Following the UK’s departure from the European Union, a key priority for the UK Government has been to amend UK laws to reduce red tape for business and simplify EU laws that were retained in UK law following Brexit.
One of these areas is in relation to data protection law. On 8 March 2023, the Government introduced a new Data Protection and Digital Information Bill (the “Bill”) to Parliament. The Bill replaces a previous bill published in June 2022, and will amend existing UK data protection law rather than replace the law in its entirety. The changes aim to introduce a simple, clear, and business-friendly framework that will not be costly or difficult to implement.
Since the introduction of the General Data Protection Regulation (“GDPR”) in 2018, and against a backdrop of significant, fast-paced technological innovation across all sectors, including the energy sector, data protection has been high on the agenda for all businesses. In particular, the GDPR required many businesses to overhaul their existing processes and procedures to ensure compliance with the principles of the new regime and to enable them to demonstrate this. Changes to the current law may therefore raise concerns amongst some businesses that have had to incur significant costs and devote significant resources to comply with the GDPR. However, the good news is that the changes incorporated in the Bill are not expected to impact those organisations that have already implemented changes to comply with the GDPR. Rather, the changes will generally make compliance easier for those organisations that are putting policies and procedures in place, and any organisation that complies with the GDPR requirements will not need to amend its policies and procedures should the Bill become law.
The GDPR has been criticised for taking a “one-size-fits-all” approach and for being complex, costly and onerous for businesses to comply with. The Government has stated that the Bill will save the UK economy £4.7 billion over the next 10 years while maintaining the existing data protection standards that enable the UK to trade data internationally without significant red tape. It remains to be seen, however, whether any of the changes brought by the Bill would have an impact on the UK’s “adequacy” status for transferring personal data to the UK from the EU – ultimately, this will be for the EU to determine.
Some of the changes introduced by the Bill, which we consider will be of interest to businesses in the energy industry, are:
– Changes to when a business can rely on “legitimate interests” as constituting a legal basis for processing. These include intra-group transmission of personal data where necessary for internal administrative purposes. These will be subject to a balancing test but if they can be relied upon are expected to ease some of the administrative burden on businesses sharing personal data within their group.
– The existing requirement to maintain a record of processing activity for all processing activities will be limited to records of processing for high-risk processing activities. This is also likely to ease the administrative burden on businesses, while balancing the risks for data subjects.
– Changes to the requirement to obtain consent for cookies and similar technologies placed for the purposes of collecting statistical information or to bring improvements, for the installation of necessary security updates and to locate an individual in an emergency.
At the time of writing, it is unclear what the Government’s timescales are for the Bill. The Bill is substantial, at over 200 pages, and may take some time to work its way through Parliament.
It is also possible that some of the more contentious provisions (for example the powers granted to the Secretary of State to amend legislation) may face opposition in the House of Lords. We will therefore need to wait and see how the Bill progresses through Parliament.