UK Re-Introduces Data Protection and Digital Information Bill

27.03.2023


On 8 March 2023, the UK Ministry for Science, Innovation and Technology (“Ministry”) announced the re-introduction of the Data Protection and Digital Information Bill (“Bill”), which was first introduced in July 2022. The newly published version of the Bill will replace the previous draft.

Data-driven trade generated 85% of the UK’s total service exports and contributed an estimated £259 billion to the economy in 2021, the Ministry said. The new data regime aims to reduce the costs and burdens that UK businesses and charities face in complying with data protection legislation, and to remove data legislation barriers to international trade. The Bill will preserve the basic principles of the UK GDPR, which in the post-Brexit era remains very similar to the European Union General Data Protection Regulation (“EU GDPR”), while aiming to involve less bureaucracy than the EU GDPR.

The improved Bill is expected to:

  • Introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement for companies. It takes the best elements of GDPR and provides businesses with more flexibility about how they comply with the new data laws,
  • Ensure that the new regime maintains data adequacy with the EU,
  • Further reduce the amount of paperwork organisations need to complete to demonstrate their compliance,
  • Support international trade without creating extra costs for businesses if they’re already compliant with current data regulations,
  • Provide organisations with greater confidence about when they can process personal data without consent,
  • Increase public and business confidence regarding AI technologies by clarifying the circumstances when robust safeguards apply to automated decision-making.

The Bill specifically envisages changes in the following topics:

Reduced Record Keeping

The Bill reduces the amount of paperwork organizations must complete to demonstrate compliance with data protection legislation, on the grounds that the current EU GDPR approach can limit organizations' flexibility to manage risks. According to the amended Bill, only organizations that, taking into account the nature, scope, context and purposes of the processing, carry out processing activities likely to pose high risks to the rights and freedoms of individuals will now be required to keep processing records. This may include situations where organizations are processing large volumes of sensitive data about human health. Except in these cases, a controller will no longer be obliged to keep appropriate processing records. In addition, the new draft Bill contains a requirement for the Information Commissioner to publish a document containing examples of types of processing which the Information Commissioner considers likely to result in a high risk to the rights and freedoms of individuals.

Facilitating International Data Transfer

The Bill will ensure that businesses can continue to use existing international data transfer mechanisms to share personal data overseas, provided they are already in compliance with current UK data laws. The new regulation aims to ensure that British businesses do not have to incur additional costs or carry out new checks to show that they comply with the new regulations.

Clarified “Legitimate Interest”

Data controllers that rely on their own legitimate interests as the legal basis for processing personal data are still obliged to ensure that those interests are balanced against the rights and interests of the data subject. However, data controllers are not obliged to carry out this balancing exercise if the processing is carried out for a purpose on the published list of recognized legitimate interests. National security, defense, emergencies, preventing crime, safeguarding, and democratic engagement are included in the proposed list for now. The state will be able to add to this list later.

Increasing public and business confidence in AI Technologies

Innovative technologies such as artificial intelligence and quantum computing have the potential to deliver widespread benefits, such as improving healthcare delivery and reducing the risk of fraud. However, the Ministry noted that the UK's current data protection laws are complex and lack clarity for solely automated decision-making and profiling, making it difficult for organizations to use such technologies responsibly. Under the regulations introduced in the Bill, where such decisions may be wrong or harmful, individuals can appeal them and apply for human review. For example, if a person is denied a job or loan because an automated decision was made without meaningful human input, they could appeal that decision and instead have a human review the result.

GDPR-Compliant Businesses Should Take Note

Since the regulations brought by the Bill are intended to relax the obligations that the GDPR imposes on businesses, businesses that are currently GDPR-compliant will also be compliant with the new regulations.

Changes in ICO Governance Structure

The Bill makes changes to the ICO governance structure and at the same time grants the ICO more discretion around complaint handling and additional powers to compel information and issue interview notices. In this regard, the press release stated: “The Bill will strengthen the Information Commissioner’s Office (ICO) through the creation of a statutory board with a chair and chief executive, so it can remain a world-leading, independent data regulator and better support organisations to comply with data regulation.”


Tagged with: Kavlak Law Firm, Ayşe Aybüke Çilingir, Özge Keskin, Data Protection, Data Privacy
