On 18 July 2022, the UK government published the Data Protection and Digital Information Bill (the “Bill”), which proposes reforms to the UK’s data protection and e-privacy landscape in line with the National Data Strategy. All companies that conduct business in the UK – whether on the ground or remotely – could be affected by the changes given the regime’s extraterritorial effect.

The Bill responds to a perception that the current requirements are overly burdensome and stifle innovation by proposing to relax certain obligations while trying not to diverge too far from the GDPR’s requirements. Changes that diminish the level of protection could impact the UK’s European Commission adequacy decision, which permits the free flow of personal data from the EEA to the UK.

While much could change during the legislative process, here are the key points to note now.

  1. No major changes to the current regime: The Bill does not revoke the UK GDPR or contain any major substantive changes to the current landscape. It would, however, diverge from the GDPR in some respects.
  2. More relaxed cookies consent requirements: The Bill proposes to remove the need to obtain user consent for a greater range of cookies, including those relating to website functionality, and the collection of statistical information about how the website is used and how it can be improved. Companies operating parallel UK and EU-facing websites would need to decide to what extent they could geo-fence visitors if they wanted to comply with the divergent standards. In practice, some might choose to continue to apply the EU’s more stringent standards in the UK for ease.
  3. Right to access customer data and business data: The Bill proposes a right for customers to receive “customer data” (including information about transactions between the customer and the trader) and “business data” (including information about, or relating to the supply of, goods, services and digital content provided by the company) from the businesses they transact with. Unlike the data subject rights under the GDPR, these customer and business data rights apply to any type of customer – including corporate entities – that interacts with a business in a B2C capacity, signalling an expansion of data rights into the non-personal data realm.
  4. Pre-approved legitimate interests: The Bill proposes a list of pre-approved “legitimate interests” that will not require companies to perform a legitimate interests assessment. These include processing of personal data that is necessary to respond to a request that is in the public interest, to safeguard national security, and for preventing, detecting or investigating crime. Companies will still need to document which interest applies and demonstrate that the processing is necessary to further that interest.
  5. Increased scope to refuse data subject access requests (“DSARs”): The Bill would let data controllers refuse DSARs that are “vexatious or excessive”. It includes a list of factors for controllers to consider when determining whether this threshold is met (which are similar to those in the recent European Data Protection Board DSAR guidance), as well as identifying specific situations in which DSARs can be refused. It is unclear what the practical impact of this change will be and, in particular, whether any “vexatious” requests would not also satisfy the current requirement that requests be “manifestly unfounded”.
  6. Changes to documentation requirements: The Bill proposes replacing Records of Processing Activities (“ROPAs”) with Records of Processing Personal Data, and Data Protection Impact Assessments (“DPIAs”) with Assessments of High Risk Processing. The proposed content requirements are slightly less prescriptive than at present, but would continue to be largely aligned with the current requirements. Nonetheless, companies will need to adjust their current ROPAs and DPIAs as necessary to ensure that they address any new requirements.
  7. Data Protection Officers (“DPO”) versus Senior Responsible Individuals (“SRI”): The Bill proposes removing the current DPO requirements. Instead, public bodies, and companies that process “high risk” personal data, must appoint an SRI – a member of senior management who has responsibility for overseeing various data-protection related tasks. The SRI’s responsibilities are similar to those of a DPO with some new additions, including an obligation to “deal with personal data breaches”. It is unclear what role the Bill envisages the SRI playing in a personal data breach, though they will likely need to be included on any incident response team for UK-related breaches.
  8. UK representative requirement scrapped: Non-UK based data controllers or processors that do not have a physical presence in the UK would no longer be required to appoint a local representative.
  9. New “Data protection test” for international data transfers: The Bill proposes a new “data protection test” for determining whether the standard of data protection in the data recipient’s jurisdiction is not “materially lower” than the standard in the UK. This outcomes-based assessment must at least consider the factors listed in the Bill – which are similar to those contained in the current European Data Protection Board guidance. The Bill’s wording – that the third country’s data protection standards are not “materially lower” than the UK – is slightly different than under the GDPR, which requires the standard to be “essentially equivalent” though not identical. It remains to be seen whether this would result in any practical differences between the two tests.

Next Steps

Companies should continue to monitor the content of the Bill as it progresses through Parliament and, once it is finalised, they may want to consider where they might be able to benefit from any divergence between the regimes and/or what policies, procedures and practices need updating to reflect the modified requirements.

While a UK government official has stated that the government believes that the proposed changes are compatible with maintaining the UK’s European Commission adequacy decision, the EU is yet to comment and some uncertainty remains.

****

The authors would like to thank Sophie Michalski for her contribution to this article.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group, and the Data Strategy & Security practice. She can be reached at mhirst@debevoise.com.