The UK Data Protection and Digital Information Bill

The data protection team of DGKV notes an ongoing reform of the regulation of personal data processing in the UK. Since Brexit, the EU’s General Data Protection Regulation (the “EU GDPR”) has ceased to apply to data processing and protection in the UK, and separate UK data protection rules have been introduced to govern the processing of personal data of UK individuals or by UK entities. These rules are going to be significantly reformed in the coming months by the proposed UK Data Protection and Digital Information Bill (“the Data Bill”).

On 28 June 2021, the EU adopted an adequacy decision pursuant to Article 45 of the EU GDPR, thus ensuring the continued free flow of personal data from the EU to the UK. On 8 March 2023, the UK Data Bill was introduced. It will be examined in the context of not only the adequacy decision but also the UK Retained EU Law (Revocation and Reform) Bill 2022 (“REUL”), which has been introduced and is currently at the report stage in the UK House of Commons, the UK General Data Protection Regulation (the “UK GDPR”), the Data Protection Act 2018 (the “DPA 2018”), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PECR”), which apply in the area of electronic communications, including marketing activities. The operation of UK GDPR and PECR will expire on 31 December 2023.

The purpose of the Data Bill is to create a new data protection framework. The Data Bill is composed of six parts and introduces changes in the existing UK data protection regime related to various aspects, such as the definition of personal data; the processing of data for “legitimate interests”; subject access requests; automated decision-making; scientific research; the obligations of data controllers and processors; international transfers of personal data; and intelligence service and national security processing. The Data Bill establishes rules on the provision of digital verification services; on data sharing that supports the delivery of public services which benefit businesses; on a new opt-out model for cookies; on the abolition of the Information Commissioner’s Office and the transfer of its functions to an Information Commission; and on the regulation and oversight of biometrics, CCTV, and the National DNA Database.

Some of the significant changes pursuant to the Data Bill include the following:

 • New lawful bases for automated individual decision-making are introduced;

 • Records of processing activities are no longer required for all organisations;

 • The fines for nuisance calls are increased to up to 4% of global turnover or £17.5 million, whichever is greater;

 • The requirement to appoint a UK-based representative is removed; and

 • A non-exhaustive list of activities which could be considered a legitimate interest of a controller is introduced.

It is important to note that the EU adequacy decision is limited to four years without the possibility of automatic renewal. A new adequacy assessment on the level of data protection in the UK shall be made in June 2025. Concerns have been expressed that the adoption of the Data Bill will jeopardize the 2025 adequacy assessment if it deviates too far from the EU’s data protection gold standard.

A Public Bill Committee has been set up to scrutinize the Data Bill line by line and review written comments submitted by persons with “expertise and experience or a special interest” in the Data Bill. The first sitting of the Public Bill Committee is expected to take place on 10 May 2023 and the Committee is scheduled to report by 13 June.

As the topic is relevant and important to Bulgarian and other EEA companies that do business with UK entities or transfer data to them on other grounds, our team will continue monitoring developments in the matter.