UK government resumes proposed reform of UK data protection laws

United Kingdom

On 8 March 2023, the UK government resumed its proposed reform of UK data protection laws with the introduction to Parliament of the Data Protection and Digital Information (No. 2) Bill, a replacement to its earlier reform bill.

The earlier version of the Bill was published in July 2022 (under prime minister Boris Johnson) but was then put on ice by the UK government following the appointment of Liz Truss as prime minister in order to allow time for ministers to re-examine the scope of proposed reforms.

In a speech given at the annual conference of the Conservative party in October 2022, the Science, Innovation and Technology Secretary, Michelle Donelan (who is responsible for guiding the Bill through Parliament), announced that the UK would be “replacing GDPR” with a “business and consumer-friendly, British data protection system.”

Whilst talk of replacing GDPR may have sounded radical, the changes set out in the Data Protection and Digital Information (No. 2) Bill are not a wholesale rejection and replacement of GDPR but a series of targeted reforms to the existing framework.  A number of these changes (if enacted) will be significant for businesses processing personal data that is subject to UK data protection law.

In her statement accompanying publication of the Bill, Michelle Donelan announced that the proposed new laws will “release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy.”  The data protection reforms can broadly be grouped into changes that are intended to provide greater certainty to organisations that process personal data by clarifying aspects of the existing framework, and changes that are intended to meet the government’s pro-business agenda.  The Bill proposes amendments in the following areas:

Updated definition of personal data

Legitimate interests

‘Recognised legitimate interests’

Further processing

Scientific research, including for technological development

International data transfers

Fewer records of processing

No more DPIAs

No more DPOs

Data subject requests

Automated decision-making

No UK representatives

Changes to the ICO

More cookies without consent

New notification obligation for telecoms and internet service providers

Fines under PECR aligned with UK data protection law

This Law-Now article focuses on the reforms to UK data protection law (UK GDPR and the UK Data Protection Act 2018) and summarises the key changes for businesses that process personal data that is subject to UK data protection law.

Click here to read the article