Newsflash: Data Protection and Digital Information Bill introduced into UK Parliament

And…we’re off! Today, the Data Protection and Digital Information Bill (re-named from the Digital Reform Bill) was introduced into UK Parliament. There’s a lot to get one’s teeth into, but here are some things that sprang out from my initial look through.

  • Lawful basis for processing (Article 6 UK GDPR): In addition to the existing six lawful bases, there will be a new one: ‘processing is necessary for the purposes of a recognised legitimate interest’. A new Annex 1 to the UK GDPR contains a list of such legitimate interests (including, for example, where a controller receives a request to disclose data to a public body which needs it to carry out a public task).
  • Compatible purposes of processing (Article 5(1)(b)): A new Annex 2 to the UK GDPR will list purposes of data processing which are considered ‘compatible’ with the purposes of collection of personal data. This, again, includes where a controller receives a request to disclose data to a public body which needs it to carry out a public task.
  • Vexatious requests from data subjects (new Article 12A UK GDPR): The ‘manifestly unfounded or excessive’ exemption to requests from data subjects (previously Article 12(5)) is to be replaced with an exemption for ‘vexatious or excessive’ requests. Examples of vexatious requests include those: intended to cause distress; not made in good faith; or which are an abuse of process.
  • Clarifying subject access requests (Article 15 UK GDPR): A new Article 12B allows controllers to clarify a SAR ‘where the controller reasonably requires further information to identify the information or processing activities to which a request…relates’. This expands the current ‘large quantities of data’ rule (in Recital 63), as holding a large amount of data is now just an example of when clarification may be sought.
  • Automated decision-making (Article 22 UK GDPR): There will be fewer restrictions on solely automated decision-making, though safeguards must still be in place.
  • Some fun re-labelling: data protection impact assessments to be replaced with ‘assessments of high risk processing’; you won’t need a data protection officer, but you may need a ‘senior responsible individual’; ‘records of processing activities’ will become ‘records of processing of personal data’. There is some substance to these name changes too, aimed at reducing the burdens on organisations in complying with these requirements. The Office of the Information Commissioner will also transform into the ‘Information Commission’ (a new body corporate).
  • International Data Transfers (Chapter V UK GDPR): Schedule 5 to the Bill has lots of stuff on international data transfers – I need some more time to go through it!
  • Cookies rules under PECR: There will be new circumstances in which consent to the use of cookies is not required. The Explanatory Notes to the Bill explain that these are purposes which ‘are considered to present a low risk to people’s privacy’.

This is of course the first version of the Bill, and there may yet be many changes before it becomes an Act! The Bill is available here.

Olivia Whitcroft, principal of OBEP, 18 July 2022

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details