The Data Protection and Digital Information Bill confirms various inconsistencies between the GDPR and the UK framework that could introduce significant differences between the two legal systems.
The Data Protection and Digital Information Bill, published by the Department for Digital, Culture, Media and Sport (DCMS), was presented to the UK Parliament on 18 July 2022. In line with the conclusions of the Government (23 June 2022) following Data: A New Direction public consultation (10 September 2021 – 19 November 2021), this text introduces a number of significant developments in UK data protection law, which until then exactly mirrored the GDPR, to adopt a more flexible and pragmatic approach.
Context: Brexit, GDPR and data protection
As we recalled in our column of 5 October 2021 (“Brexit and transfers of personal data, what future for adequacy decisions targeting the UK?”), post-Brexit the UK passed a law that directly ensured that European regulatory measures remained applicable in UK law, including in particular the GDPR. Moreover, this legal implementation did not stop at a simple textual identity, in the sense that it was also agreed that the surviving European legislative measures should be interpreted in accordance with the relevant case law of the Court of Justice of the European Union (CJEU) and with the general principles of EU law.
The legislation governing the protection of personal data in the United Kingdom has thus been strictly identical to the European legal framework since Brexit. In particular, this justified the adequacy decision taken by the European Commission on 28 June 2021, which allows the free flow of data between the European Union and the United Kingdom, the level of data protection being considered adequate in this country, which is now a third country in relation to the European Union.
However, the UK was quick to signal its intention to set a new direction for its data protection legislation. The public consultation Data: A New Direction at the end of 2021 already explained the desire to change UK data protection rules to make them less restrictive and to encourage innovation and growth.
The “Data Protection and Digital Information Bill”, which was presented to Parliament this summer, gives concrete form to this desire to simplify data protection rules and make them more flexible, and confirms certain inconsistencies between the GDPR and the UK legal framework. Indeed, many elements and proposals in the UK text could introduce significant differences, both conceptual and practical, between the two legal orders.
European GDPR and the Data Protection and Digital Information Act: potentially significant differences
The distinctions introduced by the UK Bill and the GDPR are manifold and we will only deal with the most significant ones here.
The concept of personal data
The first distinction, and perhaps one of the most fundamental, because it actually affects all the rules regarding data protection, concerns the very definition of personal data.
Personal data is defined in the sense of the GDPR as “any information relating to an identified or identifiable natural person” (Article 4 GDPR). Such a definition is completely objective in the sense that the qualification of personal data does not take into account a specific situation or the means available to the entity that carries out the processing of this data.
The “Data Protection and Digital Information Bill” limits this very broad definition of personal data by introducing a subjective element into the qualification of personal data. Information about a natural person will thus only be considered personal if it makes that person identifiable to the data controller or processor using means reasonably available to it at the time of processing.
It should be understood here that this is a significant difference which makes the definition of personal data much narrower in the UK legal framework. Thus, an entity in the United Kingdom could process data without being subject to the legal obligations attached to the processing of personal data if it does not have the means (technical, financial, organizational, etc.) to identify the natural person to whom that data relates, even if the same data may qualify as personal for another entity with more extensive means.
The legitimate interest
The UK text also aims to make the legal basis of legitimate interest more flexible and more readily available to justify the processing of personal data. Under the GDPR, legitimate interests are defined and interpreted by the courts in a restrictive and subjective way. A strict test balancing the interests claimed by the entity carrying out the processing against the interests of the data subject is applied on a case-by-case basis, making its use complex and less reliable in terms of legal certainty.
The United Kingdom departs from this approach by explicitly listing the cases in which companies could rely on legitimate interest in the course of their activities. Where processing falls within such a list, the legal basis of legitimate interest could be relied upon without the need to carry out any test balancing the interests involved.
This is again a much more permissive UK approach for entities processing personal data, which will be able to rely more regularly on such a legal basis and continue processing without the express consent of the individuals concerned.
The Data Protection and Digital Information Bill also introduces several differences in relation to a topic that has become particularly crucial today in light of its economic, social, but also geopolitical implications: cross-border transfers of personal data.
As under the GDPR, the transfer of personal data from the United Kingdom to a third country that is not subject to an adequacy decision may only be permitted on condition that the entity responsible for the processing takes appropriate measures to guarantee an adequate level of data protection in connection with the transfer.
However, the British text in this context chooses a risk-based approach: the appropriate nature of the data security measures and the degree of requirements of the supervisory authorities will be assessed and modulated according to the probability of the risk in the particular case of the transfer in question. This is a flexible probabilistic approach which has so far been explicitly and unanimously rejected by the European courts, especially in the wake of recent decisions regarding the use of Google Analytics (see our editorial for more details on this point).
In addition, the “Data Protection and Digital Information Bill” also relaxes the conditions for granting an adequacy decision, which allows the transfer of personal data to a third country without the use of additional data security measures. The GDPR actually adopts an essentialist approach by making the issuance of an adequacy decision conditional on the nature of the data protection rules in the third country being strictly equivalent to those of the European Union. Where the GDPR requires such equivalence in the very essence of the third country’s legal framework, the UK text introduces a second, more flexible test that only requires that the third country’s level of data protection is not significantly lower than that of the United Kingdom.
Such negative wording and the introduction of a material, and therefore subjective, element results in a lower level of requirements compared to the wording of the European test; thus, a third country implementing obligations that are very different from the UK rules may still be subject to an adequacy decision if its concrete overall level of data protection is considered adequate. It cannot be ruled out that such a reformulation of the test necessary to grant an adequacy decision would enable the United States to benefit from such an adequacy decision in order to strengthen economic and political relations between the United Kingdom and the United States after Brexit.
The reform of the UK regulator
The last major difference that will be discussed here concerns the reform of the ICO (Information Commissioner’s Office), the UK regulatory authority. A new “Information Commission” would replace the ICO. The UK Secretary of State will be granted a certain number of powers vis-à-vis the Commission, some of whose initiatives will have to be approved or even defined by him (issuance of codes of conduct and definition of the authority’s overall priorities in particular). The Commission will be given more extensive powers, in particular the power to require the production of documents for examination and inspection.
Implications and next steps
Other measures introducing inconsistencies between UK and European data protection law could also have been cited (relaxation of accountability obligations, relaxation of cookie consent requirements, and the possibility of refusing a request to exercise rights under certain conditions, among others). In any case, the whole set of changes introduced by the “Data Protection and Digital Information Bill” clearly announces the new direction that the United Kingdom wants to adopt in its data protection legislation: simpler, less restrictive and more pragmatic rules, with a view to streamlining economic activity and promoting innovation.
However, such easing will not be without consequences, and this development carries a very real risk: a revocation of the adequacy decision taken by the European Union regarding the United Kingdom. A revocation whose economic impact is estimated at an immediate cost of 220 to 530 million euros and 242 to 470 million annually in lost export earnings (according to the impact analysis of the “Data Protection and Digital Information Bill”).
While the UK authorities insist that the proposed reform will not harm the general level of data protection in the UK, certain measures mentioned above, such as the reform of the ICO and the question of its independence, may prove problematic from the point of view of the adequacy of UK legislation in relation to European standards. More specifically, the relaxation of the requirements for cross-border data transfers, a crucial geostrategic issue, will most likely be subject to great opposition in the European decision-making bodies.