Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource

US: CFPB Finalizes Open Banking Rule Under Section 1033: Key Takeaways for Accessing Consumer Financial Data
https://privacymatters.dlapiper.com/2024/11/cfpb-finalizes-open-banking-rule-under-section-1033-key-takeaways-for-accessing-consumer-financial-data/
Fri, 01 Nov 2024 17:02:54 +0000

Overview

On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its long-anticipated “Personal Financial Data Rights” rule (and Executive Summary) – more commonly known as the “Open Banking” rule – under Section 1033 of the Dodd-Frank Act. This landmark regulation aims to empower consumers by granting them greater control over their personal financial data, enabling them to access and share this information with third-party providers securely and without charge. According to the CFPB, the rule is designed to foster competition and innovation in the financial services industry by making it easier for consumers to switch financial providers and for new companies to offer innovative products and services.

The final rule requires covered entities – including banks, credit card issuers, digital wallet providers, and other financial institutions – to provide consumers and authorized third parties with access to specified consumer financial data upon request. It also establishes privacy and security protections, limiting third parties’ use of the data they receive to the purposes expressly authorized by the consumer. While the rule has been lauded for promoting consumer choice and competition, it has also faced criticism and legal challenges from industry stakeholders concerned about data security, compliance burdens, and statutory authority.

What Does the CFPB Open Banking Rule Entail?

The CFPB’s Open Banking rule mandates that covered data providers make available to consumers, or to third parties authorized by consumers, certain data related to covered consumer financial products or services free of charge.

  • Covered data – data providers must make available:
    • Account Balance and Transaction Information: At least 24 months of transaction history, including amounts, dates, payment types, merchant names, rewards credits, and fees or finance charges.
    • Payment Initiation Information: Data necessary to initiate payments from accounts, facilitating services like “pay-by-bank.”
    • Terms and Conditions: Details such as fee schedules, interest rates, credit limits, rewards program terms, and whether the consumer has entered into an arbitration agreement.
    • Upcoming Bill Information: Information on upcoming payments due, including scheduled payments to third parties.
    • Basic Account Verification Information: Names, addresses, email addresses, and phone numbers associated with the accounts.
  • Exceptions – data providers do not have to make available:
    • Confidential commercial information.
    • Information collected for the sole purpose of preventing fraud/money laundering.
    • Information required to be kept confidential by law.
    • Information the data provider cannot retrieve in the ordinary course of business.

Which Entities Are “Data Providers” Under the Rule?

The rule applies to a broad range of financial service providers, referred to as “covered data providers.” This includes:

  • Regulation E financial institutions: Banks, savings associations, and credit unions holding consumer asset accounts.
  • Regulation Z card issuers.
  • Payment Facilitators: “Any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person.” This includes companies that enable transactions from consumer accounts, including digital wallet providers.

Notably, the final rule exempts depository institutions that hold assets of $850 million or less (i.e., equal to or less than the Small Business Administration size standard for such institutions), aiming to alleviate the compliance burden on smaller banks and credit unions.

Consumer and Developer Interfaces

Under the rule, data providers are required to establish and maintain two separate interfaces for accessing covered data: a consumer interface (e.g., online banking portals that allow consumers to access their data directly) and a developer interface for authorized third parties (e.g., APIs, though the rule is technology neutral) to facilitate secure and standardized access to covered data. Data providers must also provide certain information to consumers and authorized third parties, including: (i) their legal name and any assumed names; (ii) a link to their website; (iii) their Legal Entity Identifier (LEI), issued by a utility endorsed by the LEI Regulatory Oversight Committee or the Global LEI Foundation; and (iv) contact information that consumers or third parties can use to ask questions about accessing covered data. Data providers may not charge fees to either consumers or authorized third parties for accessing covered data. The developer interface must meet certain minimum performance standards and may not unreasonably restrict the frequency with which it receives or responds to requests from an authorized third party.

Data providers can deny third parties access to their developer interface only under certain limited circumstances. In particular, access may be denied if a third party does not present evidence that its information security practices are adequate to protect covered data, or if the third party does not provide: (i) its legal name (and any assumed names); (ii) a link to its website; (iii) its LEI, issued by a utility endorsed by the LEI Regulatory Oversight Committee or the Global LEI Foundation; and (iv) contact information a data provider may use to inquire about the third party’s information security and compliance practices.

Like the proposed rule, the final rule does not explicitly prohibit screen scraping by authorized third parties; however, the final rule seeks to curtail screen scraping by prohibiting authorized third parties from accessing a data provider’s developer interface using any credentials that a consumer uses to access the consumer interface.

What Are the Privacy and Security Protections and Restrictions on Third Parties?

To safeguard consumer data, the rule imposes several privacy and security requirements on third parties:

  • Purpose Limitation: When a consumer authorizes a third party to access the consumer’s financial data from a data provider, the third party can only use the data for the specific product or service requested by the consumer. Practices like selling the data, or using the data for targeted advertising or for cross-selling the third party’s other products/services, are prohibited (unless the consumer expressly consents to these purposes).
  • Consent and Authorization: Third parties must obtain express consent from consumers through clear authorization disclosures, outlining the data to be accessed and the purpose.
  • Limited Duration of Authorization: The authorization from a consumer is valid for one year, after which the third party must obtain new authorization from the consumer. If an authorization expires, the third party may no longer collect covered data and may no longer use or retain covered data collected under the expired or revoked authorization.
  • Revocation Rights: Consumers have the right to revoke a third party’s access at any time, and third parties must (1) make revocation easy, (2) cease data collection and delete data unless retention is necessary to provide the requested service, and (3) notify the data provider if they receive a revocation request from the consumer.
  • Data Security Programs: Third parties must implement data security measures in line with the Gramm-Leach-Bliley Act (GLBA), or, if not subject to the GLBA, the FTC Standards for Safeguarding Customer Information (i.e., the Safeguards Rule).
  • Policies and Procedures: Third parties must maintain their own internal written policies and procedures to comply with the rule and with the rule’s record retention requirements.

What Are the Compliance Deadlines?

Compliance with the rule will be implemented in phases as follows:

Depository Institution (Total Assets) | Non-Depository Institution (Total Receipts) | Compliance Date
>$250bn                               | >$10bn in either calendar year 2023 or 2024 | April 1, 2026
$10bn – $250bn                        | <$10bn in both calendar year 2023 and 2024  | April 1, 2027
$3bn – $10bn                          |                                             | April 1, 2028
$1.5bn – $3bn                         |                                             | April 1, 2029
$850m – $1.5bn                        |                                             | April 1, 2030
<$850m                                |                                             | Exempt

Key Takeaways

This significant regulatory development carries several implications for businesses in the financial sector:

  • Prepare for Compliance: Covered entities, both data providers and third parties, should begin assessing their data infrastructure, security protocols, and compliance procedures, and should obtain the required Legal Entity Identifier (LEI), in order to meet the new requirements within the specified timelines.
  • Review Data Sharing Practices: Companies seeking to access covered data must evaluate their data collection, use, and retention policies to ensure they align with the purpose limitations and consent requirements of the rule.
  • Enhance Privacy and Security Measures: Robust data security programs compliant with the GLBA and other regulations must be implemented to protect consumer data during access and transfer. This is particularly important for third-party recipients who may not be as familiar with these requirements (as noted above, if the third party is not already subject to the GLBA, it must follow the FTC Safeguards Rule, which sets out detailed security requirements for protecting consumers’ financial information).
  • Monitor Legal Developments: Ongoing legal challenges could impact the implementation and enforcement of the rule. Companies should follow these proceedings and be prepared to adapt accordingly.
  • Engage with Industry Standards: Participation in recognized standard-setting bodies may aid in compliance and contribute to the development of interoperable systems that benefit the industry as a whole (the CFPB finalized its rule regarding standard-setting bodies earlier this summer).

For more information about these developments and how they may affect your organization, contact your DLA relationship partner, the authors of this blog post, or any member of DLA’s Data Protection, Privacy, and Security team.

CHINA: Mandatory data protection compliance (self) audits on their way
https://privacymatters.dlapiper.com/2024/08/china-mandatory-data-protection-compliance-self-audits-on-their-way/
Thu, 29 Aug 2024 14:15:37 +0000

The Personal Information Protection Law (“PIPL”) requires a data controller to conduct compliance audits of its personal data processing activities on a regular basis (“Self-supervision Audits”). Apart from such Self-supervision Audits, where the data regulator finds significant risks in a data controller’s processing or where data incidents occur, the data regulator has the authority to require the data controller to engage third-party professional organizations to conduct compliance audits (“Regulator Requested Audits”). However, despite these general principles, the PIPL provides no further details regarding how these audits are to be conducted.

In July 2024, a draft recommended national standard, Personal Information Protection Compliance Audit Requirements (“Draft Standard”), was issued for public consultation, which sets out comprehensive audit requirements and procedures. To be specific:

  • The Draft Standard includes in its Schedule C a list of 37 groups of specific processing operations that must be checked in an audit, together with the relevant PIPL requirements. The requirements cover the full life cycle of personal data processing, and concern areas such as lawful bases for processing, the necessity and data minimization principles, disclosure of necessary processing details to data subjects, sharing of personal data with third parties, automated decision making, public disclosure of personal data, CCTV, sensitive personal data and the protection of minors’ data, cross-border data transfers, data subjects’ rights, internal data protection policies and procedures, technical and organizational measures, the DPO, personal data protection impact assessments, data incidents, etc.
  • The Draft Standard also outlines the general procedures of an audit, and provides a sample list of the documents and materials which must be reviewed during an audit.
  • In addition, the Draft Standard emphasizes the importance of internal governance. It requires a data controller to establish a compliance audit management system and to formulate audit rules and procedures. The data controller’s Board of Directors, DPO and/or Legal Representative must take ultimate responsibility for establishing the audit system and implementing audits within the organization. The data controller must also allocate sufficient funding and suitable human resources to audit-related work. Personnel appointed to handle audit-related work must have suitable knowledge and experience, and ideally hold qualification certificates.
  • The Draft Standard does not prescribe when or how often a data controller must conduct an audit. The Measures for the Management of Compliance Audits on the Protection of Personal Information (Draft for Comments) (“Draft Measures”), issued in September 2023 for public consultation, state that a data controller which processes the personal data of more than one million individuals must conduct Self-supervision Audits at least once a year. Other data controllers must conduct Self-supervision Audits at least once every two years.
  • The Draft Measures require data controllers to submit the audit reports of Regulator Requested Audits, take necessary remediation actions, and then submit post-remediation reports.

As of the date of this article, neither the Draft Standard nor the Draft Measures have been finalized. But there are rumours indicating that both will be finalized before the end of 2024. An increasingly common understanding in the market is that personal data compliance audits will become the next regulatory focus of the data regulator.

Regardless of the status of these drafts, a data controller has an obligation under the PIPL to conduct Self-supervision Audits periodically. It is therefore recommended to take note of the requirements under the Draft Standard, consider establishing an internal audit management framework, and complete at least one Self-supervision Audit within a reasonable time.

China: Important new guidance on defining sensitive personal information
https://privacymatters.dlapiper.com/2024/08/china-important-new-guidance-on-defining-sensitive-personal-information/
Tue, 06 Aug 2024 07:31:25 +0000

While the definition of sensitive personal information in China has always differed from that in other jurisdictions, with the risk of harm at its heart, new draft guidance should make it easier for organisations to map their processing of China sensitive personal information, which is increasingly important in light of new cross-border data transfer and data audit obligations.

Under China’s data protection law, if a data controller processes any sensitive personal information, it will be subject to stricter obligations. For example, it must obtain the individuals’ separate consent. It must take enhanced technical and organizational measures. More importantly, under the new Chinese regulation governing the cross-border transfer of personal information (see our article here for details), if it transfers even one individual’s sensitive personal information outside China, it will need to file the transfer with the Chinese data regulator. Thus, the accurate identification of sensitive personal information has become increasingly important, and will become more so under proposed new data audit regulations.

The China Personal Information Protection Law (“PIPL”) defines sensitive personal information as any personal information that, once leaked or misused, may easily lead to the infringement of an individual’s personal dignity or to harm to personal or property safety.

The PIPL offers a few examples of sensitive personal information (e.g. biometrics, religious beliefs, medical health, financial accounts, whereabouts, and any personal information relating to minors under the age of fourteen). Recommended national standards such as GB/T 35273-2020 Personal Information Security Specifications (“Specifications”) and GB/T 43697-2024 Rules for Data Classification and Grading (“Rules”) also include non-exhaustive sample lists. In recent years, the identification of sensitive personal information in the market has relied heavily on such examples and lists.

In June 2024, a new Draft Guide for Sensitive Personal Information Identification (“Draft Guide”) was issued for public consultation, which proposes a different approach to identifying sensitive personal information. For example:

  • Facial recognition data: Under the Specifications and the Rules, only facial feature extraction or faceprint constitutes sensitive personal information. The Draft Guide now proposes to expand the scope to cover face images also, based on the rationale that facial feature extraction or faceprint may be generated from face images.
  • Health data: Under the Specifications and the Rules, food allergy related data is specifically identified as sensitive personal information, which (unreasonably) subjects many restaurants and catering companies to stricter data protection obligations. The Draft Guide now proposes to limit the scope of health data to disease, illness, disability and diagnosis- and treatment-related data.
  • Finance data: Under the Specifications and the Rules, transaction and expense records are identified as sensitive personal information, which may lead to the extreme conclusion that all shops and malls keeping consumers’ purchase records process sensitive personal information. Under the Draft Guide, transaction and expense records would be removed from the list. Instead, sensitive personal finance information would be limited to bank, securities and fund account or card numbers and passwords, as well as token information and income details related to each specific account or card.
  • Other data: The Draft Guide proposes removing communications records and web browsing records from the sensitive personal information list, which is helpful especially for companies that monitor and record employees’ work-related emails and messages. The Draft Guide also clarifies that flight and high-speed train travel records fall within the scope of “whereabouts” data and thus constitute sensitive personal information, whether in a consumer or potentially even an employee-travel context.

It is uncertain when the Draft Guide will be finalized, and indeed how much the Chinese data regulator would rely on it, considering it would only constitute non-binding recommended guidance. Nonetheless, it is clear that identifying sensitive personal information is no longer a straightforward question, and the context in which personal information is processed will be critical to the assessment. To be fair, the focus on “risk of harm” has always been a key component of defining sensitive personal information in China. Therefore, going forward, organisations looking to identify their sensitive personal information should place more focus on the consequences and potential harm to the data subjects if the data in question is breached or misused. A case-by-case and context-specific analysis will likely be required.

VIETNAM: First Personal Data Protection Decree passed – What you need to know
https://privacymatters.dlapiper.com/2023/05/vietnam-first-personal-data-protection-decree-passed-what-you-need-to-know/
Wed, 24 May 2023 02:25:00 +0000

Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To.

Vietnam’s long-awaited, first-ever Personal Data Protection Decree (“PDPD”) has finally been passed and is scheduled to take effect from 1 July 2023 (save limited grace period exceptions).

The PDPD is the first comprehensive data protection regulation consolidating Vietnam’s existing data protection regulatory framework (which is found across various legal instruments).

Given the tight timelines, businesses which engage in or relate to personal data processing activities in Vietnam, are advised to take prompt action to ensure compliance.

The most notable provisions of the PDPD relate to the compliance requirements in general processing and cross-border transfers of personal data.

Highlights of the PDPD

  • Consent: the primary legal basis for processing personal data remains consent.
  • Data Protection Impact Assessment (“DPIA”) Profile: data controllers are required to prepare and maintain DPIA Profiles for their personal data processing activities. In certain circumstances, the DPIA Profile may need to be submitted to the regulators.
  • Cross-Border Transfer of Personal Data: in order to transfer personal data outside of Vietnam, organisations must complete and submit a Dossier of Impact Assessment for Cross-Border Personal Data Transfer (“TIA Dossier”). The regulators may halt data transfers in situations where an organisation violates national security, submits an incomplete TIA Dossier, or loses or discloses personal data of Vietnamese citizens.
  • Data Localisation: surprisingly, the PDPD has not addressed the issue of data localisation. This said, organisations should continue to observe developments on this, and follow existing laws and regulations, notably the interaction between PDPD and the Cybersecurity Law (Decree 53).
  • DPO: organisations may need to appoint a DPO and register the DPO with the authority, especially if sensitive personal data is processed.
  • Data subject rights: certain data subject rights are now subject to a 72-hour handling deadline.
  • Data incident: data breach incidents must be notified within 72 hours of the occurrence.

What next – practical steps

In view of the tight timescales for ensuring compliance with the PDPD, organisations should move quickly to review their existing data privacy programmes and remedy any inconsistencies with the PDPD requirements.

Please contact Carolyn Bigg, Venus Cheung, or Gwyneth To if you have any questions or to see what this means for your organisation.

Europe: Opinion of the Advocate General on presumed fault of the controller in case of unlawful third-party access to personal data
https://privacymatters.dlapiper.com/2023/04/europe-opinion-of-the-advocate-general-on-presumed-fault-of-the-controller-in-case-of-unlawful-third-party-access-to-personal-data/
Thu, 27 Apr 2023 13:34:42 +0000

Authors: Verena Grentzenberg, Andreas Rüdiger, Ludwig Lauer

In his Opinion of 27.04.2023 (C-340/21), delivered in a reference for a preliminary ruling from a Bulgarian court, the Advocate General of the European Court of Justice (“ECJ”) commented on the interpretation of the civil right to compensation for non-material damage pursuant to Article 82 (1) GDPR, as well as on the requirements for, and the duty to disclose, the technical and organizational measures pursuant to Articles 24 and 32 GDPR in the event of a cyber-attack.

Facts of the case

The Bulgarian authority “National Revenue Agency” (hereinafter referred to as “NAP”) was the target of a cyber-attack which led to unauthorized access to NAP’s information system. In the course of this cyber-attack, personal data – mainly tax and social security information – of approximately 4 million Bulgarian citizens (or approximately 6 million individuals in total, including foreign citizens) was accessed and published on the Internet. The plaintiff was among them.

In the proceedings at first instance before the Administrative Court of the City of Sofia (hereinafter referred to as “ASSG”), the plaintiff claimed approx. 500 EUR on the grounds of an infringement under Article 82 (1) GDPR. He argued that NAP had failed to ensure its cybersecurity in an appropriate manner. In the plaintiff’s view, the failure to apply appropriate technical and organizational measures in accordance with Articles 24 and 32 GDPR resulted in a breach of the protection of personal data. The plaintiff described the non-material damage he suffered as worries, fears and anxieties about possible future misuse of his personal data.

The NAP, as the defendant, considered the claim to be unfounded. It argued that a cyber-attack does not per se allow conclusions to be drawn about a lack of technical and organizational measures. The NAP further argued that it had been the victim of a cyber-attack by third parties who were not its employees, that it could therefore not be (co-)responsible for the damage incurred, and that it was consequently exempt from liability pursuant to Article 82 (3) GDPR.

Decisions of the court of first instance and referral to the ECJ

The ASSG dismissed the claim, taking the view that the dissemination of the data was not attributable to the NAP, that the burden of proof as to whether the measures implemented were appropriate was on the plaintiff, and that non-material damage was not eligible for compensation.

Hearing the case on appeal, the Bulgarian Supreme Administrative Court referred a number of questions to the ECJ with regard to

  • the presumption that technical and organisational measures in accordance with Art. 32 GDPR are not sufficient in case a cyber-attack occurs;
  • the subject matter and scope of the judicial review regarding the appropriateness of technical and organizational measures;
  • the controller’s burden of proof that the technical and organisational measures are appropriate;
  • the exemption of liability under Art. 82 (3) GDPR in connection with cyber-attacks; and
  • the threshold for the non-material damages under Art. 82 (1) GDPR.

Statements of the Advocate General of the ECJ

The core statements of the Advocate General of the ECJ are as follows:

  • According to the Advocate General, the occurrence of a “personal data breach” is not sufficient in itself to conclude that the technical and organisational measures implemented by the controller were not “appropriate” to ensure data protection. The assessment of the appropriateness of those measures must be based on a balancing exercise between the interests of the data subject and the economic interests and technological capacity of the controller, in compliance with the general principle of proportionality.
  • Further, the Advocate General states that, when verifying whether the measures are appropriate, the national court must carry out a review which extends to a specific analysis of the content of those measures and the manner in which they were applied, as well as of their practical effects.
  • The Advocate General states that the burden of proving that the technical and organisational measures are appropriate is on the controller. In accordance with the principle of procedural autonomy, it is for the national legal order of each Member State to determine the admissible methods of proof and their probative value, including the measures of inquiry.
  • The fact that the infringement of the GDPR was committed by a third party does not in itself constitute a ground for exempting the controller. In order to be exempted from liability, the controller must demonstrate, to a high standard of proof, that it is not in any way responsible for the event giving rise to the damage. The unlawful processing of personal data has, in fact, the nature of aggravated liability for presumed fault, which gives rise to the possibility for the controller to provide exonerating evidence.
  • Finally, according to the Advocate General, detriment consisting in the fear of a potential misuse of one’s personal data in the future, the existence of which the data subject has demonstrated, may constitute non-material damage giving rise to a right to compensation, provided that it is a matter of actual and certain emotional damage and not simply trouble and inconvenience.

Conclusion

Although the opinion of the Advocate General is not binding on the ECJ, it is to be expected that the ECJ will in general adopt the opinion of the Advocate General in its final judgment. If the ECJ follows the opinion of the Advocate General, the judgment will have a significant impact on, and relevance for, companies that process personal data. As the number of cyber-attacks continues to rise, any company can be affected by a cyber-attack. It is therefore of utmost importance to be prepared for such an eventuality and to review and, if necessary, amend the implemented technical and organisational measures in accordance with Art. 32 GDPR. Even though a cyber-attack can probably never be completely prevented, in light of the opinion of the Advocate General and the associated burden of proof on the companies concerned, it is highly recommended to regularly check the technical and organizational measures as part of internal audits and to ensure sufficient documentation that is suitable for use in court. Such audits also need to cover processors and even sub-processors. Furthermore, contracts with processors and sub-processors need to adequately address not just the allocation of responsibility, but also court-proof documentation.

UK: New Data Protection and Digital Information Bill
https://privacymatters.dlapiper.com/2022/07/uk-new-data-protection-and-digital-information-bill/
Wed, 20 Jul 2022 08:01:35 +0000

Authors: Alexa Smith, James Clark, Robyn Palmer, Jamie Sanderson

The UK Government has published its long-awaited ‘Data Protection and Digital Information Bill’. The Bill will reform areas of UK data protection and electronic privacy law, and will also introduce new regulatory frameworks, most notably in the field of digital identity verification. By amending the UK GDPR, the Data Protection Act 2018 (“DPA 2018”) and the Privacy and Electronic Communications Regulations 2003 (“PECR”), the Bill realises the Government’s ambition to recalibrate its approach to data protection and privacy following the UK’s withdrawal from the EU.

In this post, we provide a high-level overview of key areas of reform. In subsequent posts, we will do a deeper dive on specific areas as the Bill makes its way through the legislative process. At this stage, it is important to note that the Bill is receiving its first reading in the House of Commons, and the text will change – to a greater or lesser extent – before the Bill passes into law.

Definitions

The Bill expands upon certain key definitions. These expanded definitions draw on a combination of existing GDPR recitals (‘promoting’ these into the operative provisions of the legislation) and established ICO guidance / case law. The overall aim appears to be to provide additional clarity, on the face of the law, about how certain important terms should be interpreted. For example:

  • Section 1 expands on and qualifies the definition of ‘personal data’ depending on whether additional information is or is not used to identify an individual. This provision looks to reflect ICO guidance around the standard for anonymisation and reflects a ‘subjective’ approach to the question of identifiability.
  • Section 2 creates a statutory definition of scientific research and statistical purposes, by drawing on the existing recitals.

Legal Basis and Principles

More novel is the creation of a new concept of ‘recognised legitimate interests’ – i.e. processing activities that are deemed to automatically satisfy the legitimate interests balancing test, providing greater certainty to controllers looking to rely on this legal basis (s. 5; Schedule 1).

A number of these mirror the exemptions set out in Schedule 2 of the Data Protection Act 2018, e.g. ‘the detection, investigation and prevention of crime’. As Schedule 2 DPA 2018 currently exempts controllers from most of the principles other than lawfulness / lawful basis, this can be seen in part as a logical extension of existing data protection exemptions for activities seen as being squarely in the public interest.

Similarly, the Bill creates specified new exemptions from the ‘purpose limitation’ principle, including for example, the disclosure of personal data to a public authority that is relying on the ‘public task’ legal basis (s. 6; Schedule 2).

Obligations of Controllers / Processors

The role of the Data Protection Officer is to be replaced by a new role, with the title ‘Senior Responsible Individual’ (s. 14).

The threshold for appointment of a Senior Responsible Individual is slightly different to the existing threshold for appointment of a DPO, with the new requirement applying to public bodies and organisations undertaking high risk processing. The designated individual must be a senior member of management, rather than simply reporting to senior management. However, the day-to-day tasks of the SRI look to be largely similar to those of the DPO, such as monitoring compliance of the organisation, advising the organisation on data protection issues, taking steps to ensure compliance and acting as contact point for the Commissioner.

Under the proposed new regime, the requirement to carry out Data Protection Impact Assessments is replaced by a requirement to undertake ‘Assessments of High Risk Processing’ (s. 17). It is worth noting that the general criteria for triggering a requirement to carry out a DPIA that are currently set out in Article 35(3) of the UK GDPR are to be removed. In their absence, we expect the ICO’s specific list of criteria (created under Article 35(5) UK GDPR) to be the relevant reference point.

Despite the name change, the substantive nature of what should be considered as part of these assessments looks largely the same as under current law.

It is also worthy of note that there is a proposed removal of the current obligation under Article 27 for organisations which operate outside of the UK but are caught by the UK GDPR’s extra-territoriality provisions to appoint a representative.

Data Subject Rights

Key changes in this area include the following:

  • Controllers will be able to refuse data subject access requests that are ‘vexatious or excessive’ (s. 7). In this context, ‘vexatious’ is to be understood as requests which are ‘intended to cause distress’, ‘not made in good faith’ or amount to ‘an abuse of process’.
  • When collecting information directly from a data subject, a controller is excused from the requirement to provide fair processing information under Article 13 UK GDPR where data is collected for “scientific research or statistical processing”. Where data is collected indirectly (Article 14 UK GDPR), we now have criteria on the face of the law to help determine when the ‘disproportionate effort’ exemption applies, and the implication that this should be limited primarily to scientific research is, for Article 14 purposes, removed (s. 9).

The Information Commissioner

Reform to the ICO (which will henceforth be an Information Commission, rather than a Commissioner) is relatively wide ranging, and covers a number of themes. For example, there are changes which look to bring the work of the ICO under a higher degree of Government supervision:

  • the Commission is to be subject to express duties to have regard to promoting innovation and competition, and safeguarding public and national security (s. 27);
  • the Secretary of State can set ‘strategic priorities’ for the Commission (s. 28);
  • the Commission must assess its own performance on an annual basis using KPIs (s. 33).

However, at the same time, the Commission is granted several new powers designed to support its investigatory and enforcement activities, including powers to:

  • require controllers or processors to arrange for the preparation of a report at the controller or processor’s expense (s. 35);
  • require persons to attend at a place and answer questions (referred to as an ‘interview notice’) (s. 36).

International transfers

The Bill will introduce amendments in relation to both international transfers and the UK’s approach to adequacy assessments (Schedule 5).

First, Article 44 of UK GDPR is set to be removed. This is the over-arching requirement that “All provisions in this Chapter [V] shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”. Removing this should, in theory, make data transfers less onerous and give greater flexibility to UK exporters of personal data.

The previous adequacy assessment criteria are to be replaced by a new ‘data protection test’ for which the required standard is now “not materially lower than”, which looks to be a step away from the EU doctrine of ‘essential equivalence’.

The requirement to carry out transfer impact assessments remains but the exporter must now consider whether “acting reasonably and proportionately […] the data protection test is met in relation to the transfer or that type of transfer”.

Cookies

The Bill seeks to relax cookie consent requirements in tightly defined circumstances and add clarity as to what comes within the “strictly necessary” exemption (s. 79):

  • Statistics and preference cookies are to move from a consent / ‘opt-in’ requirement to an ‘opt-out’ standard, subject to strict criteria.
  • The amended law will set out certain activities considered to fall within the “strictly necessary” exemption, including for example, to ensure the security of the user’s device is not adversely affected by the service, to prevent or detect fraud, and to authenticate a user.

PECR Enforcement Regime

The Bill also brings the PECR enforcement regime into line with that of the UK GDPR and the DPA, the most notable change here being the increase of potential fines to UK GDPR levels.

Conclusion

Whilst many parts of the Bill look to reflect the Government’s stated ambition to encourage innovation and responsibly ease the burden of compliance for businesses, it should be noted that the Bill does balance a softening of the rules in certain areas with enhanced regulation in others – the new investigatory and enforcement powers for the ICO and the increase in PECR fines being the obvious examples. There are also many examples of changes which are subtle – some of these are simply about reflecting established principles or guidance on the face of the law, others are about tweaking around the edges of existing governance requirements without overhauling them completely.

The Bill runs to 192 pages, and so necessarily this article provides a snapshot of the changes introduced by the Bill which are likely to be of most interest to our readers. Additional parts of the Bill address areas including Digital Verification Services, Customer Data and Business Data, and we will look at these in subsequent posts.
