Despite a rocky start, the UK Data Protection and Digital Bill 001 2023-24 (called the no. 2 bill following the withdrawal of Bill 265 2022-23) has finally made it through its third reading in the House of Commons and is set to move into the House of Lords later this year or early next year.
The raft of changes and updates since its original introduction has many implications for privacy professionals, some of which will be very welcome and others not so much.
⇒ The inclusion of a list of ‘recognised legitimate interests’ for which the need to carry out a balancing test has been removed.
Pro
The intention is for the list to be updated on a periodic basis. Each update will mean another LIA you don’t need to complete unnecessarily.
Con
We find that doing an LIA provides a moment for stakeholders to ‘pause and reflect’ on the data processing. Care needs to be taken to ensure that complacency doesn’t become the norm in your company if you no longer do LIAs on a routine basis.
⇒ The replacement of the DPO role with that of an SRI (Senior Responsible Individual).
Pro
Con
The SRI role does not contain an independence clause. DPOs have lost some of the protections they had under GDPR.
⇒ The introduction of the ‘vexatious or excessive’ concept for DSARs.
Pro
This change could potentially be very helpful, BUT make sure at the earliest opportunity that the DSAR is (a) intended to cause distress, (b) not made in good faith or (c) an abuse of process, before calling it ‘vexatious or excessive’.
Con
We see a potential conflict of interest here between the company and the privacy professional, should you feel the DSAR is in good faith, but the company decides it’s vexatious (see above re: no independence clause).
⇒ GDPR level consent is no longer required for cookies relating to security updates, user preferences and collecting information for statistical purposes about how the website/service is used with a view to making improvements.
Pro
Less complicated cookie banners – who wouldn’t love that?
Con
Beware! We can envisage occasions where the marketing department decides that collecting information on the performance of ads is for ‘statistical purposes’ or to ‘improve the website’.
⇒ The requirement to carry out a Data Protection Impact Assessment (DPIA) is removed.
Pro
You still need to carry out an assessment of ‘high risk processing’ but it should be a lot easier and the requirements of what needs to be included are more straightforward. The proposed changes require the inclusion of the following: a summary of the purposes of processing, assessment of necessity and risks to individuals and a description of how those risks will be mitigated.
Con
The ‘DPIA-Lite’ approach misses out on some items that we feel are very important under the GDPR – such as the need for consultation. If this is no longer mandated by law, many companies will choose not to do it and will assume that they know the impact on individuals rather than actually truly assessing the impact.
⇒ The provisions regarding automated decision-making now only apply to processing that involves special category data.
Pro
The impact of this change will mean fewer DPIAs or their equivalents (the new ‘high risk processing’ assessment) to carry out.
Con
We foresee a potential decrease in ‘privacy by design and default’ as a result of the removal of other conditions for which DPIAs (or their equivalents) need to be produced. For example, processes or projects that are ‘novel’ to the organisation but which do not involve special category data may not be fully investigated in advance of the processing taking place and risk having unforeseen consequences for both the Data Subject and the organisation.
⇒ An extension of the ‘soft opt-in’ exemption for Direct Marketing to include the purposes of furthering charitable, political or other non-commercial objectives.
Pro
Great if you are the SRI for a political party or an ‘aficionado’ of politics in general.
Con
This change promises to be not so great for everyone else as it basically means a bigger ‘spam’ folder in your inbox or a longer ‘block’ list on your phone. Be prepared for a possible rise in the identification of ‘phishing’ emails within your organisation.
On balance, as privacy specialists, one of whom has spent her career working in Ireland, we find that the changes aren’t too removed from the GDPR and that, taken on its own merits, the new Digital Bill won’t necessarily have a major impact on the day-to-day lives of UK privacy professionals or UK adequacy itself.
However, there are some red flags we cannot ignore. We are concerned about the subtle dilution of individual rights by enabling government to monitor bank accounts under the aegis of combatting ‘fraud’. In a similar vein the politicisation of the Bill by opening up the ‘soft opt-in’ to political parties in addition to the existing purpose to benefit charities and other non-commercial enterprises remains troubling.
Passage of the Bill is expected in Spring 2024 so add this to your 'To Do' list for Q1 with a note to look out for further updates.