The Data Protection and Digital Information Bill (No.2) was introduced last week as part of the government's drive to cut red tape and increase economic growth post-Brexit. The proposals contained in the Bill will undoubtedly please many organisations and will (hopefully) create more certainty in some areas, but there are concerns about the impact this will have on privacy rights.
For example, data subject access requests (DSARs) may be made freely under the current regime unless "unfounded" or "excessive". The Bill would allow controllers to charge a reasonable fee for requests that they consider "vexatious" and "excessive", with the aim of capturing a wider set of unreasonable requests controllers could charge for. The obvious concern here is that it may make it more difficult for individuals to access their personal data. Although many organisations would welcome the greater ability to charge a fee due to the considerable burden of responding to requests, the DSAR mechanism can, at least in theory, encourage more transparent processing, and many people may not be able, or be prepared, to pay a fee. This may, in practice, limit controller accountability.
Another area the Bill looks to clarify is where "legitimate interests" is an appropriate lawful basis for processing personal data, by providing more concrete examples. It can be challenging for organisations to accurately establish legitimate interests, particularly when the processing is novel or on a large scale. Objectively speaking, providing additional clarity may be helpful.
We are keeping a close eye on how the Bill progresses.