronic marketing communications to individuals who have previously expressed support for the cause being promoted to them without requiring explicit consent (unless they have opted out of receiving such communications). This brings charitable donations into line with commercial promotions relying on the so-called ‘soft opt-in’, though charities will still need to ensure compliance with the particular requirements of the direct marketing and data protection legislation and should also consider the fundraising code when sending such communications.

• Direct marketing – a bigger stick – the maximum direct marketing fines have been increased to align with the maximum fines under the UK GDPR, such that an organisation can now be fined up to £17.5 million or, if higher, 4% of their global turnover for a breach of the electronic direct marketing regime.

• The end of cookie, cookie, cookie? Constant requests to accept cookies are widely recognised both as a nuisance and a poor way of regulating the use of cookies online. The Bill seeks to reduce the number of cookies which require users’ consent but, crucially, consent is still required for advertising cookies.

• A new Information Commission – reforms are made to the Information Commissioner’s Office, which will become the Information Commission. Many of the changes amend the internal running of the body responsible for ensuring compliance with the UK’s data protection regime.

Next stages

The Bill will now proceed to the Committee stage for line-by-line scrutiny by the House of Commons. Once it has passed this hurdle, the legislation will also need to go through the House of Lords before it becomes law.

As the Bill makes its way through Parliament, it will be interesting to see how this first, tentative step to reform data protection law following Brexit is received. Many organisations find data protection obligations a significant burden, but as our personal data becomes increasingly valuable to organisations, appropriate regulation of its use becomes increasingly important.