NEWS8 March 2023

New version of UK data protection bill

AI GDPR News Privacy Public Sector UK

UK – The UK government has set out a new version of laws reforming the UK General Data Protection Regulation (GDPR) with aims to reduce costs and regulations for UK businesses while retaining the country’s data adequacy agreement with the EU.

GDPR abstract image

A statement from the Department for Science, Innovation and Technology said that the Data Protection and Digital Information Bill, due to be published today, would introduce a new, business-friendly framework using the best elements of GDPR and providing more flexibility on how business comply with data laws.

The bill was originally published in June 2022 and included new powers for the Information Commissioner’s Office (ICO) and a relaxation of some requirements of the UK GDPR.

However, following changes in prime minister and government minister responsible for the bill, the bill was paused in September 2022 with a view to engaging with data industry and business leaders on its proposals.

The government said it hoped the new bill would reduce the amount of paperwork organisations need to complete to demonstrate compliance as well as providing greater confidence about when organisations can process personal data without consent.

There was also hope the bill would increase public and business confidence in artificial intelligence (AI) technologies by clarifying the circumstances when robust safeguards apply to automated decision-making.

Alongside these new changes, the bill will increase fines for nuisance calls and texts to be either up to four per cent of global turnover or £17.5m, whichever is greater, and aims to reduce the number of consent pop-ups people see online.

The bill will also allow customers to create certified digital identities and strengthen the Information Commissioner’s Office (ICO) through the creation of a statutory board with a chair and chief executive.

The government also said it would ensure the new data laws would comply with the UK’s data adequacy agreement with the EU and maintain international confidence in the country’s data protection standards.

The UK’s data adequacy agreement with the EU was agreed in 2021 to maintain data transfers between the two economic entities post-Brexit.

However, the European Commission introduced a four-year ‘sunset clause’ into data adequacy agreement and stated it could withdraw the agreement at any time if the UK fails to appropriately protect EU citizens’ data.

Science, innovation and technology secretary Michelle Donelan said: “Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain.

“Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy.”

John Edwards, UK Information Commissioner
“Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society.

“The bill will ensure my office can continue to operate as a trusted, fair and independent regulator. We look forward to continuing to work constructively with the government to monitor how these reforms are expressed in the bill as it continues its journey through parliament.”

Jane Frost, chief executive, Market Research Society
“MRS welcomes improvements to the research clauses of the bill which appear to reflect our contributions to the government’s working party on impact assessment. However, there remain elements of the bill, for example changes proposed to privacy and electronic communications regulations which could permit ‘plugging’ by political parties.

“Plugging (political campaigning under the guise of research) would have a negative impact on the public’s trust in research. Since the research sector in the UK is a world leader, undermining its effectiveness by reducing public confidence would be a consequence which MRS would seek to avoid. We look forward to working with government to iron out such remaining potential problems in the bill as it goes forward.”

Konrad Shek, director of policy research, Advertising Association
“The Advertising Association broadly welcomes the introduction of the new version of the DPDI bill and what has been achieved to date, with the added clarity to the use of legitimate interest, especially with regard to direct marketing; the inclusion of commercial research under research provisions; and reduction of overall paper requirements.

“We hope there will be further opportunities to amend the bill particularly in areas linked to non-intrusive cookies, such as increased clarity and flexibility over audience measurement and for ad performance.”

Chris Combemale, chief executive officer, Data & Marketing Association
“The DMA has collaborated with the government throughout the Data Protection and Digital Information Bill’s development to champion the best interests of both businesses and their customers.

“We are confident that the bill should act as a catalyst for innovation and growth, while maintaining robust privacy protections across the UK – an essential balance which will build consumer trust in the digital economy.”

Christie Dennehy-Neil, head of policy & regulatory affairs, IAB UK
“We urge the government to seize the opportunity it creates to improve people’s online experience by extending cookie consent exemptions to advertising measurement and analytics, which are necessary, non-intrusive functions.

“This would achieve the risk-based and proportionate approach to cookie consent that the government wants. In its current form, the bill doesn’t make the most of this opportunity for meaningful change.”