On March 8th, 2023, the UK Government introduced a new Data Protection and Digital Information Bill (2) into parliament. The government announcement of this bill claimed that “British Businesses to Save Billions Under New UK Version of GDPR”. What does this mean in practical terms for businesses and consumers?
Nothing has changed - yet
This announcement needs to be put into context. Firstly, the political context is that the government has been under pressure to show some tangible benefits from Brexit. In September 2022, the UK Government announced “The Retained EU Law (Revocation and Reform) Bill 2022”. This requires the government to “..sunset the majority of retained EU law so that it expires on 31st December 2023..” and assimilate it into UK statutes where appropriate to ensure the supremacy of UK rather than EU law. Secondly, in the context of the legislative process, nothing will change until the bill has passed through three readings in the House of Commons and then three readings in the House of Lords followed by Royal assent. During this process there may be many changes and amendments.
UK Data Protection Act 2018
In 2018, when the UK was still a member of the EU, the obligations under EU GDPR (General Data Protection Regulation) were incorporated into UK law through the UK Data Protection Act 2018. The new proposed legislation is tabled in the form of a set of amendments to that act. This makes the details of the proposal difficult to understand without a detailed knowledge of the chapter and verse of that act. To clarify this the government has published a set of explanatory notes that explain the intent of the changes. These show that the bill covers a range of areas and some of the highlights are set out below.
Clarification
One purpose of the bill is to provide clarification in several areas:
- It provides greater clarity about what is personal data and the reasonable steps that a data controller needs to take to decide whether data could identify a living individual.
- It clarifies the different lawful grounds for which private companies can process personal data at the request of public bodies.
- It will provide the Information Commissioner with a sufficiently clear framework of objectives and duties in relation to its data protection responsibilities, against which to prioritize its activities and resources, evaluate its performance and be held accountable by its stakeholders.
- It clarifies language to help researchers in their use of personal data. It allows for the re-use of personal data for the purpose of longer-term research studies.
- It clarifies the rules on international transfers and cross-border flows of personal data. This is intended to facilitate international trade by providing a clearer and more stable framework for international transfers of personal data. The reformed regime aims to continue ensuring high standards of protection when people’s data is transferred overseas, and the data protection tests will focus on the data protection outcomes provided for data subjects, irrespective of form.
Outcomes rather than controls
The government considers that the current legislation focuses too heavily on prescribed controls rather than risk-based outcomes:
- The current legislation also prescribes a series of activities and controls which organizations must adopt to be considered compliant. This can lead to a ‘box-ticking’ compliance regime, rather than one which encourages a proactive and systemic approach.
- It streamlines the requirements on organizations to demonstrate how they are complying with the legislation.
- It also amends the exemption under which organizations can charge a reasonable fee for, or refuse to respond to, a request from a data subject, so that it applies where a request is deemed to be ‘vexatious or excessive’.
- It will support appropriate data-sharing across the wider health and adult social care sector by setting standards for how information is shared, which make it easier to compare data across the sector.
- It will simplify the oversight framework for the police use of biometrics and police and local authority use of surveillance cameras.
Privacy and Electronic Communications
It also makes changes to the Privacy and Electronic Communications Regulations 2003, relating to confidentiality of terminal equipment (e.g., cookie rules), unsolicited direct marketing communications (e.g., nuisance calls), and communications security (e.g., network traffic and location data).
Digital Verification Services
There is currently no existing legislation relating to the regulation of private organizations providing digital verification services in the UK. The bill aims to increase trust in and acceptance of digital identities across the UK. It will establish a regulatory framework for the provision of digital verification services in the UK and enable public authorities to disclose personal information to trusted digital verification services providers for the purpose of identity and eligibility verification.
Smart Data schemes
Smart Data is defined as the secure sharing of customer data, upon the customer’s request, with authorized third-party providers (ATPs). Organizations that are neither the customer nor the original service provider (ATPs) can then use this data to provide innovative services for the consumer or business. The bill is intended to enable:
- Rebalancing the information asymmetry between suppliers and customers.
- Customers to make better use of their personal data, e.g., enabling accurate tariff comparisons and providing access to better deals.
- Customers to benefit from a more competitive marketplace, including through lower prices and higher quality goods and service delivery.
- New services in and across the sectors, to help consumers save and manage their money and services.
Electronic Registers
This Bill would remove the requirement for paper registers to be held and stored securely in each registration district and enable all births and deaths to be registered electronically. This will remove the current duplication whereby births and deaths are registered both electronically and in paper registers. Currently the person registering a birth or death must physically sign the register in the presence of the registrar. It also makes it possible, at some time in the future, for the person registering to sign by some other means.
Trust services and eIDAS
‘Trust services’ include services specifically relating to electronic signatures, electronic seals, timestamps, electronic delivery services, and website authentication. The eIDAS Regulation requires that such trust services meet certain criteria - standards and technical specifications - to allow for interoperability across the UK economy.
- The bill recognizes conformity assessment reports that have been issued by EU conformity assessment bodies accredited by the national accreditation body of an EU member state, and provides that these reports can be used to grant a trust service provider qualified status under Article 21 of the eIDAS Regulation, and for the purposes of the regular auditing requirements under Article 20(1).
- It also gives the power to the secretary of state in the future to revoke this should the continued unilateral recognition of EU qualified trust services no longer be appropriate.
Opinion
On the face of it this bill looks to provide useful clarification around the processing of personal data. It supports a risk-based approach to personal data processing rather than a prescriptive one. It enables greater use of IT within the public sector and control over the use of data by law enforcement. It provides control over digital identity verification providers and smart data sharing. However, I do not see how this legislation will save UK businesses millions of pounds. It is a shame that there is no mention of the opportunities from tamper-proof registers of personal data held by public bodies for security and durability. It may help SMBs that operate solely within the UK, but I doubt that it will help multinationals. These organizations have to deal with the plethora of privacy legislation around the world, and this bill risks adding another to this burden. Much will depend upon whether the EU will recognize that compliance with the UK rules set out in this bill will satisfy GDPR in the context of Schrems II to allow personal data transfers and processing in the UK.
The mastermind behind Schrems II, privacy advocate Max Schrems will be speaking at the European Identity and Cloud Conference 2023 on Tuesday, May 9. You can get a ticket at Early Bird price until March 31.