The United Kingdom may be headed for a major break from EU GDPR. In mid-2022, the UK began studying potential reform of GDPR. This was revived with the United Kingdom’s Data Protection and Digital Information (No. 2) Bill (Bill 265, 58/3), introduced on March 8, 2023. It includes 106 groups of line-item amendments to the General Data Protection Act 2018 (UK GDPR). Particularly significant is a modification to what qualifies “personal data” under the prior act (and the EU GDPR). Article 4(1) of GDPR (and present UK GDPR) sweeps into “personal data;”
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”
(emphasis added).
GDPR covers data that identifies people, directly or indirectly. “Indirect” identification can be achieved among other ways, by combining information an entity possesses with information it can obtain. For example, a postal code alone would not narrow down a person’s identity significantly. But correlated with other data points, it might.
The UK bill narrows the scope of indirect identification. In proposed Section 3A, a piece of information would be deemed “relating to an identifiable living individual” (and therefore qualify as personal data) only in two situations: (1) where the holder (controller or processor) can, by reasonable means, identify the person or (2) the holder has actual or constructive knowledge that someone will be able to do so as a result of the holder’s processing. “Reasonable means” is defined subjectively, from the point of view of the person handling the particular data and whether identification is possible by any means the person is reasonably likely to use. That likelihood in turn hinges on the time, effort, and cost involved, as well as the technology available to the holder.
The Explanatory Notes state that this is to “provide greater clarity about which type of data is in the scope of the legislation.” HM’s Government’s Regulatory Policy Opinion (March 10, 2023) sheds additional light on the “why” – a rebalancing of business costs and public benefits. Regardless of the intent, the bill (i) creates a qualitative exclusion to data protection and (ii) would give the new UK Information Commission broad cover to calibrate enforcement, looking to the circumstances of collection and the collector, as well as premise regulation on “reasonable,” the most litigated word in the English-speaking world. This has many implications.
First, if the EU determines that this is not a “clarification” but a significant limitation of “personal data,” it may cause the EU to declare the UK’s data privacy law inadequate for data export purposes. GDPR operates from the premise that personal data is any information that could differentiate any human from any other; proposed Section 3A does not.
Second, Bill 265 may cause some data to become regulated only at some point after it is collected. One example is where an entity aggregates disparate types of de-identified (or non-identified) data to identify individuals, such as in digital advertising. It is not clear how GDPR-style affirmative consent would (or could) work if the first time data became “personal data” was in the hands of a business that does not interact with the public and with whom the data subject never had direct contact. This could force data brokers to change their contracting practices. Similarly, there are circumstances in which pseudonymous data might become anonymous data when transferred. GDPR Article 4(5) considers it pseudonymization as long as someone has the ability to reverse it; Bill 265 suggests that a pseudonymized data set that cannot be reversed by the holder would be anonymous.
Third, log data collected automatically by web servers (such as IP address, browser type, ISP, operating system) could become significantly less regulated in circumstances where it is not linked to other customer interactions (such as web forms). This is cold comfort, however, for multinationals that would still have to contend with EU GDPR requirements.
Finally, such a reform could add a new and disparate model for state legislation in the United States – which to date has only used GDPR’s expansive notions of personal information.
Key Takeaways:
- Proposed UK reforms could require additional documentation where an EU data exporter sends data into the UK.
- Data aggregators should be cautious about situations in which they may cause data to become identifiable and therefore regulated.
- Cookies and other automatic data collection could become less regulated in the UK.