On 18 July 2022, the UK government published the Data Protection and Digital Information Bill (the "Bill"), which proposes reforms to the UK's data protection and e-privacy landscape in line with the National Data Strategy. All companies that conduct business in the UK, whether on the ground or remotely, could be affected by the changes given the regime's extraterritorial effect.
The Bill responds to a perception that the current requirements are overly burdensome and stifle innovation by proposing to relax certain obligations while trying not to diverge too far from the GDPR's requirements. Changes that diminish the level of protection could affect the UK's European Commission adequacy decision, which permits the free flow of personal data from the EEA to the UK.
While much may change during the legislative process, here are the key points to note now.
- No major changes to the current regime: The Bill does not revoke the UK GDPR or contain any major substantive changes to the current landscape. It would, however, diverge from the GDPR in some respects.
- More relaxed cookie consent requirements: The Bill proposes to remove the need to obtain user consent for a wider range of cookies, including those relating to website functionality and the collection of statistical information about how the website is used and how it could be improved. Companies operating parallel UK and EU-facing websites would need to decide to what extent they will geo-fence visitors if they wish to comply with the divergent standards. In practice, some might choose to continue to apply the EU's more stringent standards in the UK for ease.
- Right to access customer data and business data: The Bill proposes a right for customers to receive "customer data" (including information about transactions between the customer and the trader) and "business data" (including information about, or relating to the supply of, goods, services and digital content supplied by the company) from the businesses they transact with. Unlike the data subject rights under the GDPR, these customer and business data rights apply to any type of customer, including corporate entities, that interacts with a business in a B2C capacity, signalling an expansion of data rights into the non-personal data realm.
- Pre-approved legitimate interests: The Bill proposes a list of pre-approved "legitimate interests" that will not require companies to perform a legitimate interests assessment. These include processing of personal data that is necessary to respond to a request that is in the public interest, to safeguard national security, and for preventing, detecting or investigating crime. Companies will still need to document which interest applies and demonstrate that the processing is necessary to further that interest.
- Increased scope to refuse data subject access requests ("DSARs"): The Bill would let data controllers refuse DSARs that are "vexatious or excessive". It includes a list of factors for controllers to consider when determining whether this threshold is met (which are similar to those in the recent European Data Protection Board DSAR guidance), as well as identifying specific situations in which DSARs may be refused. It is unclear what the practical impact of this change will be and, in particular, whether any "vexatious" requests would not also satisfy the current requirement that requests be "manifestly unfounded".
- Changes to documentation requirements: The Bill proposes replacing Records of Processing Activities ("ROPAs") with Records of Processing Personal Data, and Data Protection Impact Assessments ("DPIAs") with Assessments of High Risk Processing. The proposed content requirements are slightly less prescriptive than at present, but would continue to be largely aligned with the current requirements. Nonetheless, companies may need to adjust their current ROPAs and DPIAs as necessary to ensure that they address any new requirements.
- Data Protection Officers ("DPO") versus Senior Responsible Individuals ("SRI"): The Bill proposes removing the current DPO requirements. Instead, public bodies, and companies that process "high risk" personal data, must appoint an SRI, a member of senior management who has responsibility for overseeing various data-protection related tasks. The SRI's responsibilities are similar to those of a DPO with some new additions, including an obligation to "deal with personal data breaches". It is unclear what role the Bill envisages the SRI playing in a personal data breach, though they will likely need to be included on any incident response team for UK-related breaches.
- UK representative requirement scrapped: non-UK based data controllers or processors that do not have a physical presence in the UK would no longer be required to appoint a local representative.
- New "data protection test" for international data transfers: The Bill proposes a new "data protection test" for determining whether the standard of data protection in the data recipient's jurisdiction is not "materially lower" than the standard in the UK. This outcomes-based assessment must at least consider the factors listed in the Bill, which are similar to those contained in the current European Data Protection Board guidance. The Bill's wording, that the third country's data protection standards must not be "materially lower" than the UK's, is slightly different from that of the GDPR, which requires the standard to be "essentially equivalent" though not identical. It remains to be seen whether this will result in any practical differences between the two tests.
Companies should continue to monitor the content of the Bill as it progresses through Parliament and, once it is finalised, may want to consider where they might be able to benefit from any divergence between the regimes and/or which policies, procedures and practices need updating to reflect the changed requirements.
While a UK government official has said that the government believes the proposed changes are compatible with maintaining the UK's European Commission adequacy decision, the EU has yet to comment and some uncertainty remains.
The authors would like to thank Sophie Michalski for her contribution to this article.
Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at email@example.com.
Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at firstname.lastname@example.org.
Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP's Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review's "40 Under 40". He is described as "a rising star" in cyber law by The Legal 500 US (2022). He can be reached at email@example.com.
Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm's White Collar & Regulatory Defense Group and the Data Strategy & Security practice. She can be reached at firstname.lastname@example.org.