The Data Protection and Digital Information (No. 2) Bill is close to being finalised. In this newsletter we will explain the background and implications of the Bill.
What is the background of the DPDI Bill?
The DPDI Bill was introduced to Parliament on 8th March 2023. It largely retains the content of the original Data Protection and Digital Information Bill, which was introduced in July 2022 and has now been superseded. The Bill aims to reduce the compliance burden on organisations and create more flexibility, while maintaining high data protection standards.
The Bill proposes changes to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR). Below we explain some of the key changes in more detail.
What is the proposed reform in relation to ‘personal data’?
Currently under the UK GDPR, ‘personal data’ covers any information that relates to an identified or identifiable individual. The Bill seeks to refine this concept by setting out the circumstances in which information being processed amounts to information relating to an ‘identifiable living individual’. The first is where the living individual is identifiable by the controller or processor by reasonable means at the time of the processing. The second is where the controller or processor knows, or ought reasonably to know, that (a) another person will, or is likely to, obtain the information as a result of the processing; and (b) the living individual will be, or is likely to be, identifiable by that person by reasonable means at the time of the processing.
In addition, the Bill seeks to clarify when an individual is identified directly or indirectly.
What are Subject Access Requests and what change is being proposed?
A Subject Access Request (SAR) is a request made by or on behalf of an individual for the information (their personal data) which they are entitled to ask for under Article 15 of the UK GDPR. Currently, data controllers may charge a reasonable fee for complying with a SAR, or refuse to comply with it, if the request is ‘manifestly unfounded’ or ‘excessive’. The Bill seeks to replace this threshold with ‘vexatious’ or ‘excessive’. This amendment could broaden the circumstances in which controllers may refuse to comply with a SAR, or charge a fee for complying with one.
What are the proposed changes in relation to automated decision-making?
Article 22 of the UK GDPR limits the circumstances in which organisations can make solely automated decisions, including those based on profiling, which have a legal or similarly significant effect on individuals.
The Bill proposes amendments to Article 22, including a new definition of a decision based solely on automated processing as one that ‘involves no meaningful human involvement’. The Bill further clarifies that, when determining whether a decision is made with ‘meaningful human involvement’, consideration must be given to the extent to which the decision is reached by means of profiling.
The Bill also sets out certain safeguards that controllers need to put into place where a significant decision taken by or on behalf of a controller in relation to a data subject is (a) based entirely or partly on personal data; and (b) based solely on automated processing.
What is being proposed in relation to international data transfers?
Currently under the UK GDPR, personal data may be transferred from the UK to a recipient in a country, territory or international organisation that is covered by UK adequacy regulations. Adequacy regulations confirm that the country, territory or international organisation in question has an adequate data protection regime. The DPDI Bill introduces a new ‘data protection test’ for assessing adequacy: rather than requiring an essentially equivalent regime, the test asks whether the standard of protection in the recipient country is ‘materially lower’ than under the UK GDPR.
How 3CS can help
Our team of corporate and commercial lawyers and consultants has both domestic and international expertise and offers a full range of corporate and commercial legal services. If you need any assistance or have any other questions in relation to compliance with data protection requirements, please get in touch with your usual 3CS contact.