On 8 March 2023, the UK government resumed its proposed reform of UK data protection laws with the introduction to Parliament of the Data Protection and Digital Information (No. 2) Bill, a replacement to its earlier reform bill.
The earlier version of the Bill was published in July 2022 (under prime minister Boris Johnson) but was then put on ice by the UK government following the appointment of Liz Truss as prime minister in order to allow time for ministers to re-examine the scope of proposed reforms.
In a speech given at the annual conference of the Conservative party in October 2022, the Science, Innovation and Technology Secretary, Michelle Donelan (who is responsible for guiding the Bill through Parliament), announced that the UK would be “replacing GDPR” with a “business and consumer-friendly, British data protection system.”
Whilst talk of replacing GDPR may have sounded radical, the changes set out in the Data Protection and Digital Information (No. 2) Bill are not a wholesale rejection and replacement of GDPR but a series of targeted reforms to the existing framework. A number of these changes (if enacted) will be significant for businesses processing personal data that is subject to UK data protection law.
In her statement accompanying publication of the Bill, Michelle Donelan announced that the proposed new laws will “release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy.” The data protection reforms can broadly be grouped into changes that are intended to provide greater certainty to organisations that process personal data by clarifying aspects of the existing framework, and changes that are intended to meet the government’s pro-business agenda. The Bill proposes amendments in the following areas:
Updated definition of personal data
Legitimate interests
‘Recognised legitimate interests’
Further processing
Scientific research, including for technological development
International data transfers
Fewer records of processing
No more DPIAs
No more DPOs
Data subject requests
Automated decision-making
No UK representatives
Changes to the ICO
More cookies without consent
New notification obligation for telecoms and internet service providers
Fines under PECR aligned with UK data protection law
This Law-Now article focuses on the reforms to UK data protection law (UK GDPR and the UK Data Protection Act 2018) and summarises the key changes for businesses that process personal data that is subject to UK data protection law.
Click here to read the article.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.