Amending the GDPR

26th July 2022 Commercial Litigation

The government has laid the initial version of its new Data Protection and Digital Information Bill before Parliament. This is only the first reading version and so it is inevitable that it will change considerably.

As has already been pointed out, the actual value of the changes being made by this bill will be limited for many people. Anyone processing data of EU residents in the UK must comply, and will continue to have to comply, with the EU version of the GDPR. So changes to the UK version only really benefit organisations seeking to process UK residents' data only. In addition, GDPR compliance is pretty poor generally and there is relatively little enforcement, so easing the rules may in fact make little impact on those who were not complying with them anyway.

However, there are areas in which the legislation will make considerable changes which are likely to benefit businesses who wish to process data in other countries and make use of data for reasons other than for which it was originally collected.

Currently the GDPR does not distinguish much between the manner in which personal data is stored, particularly in relation to pseudonymised data. So if I hold data which contains a user identification number I have assigned, and I could theoretically backtrack that data to a real person, then it is still personal data. Equally, if I strip out identifiable names and addresses, separate them from the rest of the data and use my identification number only, then that data is still personal data, even if I then get another entity to process it without giving them the key to link the pseudonymised data to real people. Pseudonymisation is only recognised by the GDPR as a security measure. This approach has a logic but it's not hugely realistic. The new Data Bill seeks to change that. It sets up a distinction between direct and indirect personal data. The GDPR as originally drafted was clear that no such distinction existed. Where data does not allow reasonable identification of a living individual then it will not be classed as personal data for the purposes of the Data Bill variant of the GDPR. This includes situations where a data controller pseudonymises data and then passes the data without the key to a third party to process.

What does that mean in plain English? Well, put simply, I can collect personal data, strip the name, address, email, etc. from it, making it pseudonymised but still retaining a unique identification number I can use to stick it all back together later, and then provide it to a third party to process unhampered by the GDPR, provided that I do not give them the key to link the data to an individual. As long as the data itself does not give enough clues to reasonably identify someone then that is fine. This would allow transfers of data to countries that are not approved as having adequate personal data regimes as long as the data is pseudonymised first. Potentially this will be a game changer for a lot of organisations. It may also save Google Analytics use in the UK, which was potentially problematic as EU regulators were unhappy with its use of pseudonymisation.
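To make the pseudonymisation described above concrete, here is an added Python example (it is not from this post or the bill): direct identifiers are split off into a key table the controller keeps, the records handed to the third party carry only a keyed token, and a release check flags records whose remaining fields still single someone out, which is the "enough clues to reasonably identify someone" caveat. The field names, the secret and the sample records are all constructed for the illustration.

```python
import hashlib
import hmac
from collections import Counter

# Fields treated as direct identifiers (assumed set for this illustration).
DIRECT_IDENTIFIERS = ("name", "address", "email")

# Secret held by the controller only; never shipped with the shareable data.
SECRET = b"controller-only-secret-CONSTRUCTED"

# Constructed sample records, not real people.
RECORDS = [
    {"name": "Alice Example", "address": "1 Sample St", "email": "alice@example.com",
     "postcode": "AB1 2CD", "year_of_birth": 1980, "spend": 120.5},
    {"name": "Bob Example", "address": "2 Sample St", "email": "bob@example.com",
     "postcode": "AB1 2CD", "year_of_birth": 1980, "spend": 75.0},
    {"name": "Carol Example", "address": "3 Sample St", "email": "carol@example.com",
     "postcode": "ZZ9 9ZZ", "year_of_birth": 1955, "spend": 300.0},
]


def pseudonymise(records, secret):
    """Split each record into a shareable part (direct identifiers removed, keyed
    token added) and a key-table entry that stays with the controller."""
    shareable, key_table = [], {}
    for rec in records:
        # Keyed token: a third party without the secret cannot rebuild it from the email.
        token = hmac.new(secret, rec["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        key_table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        shareable.append({"id": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return shareable, key_table


def contains_direct_identifier(shareable):
    """Release check 1: no direct identifier field survives in the shareable set."""
    return any(k in rec for rec in shareable for k in DIRECT_IDENTIFIERS)


def unique_quasi_identifiers(shareable, fields):
    """Release check 2: tokens whose combination of quasi-identifiers (e.g. postcode
    plus year of birth) is unique in the set, so the record may still be identifiable."""
    counts = Counter(tuple(rec[f] for f in fields) for rec in shareable)
    return [rec["id"] for rec in shareable if counts[tuple(rec[f] for f in fields)] == 1]


def reidentify(shareable_rec, key_table):
    """Only the controller, who holds the key table, can link a record back."""
    return {**key_table[shareable_rec["id"]], **shareable_rec}
```

Running the two release checks before handing data over is the practical step: the first fails loudly if a direct identifier slipped through, the second lists records whose remaining fields would need generalising (coarser postcode, age band) before they are safe to share.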

The Data Bill also aims to simplify legitimate interests. A lot of processing is covered by legitimate interests but it is quite a nebulous processing area precisely because it is so wide-ranging. The Data Bill places a range of processing activities into a Schedule and defines these as legitimate interests in order to simplify some types of processing. In truth it is a short list and many of these things may well have been legitimate interests already but the clarity is helpful.

Another issue that many businesses have had with the GDPR is that data must be collected for a specified purpose and it cannot be used for anything else. Some organisations have tried to get around this by drafting very wide provisions as to how they might use data, but the Upper Tribunal has been very critical of such an approach. The Data Bill has detailed provisions allowing processing for a new purpose where that purpose is compatible with the original one, which are likely to allow for rather wider use.

Another area that has caused annoyance is the habit some individuals have of using the GDPR to prosecute other disputes by making Subject Access Requests that they hope will provide a "smoking gun" for use in their dispute, or simply to cause irritation. The courts have allowed refusal of these in particularly egregious cases, but the GDPR itself is quite narrow in terms of what it permits. The Data Bill seeks to widen the categories of request that can be deemed vexatious by adding a list of points to consider and also allowing rejection of requests made "not in good faith" and which are "an abuse of process". The courts will have to determine the scope of these words, but it will certainly curtail some requests.

The Data Bill also makes certain types of automated decision-making easier, in particular where this has been consented to or where it is being done to decide whether to enter into a contract. In practice, this is likely to considerably ease the burden on such things as credit or tenant referencing done on an automated basis before entering into various forms of agreement with consumers.

For organisations outside the UK (whether in the EU or beyond) the obligation to have a designated Article 27 representative inside the UK is removed. Note that this will not allow organisations processing data for EU residents to avoid having a representative in the EU. This obligation was of limited value in that Article 27 representatives are merely post-boxes and most organisations will have contacts wherever they do business. Those that do not were unlikely to be complying with the obligation in the first place!

There are a range of more technical changes involving reductions in the need to have data protection officers in many cases and easing the burden of record keeping. But these are a bit too detailed to cover here.

One final area of interest is Codes of Practice. These are encouraged under the GDPR and trade bodies can set them up. So far, however, little has happened. The Data Bill includes an express requirement for the ICO to encourage public bodies to do more in this area. This might be quite helpful in a range of areas where a lot of data is being processed but there is little idea of what good practice looks like.

There are a number of other changes relating to archiving and scientific research, and also ones which primarily aim to ease the burden on the state in terms of law enforcement processing and coming to arrangements with other countries about adequacy. These are a bit high risk in that one of the problems with all this is that the UK may lose its own adequacy arrangement with the EU. Companies seeking to process data from EU nationals in the UK are unlikely to see that as a good trade-off for some pretty small easing of burdens that is only applicable to companies trading entirely inside the UK.

How this all progresses will depend on the appetite of any new UK prime minister. It will also depend on whether the EU is minded to accept these changes or push back against them, and how much the UK government is minded to accept EU pushback or fight against it. Again, that may well depend on the attitude of the next PM!

David Smith is a Partner located in London in our Commercial Litigation department