The Department for Science, Innovation & Technology (“DSIT”) introduced the Data Protection and Digital Information (No 2) Bill (the “New Data Bill”) to Parliament on 8 March 2023.

MPs will consider the New Data Bill at Second Reading on 17 April. Early indications suggest that there should not be too much pushback, and therefore it is likely to come into force this year.

The New Data Bill is the second incarnation of a revised set of data protection laws in the UK. The previous ‘Data Reform Bill’ was introduced in July 2022 but was paused in September 2022 for further consideration and consultation with business leaders and data experts.

This New Data Bill is very similar to the previous bill with its main focus being to “reduce costs and burdens for British business and charities” and “save the UK economy more than £4 billion over the next 10 years” (according to DSIT) while maintaining the UK’s high standards for data protection and privacy. The Information Commissioner, John Edwards, said “the Bill will ensure my office can continue to operate as a trusted, fair and independent regulator”.

The purported benefits of the New Data Bill are broadly twofold: first, to simplify the data protection framework in the UK and the role of the Information Commissioner’s Office while continuing to protect individuals’ data rights; second, to give a greater boost to innovation and economic growth.

Key aims of the New Data Bill:

  • To be business-friendly – by introducing a clear framework for organisations, offering greater flexibility on how to comply with data protection legislation and making compliance less costly to implement.
  • Clarify aspects of the UK GDPR, DPA 2018 and PECR.
  • Reduce paperwork needed by organisations to demonstrate compliance.
  • Reform the ICO’s governance structure and strengthen its powers. The creation of a statutory board will enable the ICO to remain independent and better support organisations.
  • Increase confidence in AI technologies by making it clear when robust safeguards apply to automated decision making.
  • Establish a trust framework of rules for the use of digital verification services in the UK.
  • Give organisations more clarity on when they can process personal data without needing consent.
  • Support international trade without creating extra costs for businesses if already compliant with current UK data regulation.

Changes that are likely to be of interest to most organisations include:

  • The introduction of a more subjective (and potentially narrower) definition of personal data – the individual only has to be identifiable to the controller or processor, or to others who are reasonably likely to receive the information.
  • A list of recognised “legitimate interests” – which notably includes processing for direct marketing purposes.
  • A test for adequacy regulations (a.k.a. data bridges) – the standard of protection in a third country must not be “materially lower” than under the UK GDPR when assessed in a “holistic way”.
  • Clarifying that Article 30 records and DPIAs are only required for “high risk” processing activities.
  • Removing the requirement for a UK representative.
  • Replacing the DPO with a Senior Responsible Individual (an SRI is only needed for public bodies or high-risk processing).
  • Introducing a new, lower threshold of “vexatious or excessive” for DSARs.
  • Expanding the exemptions to the requirement for consent to cookies. It seems that functional and basic non-intrusive analytics cookies will fall within the exemption, though it is still unclear exactly what this means, so further clarification is likely to be required.
  • Widening the soft opt-in exemption to cover non-commercial organisations such as political parties and charities.
  • Increasing fines for e-privacy breaches from £500,000 to UK GDPR fine levels.
  • Introducing clarifications around Article 22 – automated decision making.

The government says that it is committed to increasing wider international confidence in the robustness of the UK’s data regime and maintaining data adequacy with the EU (which comes up for review in 2025).

What does this mean for your business?

DSIT and the UK Government have sent a clear message to UK businesses: if your business is currently complying with the UK GDPR, it will still be in compliance once the New Data Bill makes its way into law. This is welcome relief for multinational businesses that aim for a harmonised UK/European Union approach (with the added benefit of being able to dip in and out of the benefits the New Data Bill will offer when desired). In short, there will be no need to suddenly take a different approach to data protection compliance in the UK from your current EU/UK approach, although we do expect a number of UK businesses to take advantage of some of the relaxations proposed by the New Data Bill.