On 8 March 2023, a revised version of the Data Protection and Digital Information (No. 2) Bill (“Bill (No. 2)”) was introduced to Parliament. The second reading of Bill (No. 2) in the House of Commons is due to take place on 17 April 2023 and, whilst there are still many hurdles for Bill (No. 2) to get over, it is important that businesses start preparing for the potential changes that Bill (No. 2) will bring and also take this time to reflect on whether they are currently compliant with data protection legislation.
The Government released the previous Data Protection and Digital Information Bill (“Old Bill”) on 18 July 2022. Following a turbulent time in politics in the UK, the second reading of the Old Bill was put on hold to give ministers time to further consider the legislation. On 8 March 2023, the Old Bill was withdrawn and replaced by Bill (No. 2). Bill (No. 2) is currently with the House of Commons and is in the early stages of its passage to Royal Assent and adoption.
Bill (No. 2) seeks to make amendments to a number of different pieces of data protection legislation including the UK GDPR, Data Protection Act 2018, and Privacy and Electronic Communications Regulations. The Government intends to cut ‘pointless paperwork’ and create a simpler framework of data protection legislation for businesses. The new framework is intended to give businesses greater flexibility in choosing how best to comply with the relevant legislation.
The Science, Innovation and Technology Secretary Michelle Donelan stated that “Our [new data protection] system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain.”
The Government also expects these reforms to unlock £4.7 billion in savings for the UK economy over the next 10 years.
Businesses that already comply with UK data protection laws will not be required to make any substantial changes.
The key changes under the new Bill (No. 2) are:
- Broadening and clarifying the ability to use personal data for research purposes;
- The introduction of a list of situations where businesses can rely on the legitimate interests legal basis for data processing, which includes direct marketing, certain intra-group transfers and IT security;
- Clarification on the restrictions surrounding automated decision making, with the option for the Secretary of State to publish further guidance;
- Changes to the obligation to maintain records of processing activities, so that record keeping is only required where the processing is likely to result in a high risk to the rights and freedoms of the individuals whose data is being processed;
- Relaxation of the rules on cookies so consent is not needed for certain statistical, functional, security and location cookies;
- Increased GDPR-level fines for businesses that fail to comply with the Privacy and Electronic Communications Regulations, which mainly relate to direct marketing and cookie consent; and
- The role of Data Protection Officer will be replaced with that of Senior Responsible Individual.
What happens next?
Bill (No. 2) will go through a second reading on 17 April 2023. After this, it will go through a detailed line-by-line examination by a committee and amendments will be suggested. This will be followed by a review of the proposed amendments and a third reading. This process will need to be repeated through the House of Lords before there is a final consideration of the amendments and the grant of Royal Assent.
It is expected that the reforms of the data protection framework will take effect during the course of 2023.
Next Steps for Businesses
Businesses should keep a close watch on developments over the coming months and be ready to update their procedures and contracts should Bill (No. 2) be adopted and they consider that they may not comply. However, in its current form and by the intention of the legislature, Bill (No. 2) is highly unlikely to pose any administrative difficulties to businesses that are compliant with the current data protection framework.
Whilst the intention of Bill (No. 2) is to simplify data protection compliance in the UK, it is questionable whether it will achieve its aim, because most UK businesses deal in both the UK and the EU, so they will still have to comply with EU data protection legislation, which mirrors the current UK framework. It will be impractical for businesses to operate a “two-tier” approach to data protection compliance, so they will simply adopt the more burdensome EU standards for all their data.
It will also be interesting to see whether the UK’s divergence from EU law has an impact on the UK’s adequacy decision, which permits data transfers from the EU to the UK.
If you have any questions regarding either your business’s compliance with the data protection framework or regarding the new Data Protection and Digital Information (No. 2) Bill, please get in touch with the commercial team at Marriott Harrison.