Data Protection and Digital Information (No 2) Bill: a second attempt at data protection reform
In the summer of 2022, the then Secretary of State for Digital, Culture, Media and Sport, Nadine Dorries MP, introduced the Data Protection and Digital Information Bill into the House of Commons. That Bill proposed various changes to the UK GDPR and the Data Protection Act 2018. The Bill had its first reading in the House of Commons but, shortly before its scheduled second reading, it was dropped from the parliamentary calendar and further consultation with business was announced. Nothing further happened with the Bill until last month, when it was formally withdrawn and the Secretary of State for Science, Innovation and Technology, Michelle Donelan MP, introduced the (imaginatively named) Data Protection and Digital Information (No 2) Bill. This piece will briefly consider some of the data protection reforms proposed in the second Bill.
The Information Commissioner
One of the most significant proposed changes is to abolish the office of Information Commissioner and replace it with a new body to be called the Information Commission. As things currently stand the Information Commissioner is the regulator for data protection across the whole of the United Kingdom; he also has responsibility for regulating and enforcing other legislation in the field of information law. The model of having a single office holder as the regulator for data protection (supported by staff and other officers appointed by them) has existed since the Data Protection Act 1984 created the Data Protection Registrar. That office has, over the decades, morphed into the current office of Information Commissioner. However, the government considers that the model which has operated thus far is no longer appropriate for such a large regulator with functions across a number of areas.
The new Commission would inherit the functions and powers of the Information Commissioner so functionally not much would change beyond who was exercising those functions. However, some other aspects of the Bill have caused concern about the future independence of the Commissioner and, in due course, the Commission.
The Chair of the Commission would be appointed by the King on the advice of the Secretary of State (as is currently the case for the Information Commissioner), but other members of the Board would be appointed by the Secretary of State. The Chief Executive would be appointed by the non-executive members of the Commission (which would include the Chair) but must consult with the Secretary of State before doing so.
Clause 28 of the Bill proposes introducing a new section 120E into the Data Protection Act 2018 which would empower the Secretary of State to issue a statement of priorities in relation to data protection. The Commissioner (and later, the Commission) would be required to have regard to that statement of priorities when carrying out their functions. There is a degree of concern that these provisions would impinge upon the independence of the regulator. However, the duty to have regard to the statement of priorities would not apply to the carrying out of functions in relation to a particular person, case or investigation. This suggests that the regulator would continue to be entirely independent from the Executive in the carrying out of their investigatory and enforcement functions. These provisions could raise some difficulties in relation to the adequacy decision by the European Union in respect of the United Kingdom; that is certainly an area to keep under review as it could have a negative impact upon data flows between the United Kingdom and the European Union.
Clause 36 of the Bill proposes introducing a new section 148A into the Data Protection Act 2018. This would give the Information Commissioner the power to issue an “Interview Notice”. This power would enable the regulator to require a person to attend an interview in the circumstances outlined in the proposed section 148A(1); this includes where the Commissioner suspects that a criminal offence has been committed.
It would be possible to appeal the notice to the First-Tier Tribunal and, as such, the date and time of the interview could not be before the expiry of the period in which an appeal may be made. There would be no requirement to comply with the notice until any appeal against it had been determined or withdrawn.
It will be a criminal offence, in responding to such a notice, to make a false statement knowingly or recklessly in a material respect. However, other than in relation to the offence of making false statements, any statement made in response to an interview notice would not be admissible in criminal proceedings brought against that person for offences under the Data Protection Act 2018 unless (i) in giving evidence at trial the individual states something that is inconsistent with the earlier statement; or (ii) it is introduced or adduced by the individual or on their behalf.
There would be other protections, for example, against self-incrimination and in relation to material covered by legal privilege.
Direct Marketing
Spam texts, spam e-mails and nuisance telephone calls for the purposes of direct marketing are a matter of public concern and an area in which the Information Commissioner remains active in terms of enforcement. The Bill proposes several changes in this area.
Direct marketing is principally regulated by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). There is currently no definition of direct marketing within PECR; instead, it is necessary to look to the Data Protection Act 2018 for the definition. Clause 81 of the Bill proposes introducing a definition of direct marketing into PECR; it is the same definition as is currently provided for within the Data Protection Act 2018, so it changes nothing in substance but will make PECR more readable.
So-called “non-commercial organisations” would be able to rely upon what has come to be known as the “soft opt-in” for the purposes of being able to undertake direct marketing. It would apply to organisations which have charitable, political or non-commercial objectives, enabling them to undertake direct marketing to further their objectives using personal data collected from people who have expressed an interest in or provided support for their objectives.
The Bill proposes that the Secretary of State will be able to make Regulations exempting marketing communications for the purposes of political engagement from the direct marketing provisions, provided that they are not directed at children under the age of 14.
The enforcement provisions for PECR will become linked to the enforcement powers within the Data Protection Act 2018. Currently, the Commissioner’s enforcement powers in relation to PECR are linked to the Data Protection Act 1998, which has been repealed other than to the extent it has been saved for the purposes of enforcing PECR. This will see the potential financial penalties for breaches of PECR increase from the present maximum of £500,000 to the same as those under the UK GDPR (£17,500,000 or 4% of global turnover, whichever is greater).
The Bill also introduces a new obligation on electronic communications network providers to notify the Information Commissioner of “any reasonable grounds” that they have for suspecting that a person is contravening or has contravened the direct marketing rules. There will be penalties for non-compliance. What “reasonable grounds” means is unclear, but the Explanatory Notes accompanying the Bill suggest that interception or examination of the content of communications won’t be necessary for compliance.
Records of Processing Activities
Article 30 of the UK GDPR, which makes provision for ‘Records of Processing Activities’, is going and will be replaced with a new Article 30A. Controllers and processors will be exempt from the need to keep records of processing “unless, taking into account the nature, scope, context and purposes of the processing, it is likely to result in a high risk to the rights and freedoms of individuals.” Section 61 of the Data Protection Act 2018 is also going and will be replaced by a new section 61A on records of processing activities in the context of law enforcement processing.
Legitimate Interests
The first iteration of the Bill proposed that businesses could rely upon the legitimate interests ground of processing, without the need to conduct a balancing exercise between the legitimate interests and the rights and freedoms of data subjects, where the legitimate interests in question were “recognised”. These recognised legitimate interests would be:
- national security, public security and defence
- safeguarding vulnerable individuals
- democratic engagement
The new iteration of the Bill maintains this position; however, it goes on to provide examples of situations where the legitimate interests ground of processing might be an appropriate lawful basis for processing personal data. These examples are not part of the “recognised legitimate interests”, and so a legitimate interests assessment would still be required. It would seem that this provision is intended to clear up some of the misunderstanding around the legitimate interests ground of processing.
Complaints by Data Subjects
The Bill also introduces a new right for a data subject to complain to the controller about the processing of their personal data. Data subjects have always been able to make such complaints, but the law will now require the controller to deal with such complaints and to facilitate them. Furthermore, the Commissioner may refuse to accept a complaint by a data subject about a controller’s processing where no such complaint has been made to the controller first and it is less than 45 days since the complaint was made. The Bill also proposes giving powers to the Secretary of State to require controllers to inform the Commissioner of the number of complaints they have received from data subjects.
The Commissioner will also be able to refuse to deal with a complaint made by a data subject where the complaint is vexatious or excessive. There will be a right of appeal to the First-Tier Tribunal against any refusal by the Commissioner to deal with a complaint made to him by a data subject. The requirement to complain to the controller would only apply before making a complaint to the Commissioner; it will not, as a matter of law, be a gateway to raising court proceedings for compensation or a compliance order.
Definition of Personal Data
The definition of personal data will be slightly narrowed so as to limit the assessment of identifiability to the controller or processor, or anyone likely to receive the information. As the definition is currently drafted, if anyone anywhere in the world could identify the data subject then the information is caught.
The Bill is still in the early days of its journey through parliament and there will be plenty of opportunities for amendments to be proposed (and made) to the Bill before it completes that journey; however, the Department of Science, Innovation and Technology does not expect much in the way of amendment to the Bill. Some of the proposals within the Bill are significant while others are much more mundane in nature and are ones which the government hopes will make some aspects of the data protection framework clearer to businesses.
Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.