Having had a little break, the DPDI Bill was re-introduced into Parliament on 8 March 2023. Technically, the previous DPDI Bill (DPDI 1) was withdrawn on the same day, and the fresh new Bill is called the Data Protection and Digital Information (No. 2) Bill (DPDI 2). DPDI 2 nevertheless retains much of the content of DPDI 1.
I thought I’d do a comparison between DPDI 1 and DPDI 2, using the topics from my newsflash on 18 July 2022 (when DPDI 1 was introduced into Parliament).
| Topic | DPDI 1 | DPDI 2 |
|---|---|---|
| Lawful basis for processing (Article 6 UK GDPR) | In addition to the existing six lawful bases, there will be a new one (Article 6(1)(ea)): ‘processing is necessary for the purposes of a recognised legitimate interest’. A new Annex 1 to the UK GDPR contains a list of such recognised legitimate interests. | The new lawful basis remains in DPDI 2, with the list of recognised legitimate interests in Annex 1. In addition, there is a new list of examples of the types of processing that may be necessary for the purpose of a legitimate interest under the existing lawful basis in Article 6(1)(f). These are not revolutionary, particularly as they reflect Recitals 46, 47 and 49 of the UK GDPR, though they may reduce the arguments some people like to have over seeking consent to direct marketing, which often confuse the lawful basis under the UK GDPR with the requirements of the Privacy and Electronic Communications Regulations (PECR). DPDI 2 also amends the PECR marketing rules; see my comment on this below. |
| Compatible purposes of processing (Article 5(1)(b)) | A new Annex 2 to the UK GDPR will list purposes of data processing which are considered ‘compatible’ with the purposes for which the personal data was collected. | The provisions relating to compatible purposes in DPDI 2 appear substantially the same as in DPDI 1. |
| Vexatious requests from data subjects (new Article 12A UK GDPR) | The ‘manifestly unfounded or excessive’ exemption for requests from data subjects (previously in Article 12(5)) is to be replaced with an exemption for ‘vexatious or excessive’ requests. Examples of vexatious requests include those intended to cause distress, those not made in good faith, and those which are an abuse of process. | The provisions changing ‘manifestly unfounded or excessive’ requests to ‘vexatious or excessive’ requests in DPDI 2 appear substantially the same as in DPDI 1. |
| Clarifying subject access requests (Article 15 UK GDPR) | A new Article 12B allows controllers to clarify a SAR ‘where the controller reasonably requires further information to identify the information or processing activities to which a request…relates’. This expands the current ‘large quantities of data’ rule (in Recital 63): holding a large amount of data becomes just one example of when clarification may be sought. | These new provisions in DPDI 2 on clarifying a request appear substantially the same as in DPDI 1. |
| Automated decision-making (Article 22 UK GDPR) | There will be fewer restrictions on solely automated decision-making, though safeguards must still be in place. The main restrictions will be on solely automated decisions based on special category data, or which rely on the new lawful basis of a ‘recognised legitimate interest’ (see the first row above); safeguards must nevertheless be in place for all solely automated decisions involving personal data. The provisions only apply where the decision is a ‘significant decision’, producing a legal effect or ‘similarly significant effect’ for the individual. Regulations may specify situations which have (or do not have) a similarly significant effect. | DPDI 2 contains similar changes to the rules on automated decision-making to those in DPDI 1. There is additional clarification over profiling: in considering whether there is meaningful human involvement in a decision, a person must consider the extent to which the decision is reached by means of profiling (in other words, automated processing to evaluate individuals). In addition, regulations may be made to describe cases where there is (or is not) meaningful human involvement. |
| Some fun relabelling: DPIAs, DPOs, ROPAs, ICO | DPIAs become ‘assessments of high risk processing’, DPOs become ‘senior responsible individuals’, ROPAs become ‘records of processing of personal data’ and the ICO becomes the ‘Information Commission’. There is some substance to these name changes too, aimed at reducing the burdens on organisations in complying with these requirements. | The provisions on assessments of high risk processing, senior responsible individuals and the new Information Commission within DPDI 2 appear substantially the same as in DPDI 1. There is, however, a significant change to the rules relating to records of processing of personal data. Whilst the rules in DPDI 1 would have applied to all controllers and processors, under DPDI 2 the rules only apply where a controller or processor carries out processing which is likely to result in a high risk to individuals. In other words, such records will only be needed in the same situations as assessments of high risk processing are required. This is a significant change to the current Article 30 UK GDPR rules. However, organisations may wish to continue to maintain similar records in order to keep track of their activities, and to demonstrate compliance for the purposes of accountability. |
| International Data Transfers (Chapter V UK GDPR) | Schedules 5 to 7 to the Bill contain extensive provisions on international data transfers (IDT). The aim is to enable the UK government to take a risk-based approach to assessing the adequacy of other countries, and to allow data exporters to act pragmatically and proportionately when using alternative transfer mechanisms (though the key transfer mechanisms appear to remain the same as under current law). | The IDT provisions within DPDI 2 appear substantially the same as in DPDI 1, though Schedule 7 (transitional provisions) contains some additional provisions relating to the continuation of ‘pre-commencement’ transfer mechanisms. |
Some comments on other changes not covered in my previous newsflash:
DPDI 2 is available here.
Olivia Whitcroft, principal of OBEP, 14 March 2023
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details