Data protection concerns: Will the UK’s new data protection bill upset the EU-UK adequacy agreement?

In June 2021, the European Commission (EC) granted an ‘adequacy’ decision to the UK – effectively agreeing that UK legislation at the time, the UK GDPR, alongside an amended version of the Data Protection Act 2018 (DPA 2018), offered an equivalent level of data protection to EU citizens in a similar way to the EU GDPR.

The adequacy decision allows personal data to flow freely from the EU and wider European Economic Area (EEA) to the UK, meaning that UK businesses and organisations can continue to receive personal data from the EU and EEA without putting additional arrangements in place.

Although the adequacy decision lasts until June 2025, it may be withdrawn by the EC if the UK data landscape changes to the point of reducing the level of protection offered to EU citizens, and any new legislation would have to be re-tested for suitability by the EC.

In July 2022, The Data Protection and Digital Information Bill (DPDI) was introduced to the House of Commons. It proposed to modify the UK GDPR (i.e. the UK adoption of the EU GDPR) and the Data Protection Act 2018, making data protection compliance more straightforward in the UK and thus promoting innovation while maintaining high data protection standards. However, the DPDI Bill’s journey to becoming an Act of Parliament was cut short due to the change in UK government leadership in September 2022.

A revised draft (Data Protection and Digital Information (No.2) Bill) was introduced to parliament in March 2023. Most of the content in the 2023 Bill remains the same as the previous version.

This article looks at the key reforms proposed by the new UK Data Protection Bill, how subsequent changes to the UK GDPR could affect the EU-UK adequacy decision and what this means for pharmaceutical businesses conducting clinical trials in the UK.

What key UK data protection reforms does the Data Protection and Digital Information Bill introduce?

The Data Protection and Digital Information Bill (2) has made a few significant changes to DPDI (1) but mostly offers further explanation and clarification of previous proposals.

It is worth noting, at this stage, that when the final Bill becomes an Act, due around March 2024, it could well be different again, as changes are possible during its legislative journey. However, with that in mind, the key areas which the Bill intends to address are likely to remain the same and are as follows:

  • A more subjective identifiability test as part of the definition of ‘personal data’, which could narrow the scope of data governed by UK GDPR.
  • A list of ‘recognised’ legitimate interests (as a legal basis for processing data) to include various public interest purposes (e.g., safeguarding vulnerable individuals) for which no balancing test (i.e., weighing up the data controller’s legitimate interests against the rights and interests of the data subject) would be required. In addition, there will be a non-exhaustive list of activities which may be considered a legitimate interest. These include direct marketing, intra-organisational data transmission necessary for administrative purposes and maintenance and security of networks and information systems. All legitimate interests beyond those on the “recognised” list will still require a balancing test.
  • A new set of ‘approved’ international data transfers, under a new risk-based ‘data protection test’ for assessing adequacy where the standard of protection in the receiving country is ‘not materially lower’ than that of the UK. Existing transfer mechanisms, set up before the new legislation, will not have to meet the criteria for the new data protection test for international transfers. New transfer arrangements, however, will need to be assessed against the new data protection test.
  • Changes to Data Subject Access Requests (DSARs) create grounds for organisations to reject or charge reasonable fees if the request is vexatious or excessive, including requests intended to cause distress, those not made in good faith, or that are an abuse of process. The DPDI Bill has not explained how to determine data subjects’ intentions and the meaning of abuse of process.
  • New simplified rules around data collection for scientific research. DPDI (2) clarifies that scientific research includes research carried out as a commercial activity but specifies that research into public health will only count as scientific research if it is in the public interest. It also includes a non-exhaustive list of types of scientific research.
  • Automated decision-making (ADM) is only subject to Article 22 of the UK GDPR when a significant decision is made without ‘meaningful human involvement’. The DPDI prohibits ADM except under certain conditions, including safeguards enabling data subjects to obtain human intervention and to contest decisions. Profiling alone is not ADM, but the extent to which the decision was reached by profiling must be considered in determining whether there was meaningful human involvement.
  • For companies involved in high-risk processing, the mandatory Data Protection Officers (DPOs) are replaced with senior responsible individuals (SRI) drawn from senior management. The DPDI also removes the requirement for businesses not located in the UK to appoint a UK representative. The Information Commissioner’s Office (ICO) must publish examples of types of processing it considers high risk.
  • Data Protection Impact Assessments (DPIAs) – only required for likely high-risk processing. The ICO must publish examples of processing types it considers high-risk for this purpose. No explicit requirement to consult the SRI, but this seems implicit in the list of SRI tasks.
  • All high-risk processing activities (irrespective of the size of the organisation) will require records of processing activities (RoPA), along with the requirements for risk assessments and to appoint senior responsible individuals (SRI).
  • Reduced cookie and direct consent requirements.
  • An enhancement of regulatory powers (e.g., stronger actions against breaches in data rules) for the Information Commissioner’s Office (ICO), which will become the Information Commission with additional duties (e.g., promoting innovation and competition). The Secretary of State will also have new powers, including:
    – the power to set strategic priorities for the ICO and to require the ICO to respond in writing as to how it will address them (although the ICO is not legally obliged to comply with them);
    – the power to amend the list of recognised legitimate interests referred to above;
    – and the power to approve statutory codes of practice published by the ICO.

How will the new Data Protection and Digital Information Bill affect international sponsors with clinical trials in the UK and the EU/EEA?

At a conference in March 2023, representatives from the UK government and data protection regulator, the Information Commissioner’s Office (ICO), indicated that, generally, compliance with EU GDPR would be considered sufficient under UK privacy and data protection laws, even after the introduction of the Act.

However, those doing business only in the UK and who do not plan to expand to the EU/EEA may find it easier to comply only with UK laws under the DPDI Bill when finalised. Multinationals may also do the same with their UK-only data processing activities.

How could the DPDI Bill affect the EU-UK adequacy decision?

Any significant legislative change to the UK GDPR runs the risk of the UK failing to meet the adequacy criteria of the EU GDPR, which in turn means the EU Commission could terminate, suspend or amend its adequacy decision, which currently allows unhindered transfers of personal data from the EEA to the UK.

One area of change which could attract the EU Commission’s attention is the reform of the ICO and thus may seek further clarification on whether the regulator will maintain its independence. But until the Bill becomes law and the EC has assessed the new UK GDPR, any suggested changes to the EU-UK adequacy decision are speculation.

Which parties would be affected by the loss of the EU-UK adequacy decision?

The loss of the adequacy decision would affect a company with UK operations that is not EU-GDPR compliant and wants to transfer data from the EEA to the UK.

Companies in this situation would have to provide appropriate safeguards that protect enforceable rights and effective legal safety nets for EEA individuals, for example, by using Standard Contractual Clauses (SCCs) – standardised and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations under the GDPR.

However, businesses operating within the EEA and the UK already complying with the EU-GDPR should continue to do so, thus can transfer data into the UK.

How can pharmaceutical companies prepare for the new UK GDPR legislation

The priority for any company or organisation with UK operations is to monitor the DPDI Bill’s progress and consider any changes they need to make when it becomes law. A data protection consultancy with expertise in pharma working practices and GDPR (both UK-GDPR and EU-GDPR) is best placed to advise you on your circumstances and support you in making any necessary changes when the time comes.

If you are a pharma or biotech SME already grappling with the GDPR, having a trusted GDPR compliance partner in your corner will help you focus on your commercial goals while remaining confident that all your business and research activities are on the right side of the new data protection law.

Pharma Data Protection are industry-focused data protection specialists who work with you as an extension of your team, giving you up-to-date advice on UK and EU data protection legislation. We ensure the safe handling of sensitive personal data related to clinical trials and support you in meeting the requirements for GDPR compliance across all business activities.

Talk to us about data protection requirements for your UK and EU/EEA clinical trials