Skip to main content

Data reform returns to the agenda

The Government’s second attempt at data reform has led to the introduction of the Data Protection and Digital Information (No.2) Bill.

After being introduced in a blaze of glory, heralding the future of UK data processing within the UK, the Data Protection and Digital Information Bill was withdrawn and replaced by the Data Protection and Digital Information (No.2) Bill (the “Bill”) on 8 March 2023. Although with less fanfare, the current Government still believes the Bill will ensure that business will be able to understand and implement data protection legislation easier, while UK businesses will make savings of over £4billion due to the proposed legislative reforms.

The Bill is currently at the very early stages of its passage through Parliament and is subject to change. Therefore, time will tell whether or not the Bill’s proposals are enacted fully; the suggested economic benefit materialises; and, importantly, how Europe reacts to the final text – will it have an impact upon the EU’s current adequacy decisions in relation to the UK?

With regard to the latter point above, commentators differ in their opinion upon the potential impact upon adequacy. However, regardless, it is clear that data reform is on the horizon and your business should be ready.

If the Bill becomes law, it will effectively amend the UK GDPR, the Data Protection At 2018 and the Privacy and Electronic Regulations (“PECR”). However, it is important to note that the plan is that if a business is fully compliant with the current UK GDPR, then the Bill will entail evolution (perhaps even a widening of processing activities) as opposed to revolution. The burning question at this stage being – is your business currently fully compliant with the UK GDPR and related data protection laws? If not, there is no time like the present to rectify.

The Bill has tweaked some of the principles of its withdrawn predecessor and, as currently drafted, includes changes to the restrictions relating to automated processing; a simplification of the ‘Legitimate Interests’ procedures (including a relaxation of the rules relating to balancing test against the rights and freedoms of data subjects in relation to certain purposes); a relaxation of the rules with regard to record keeping when not carrying out high risk processing activities; the introduction of new direct marketing obligations for providers of electronic communications networks; a relaxation of consent requirements for the use of cookies and similar technologies in relation to a range of purposes; and an increase in potential fines for breaches of the PECR to provide uniformity.

The UK Government has insisted that the purpose of the Bill includes aiding the UK data economy, providing clarification, and introducing flexibility into data processing activities. It is debatable whether or not the Bill will achieve such aims. However, it is agreed by most legal analysts that clarification certainly is required in relation to certain aspects of the current data protection regime. However, the balance required is reform which will not adversely impact EU adequacy.

The key takeaway for businesses at this stage is that data reform is on its way and will increase the importance of lawful data processing in the future. Ensure that your house is in order now in relation to your future data and digital activities. 

To discuss the data reform announcement and what it means in more detail or to discuss any other issues involving IT systems and data protection, contact our data protection solicitors.