After a failed attempt to revitalise data protection law with an initial bill laid before Parliament last summer, the Data Protection and Digital Information (No. 2) Bill was introduced by the UK government in March of this year.
If enacted, the Bill will amend the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations.
Generally speaking, the Bill has been welcomed: it contains reforms intended to make data protection law more straightforward for businesses to understand and implement, and it introduces some flexibility in how businesses may use personal data. This should reduce the administrative and cost burden of complying with data protection law.
Specific changes proposed under the Bill include:
- clarifications around legitimate interests, scientific research and automated decision-making, which should allow businesses to explore the potential of new technologies and artificial intelligence without the risk of technical non-compliance with rules that currently lack clarity;
- data protection impact assessments being required only for processing that is likely to be high-risk;
- a right for businesses to refuse a subject access request, or to charge a reasonable fee for it, where the request is "vexatious or excessive". Examples of "vexatious" requests given in the Bill are those that "(a) are intended to cause distress, (b) are not made in good faith, or (c) are an abuse of process";
- a relaxation of the cookie rules so that a website operator could set certain types of non-intrusive statistical, security and location cookies without the consent pop-ups currently required;
- a change to the record-keeping requirement so that records of processing will only be required for processing that is likely to be high-risk.
Businesses already compliant with the UK's existing data protection laws will not need to make substantive changes to their current practices to comply with the Bill, though they may choose to take advantage of the proposed changes to streamline their UK compliance obligations. UK businesses with operations in the EU will need to continue to comply with the EU GDPR.
Whilst the Bill would go some way towards reducing bureaucracy for businesses and increasing their autonomy, the fundamental data protection landscape, obligations and principles are not set to change. Data protection standards remain high and the potential consequences of non-compliance remain significant, so businesses should not give data protection compliance any lower priority.
The Bill is still at an early stage of the legislative process, but it will be an interesting piece of legislation to watch as it develops in the coming months.