The Data Protection and Digital Information Bill (DPDI Bill (No 1)) was presented to Parliament on 18 July 2022. Since then, the Government has been in consultation with the Business Advisory Group, and responsibility for DPDI Bill (No 1) passed from the Department for Digital, Culture, Media and Sport (DCMS) to the newly formed Department for Science, Innovation and Technology (DSIT). However, DPDI Bill (No 1) had not made any progress through Parliament, owing, at least in part, to the fractious political goings on of 2022.
In September 2022, the second reading of DPDI Bill (No 1) was pulled to ‘allow ministers to further consider this legislation’. There were rumblings of taking inspiration from other countries such as Israel, Japan, Canada and New Zealand, where data adequacy is achieved without GDPR. So strong was the sentiment given by New Technology Secretary Michelle Donelan in September 2022 at the Conservative Party Conference, many assumed that the DPDI Bill (No 1) would be further paused and potentially even withdrawn while the Government revisited its approach to UK data protection perhaps contemplating a more material shift away from the approach in the GDPR.
On 8 March 2023, the Government confirmed that DPDI Bill (No 1) had been withdrawn and Secretary Donelan introduced the Data Protection and Digital Information Bill (No 2) (DPDI Bill (No 2)). In the official press release, Secretary Donelan said it would “unlock £4.7 billion in savings for the UK economy over the next 10 years and maintain the UK’s internationally renowned data protection standards so businesses can continue to trade freely with global partners, including the EU”. The press release further states: this is a "new common-sense-led UK version of the EU’s GDPR" which will "reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online".
How much has changed and will it make compliance easier?
After much speculation, DPDI Bill (No 2) is not quite the rewrite that was perhaps anticipated and is better described as a revised version of DPDI Bill (No 1). The reason for which is likely the delicate balancing act as the Government preserves the adequacy decision with the EU, whilst trying to reduce the regulatory burden on businesses.
Important revisions introduced in DPDI Bill (No 2) include:
Enabling innovation |
|
Previous Bill Clarified how personal data can be used for research, statistical and historical purposes and also clarified the meaning of these purposes. The intention being to make it easier for scientists to use personal data for research purposes and conduct important research for the public good. |
New Bill Changes retained with new wording added to clarify “scientific research purposes” including commercial or non-commercial activity, and a change to broaden the meaning of “scientific research”, to encompass processing activities which can “reasonably be described as” scientific in nature. |
Legitimate Interest |
|
Previous Bill Changed the scope of what is considered to be a legitimate interest: legitimate interest is a lawful basis for processing where personal data may be used by the controller or a third party provided their legitimate interests are not overridden by the rights and freedom of the individual. Specified that certain interests are “recognised legitimate interests”, meaning it will not be necessary to carry out that balancing test. |
New Bill Retains the changes to the scope of what is considered “legitimate interest” and has added a new clause providing three non-exhaustive examples of processing, that may be considered necessary processing for the purpose of legitimate interest. Including processing necessary for direct marketing; ensuring the security of IT systems, and intra-group transmission of personal data for internal administrative purposes. |
Articles 30 Records of Processing |
|
Previous Bill New record keeping requirements, with obligations reduced. Organisations with fewer than 250 employees and where there is no high-risk processing are exempted. To test what is classed as high-risk, organisations must look at the nature, scope, context and purposes of processing. |
New Bill No longer a specific reference to number of employees, and focus is on whether processing is likely to result in a high risk to the rights and freedoms of individuals. For assessment of what is considered high risk, the same test applies as outlined in previous bill. |
International Transfer Regime |
|
Previous Bill International transfers have always been part of the UK data protection regime and the previous bill did not make changes to the UK's existing transfer safeguards. Introduced a data protection test for data exporters to apply when making transfers and assessing the protection offered in the recipient country. |
New Bill Press release: The Government press release states the improved bill will “support even more international trade without creating extra costs for businesses if they’re already compliant with current data regulation.” Clarifies that transfer mechanisms used to transfer personal data outside of the UK which were lawfully entered into before the new bill comes into force continue to be valid. |
Cookies |
|
Previous Bill Cookie regime amended to permit the use of cookies without obtaining consent for certain additional defined purposes including for statistical purposes to assess how services on a website are used, to improve the services or the website. This exemption may capture the use of certain analytical cookies where the data is being used to improve services/websites. These changes apply to the Privacy and Electronic Communications (EC Directive) Regulations 2003. |
New Bill Press release: The Government press release states that the UK Government aims to reduce annoying cookie pop ups. The new bill has not made any further changes to the Privacy and Electronic Communications (EC Directive) Regulations 2003 but has retained the changes suggested in the previous bill. |
Data Protection Rights – Automated decision making |
|
Previous Bill Changes to automated decision making: a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision. |
New Bill Press release: The Government press release highlights the DPDI Bill (No 2) aims to increase public spending and business confidence in AI technology, by clarifying the circumstances when robust safeguards apply to automated decision making. The new bill clarifies that when assessing whether there is a meaningful human involvement in the act of decision making, a person must consider the extent to which the decision is reached by means of profiling. The Secretary of State may issue regulations to further regulate automated decision making. |
Whilst the DPDI Bill (No 2) will see the UK data protection regime moving further away from the EU data protection regime, the DPDI Bill (No 2) is not a radical change. The main thrust of the UK data protection regime will stay the same but some of the proposed changes in DPDI Bill (No 2) will reduce the compliance burden on businesses.
As with DPDI Bill (No 1), we consider the most significant question is whether the changes proposed will, in the eyes of the EU, mean personal data is not considered to be adequately protected in the UK and put the UK's adequacy decision with the EU at risk. The adequacy decision allows for the free flow of data from the EU to the UK without organisations having to put any additional measures in place.
The next stage for DPDI Bill (No 2) is for it to receive its second reading in the House of Commons. The date for the second reading is still to be scheduled.
What will DPDI Bill (No 2) mean for businesses?
In terms of whether it meets the demands of businesses, the Government press release states that The Data Protection and Digital Information Bill was "co-designed with business from the start" and that DPDI Bill (No 2) was developed in consultation with business leaders and data experts. Businesses expecting that they will no longer need to worry about data protection matters will be disappointed. DPDI Bill (No 2) still maintains high standards of data protection rights.
DPDI Bill (No 2) introduces more flexibility for businesses in terms of how they manage their record keeping and compliance with data protection legislation. In addition, the proposed changes to the cookies regime give more flexibility, for example the changes may allow the use of certain analytical cookies without consent where the data is being used to improve services/websites. Businesses will need to consider the proposed requirements of DPDI Bill (No 2) carefully and understand how it will change UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) 2003. Businesses will need to check that their current standards and internal processes meet the proposed new requirements established by DPDI Bill (No 2). In the majority of cases where businesses are compliant with the current data protection regime, they will be compliant with the new regime.
For further information about the latest changes or compliance with the data protection and privacy regime generally, please get in touch with Sarah Daun, Caroline Churchill or Andrew Kimble.
This article is part of Womble Bond Dickinson’s Growing Global series. For more insights, click here to visit our Growing Global hub.