The Data Protection & Digital Information (No.2) Bill (DPDI2) is now published, confirming the shake-up of UK data laws.

TAKEAWAYS

The new Department for Science, Innovation and Technology (DSIT) has now published the anticipated proposals for changes to UK data laws.

This new statute was unveiled as part of the government's desired goal to "cut red tape" and position the UK as a more attractive location for digital economy businesses post Brexit.
While changes to the UK GDPR and the Data Protection Act 2018 may create some opportunities, they also carry risks: many businesses want more uniformity across jurisdictions, not less; the changes run counter to the trend of more GDPR-like laws being passed elsewhere; and they put at risk the UK's data protection adequacy status with the EU (notwithstanding the UK government's view of the Bill).

Businesses already face an uphill struggle keeping pace with the numerous, fast-changing new data laws being passed in multiple U.S. states and in countries around the world. The one silver lining has been the recent trend of basing many of these new laws, to some extent, on the GDPR. This has allowed businesses to build on the effort already spent creating and administering GDPR compliance frameworks, albeit with updates for relevant recent changes and enforcement activity. The UK government's changes may therefore leave some feeling nervous. The changes to the UK GDPR will need to be scrutinized once the Data Protection & Digital Information (No.2) Bill (DPDI2) has completed its parliamentary readings, so that the final impact can be assessed (e.g., regarding fines, AI, cookies, international transfers, legitimate interests, records of processing activities (ROPA), data protection officers (DPOs), Data Protection Impact Assessments (DPIAs), etc.). We will also have to see how the EU responds, as any loss of adequacy status would add further complications to EU-UK data transfers. Any business with UK operations, customers, suppliers or partners will need to review its policies, documents and procedures afresh and consider what changes DPDI2 requires.

The UK government hopes that the changes to data laws will "reduce red tape" faced by businesses operating in the UK or targeting UK individuals, moving away from "box-ticking."

The UK Secretary of State Michelle Donelan stated this week that "no longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR" and that the new laws "will be easier to understand, easier to comply with."

It remains to be seen what amendments might be made as the Bill passes through its parliamentary stages, but some key changes proposed in the earlier DPDI Bill remain, while other proposals are new. Key proposals include:

  • Modernizing the UK's privacy regulator, the Information Commissioner's Office, and empowering it to take stronger actions against organizations;
  • Removing consent requirements for cookie use in an expanded range of exempted purposes (e.g., statistical information or user preferences);
  • Increasing fines to GDPR levels for nuisance marketing calls and texts;
  • Removing the need to do a balancing test for certain "legitimate interests" processing (with a new list including direct marketing and intraorganizational data transfers);
  • Changing the purpose limitation principle to benefit controllers;
  • Changing the grounds for refusing data subject requests;
  • Changing restrictions on AI and automated decision-making;
  • Freeing up businesses to process personal data for research purposes (any processing that "could reasonably be described as scientific" and a proposed new illustrative list);
  • A new adequacy test for international data transfers from the UK, provided the third-country protections are not "materially lower" than the UK GDPR, when assessed in a "holistic way;"
  • Confirming transfer mechanisms lawfully entered into before the UK GDPR reforms take effect remain valid;
  • Removing the requirement to appoint a UK representative (making the UK rule less onerous than its EU equivalent);
  • Relaxing the ROPA requirement so that records of processing need be kept only for processing that is likely to pose a high risk to the rights and freedoms of data subjects;
  • Changing rules around DPOs (new "senior responsible individual" or SRI);
  • Changing rules around DPIAs (new high-risk threshold); and
  • DSIT/Secretary of State being given new powers in the Bill to determine the details of when data can be processed.

The government has stated that the changes "introduce a simple, clear and business-friendly framework" ... "taking the best elements of GDPR and providing businesses with more flexibility." It remains to be seen whether the new law will be simple to comply with in practice and how it will fit with laws in other jurisdictions. It also remains to be seen how the EU will view this cherry-picking from, and departure from, the GDPR. If the EU takes a dim view, the UK could still lose its "adequate" status, which currently allows personal data to flow uninhibited between the UK and the EU.

Businesses will need to revisit their operations now that we have the details of these proposed DPDI2 changes.

The Department for Science, Innovation and Technology (DSIT) is a priority of the Sunak government, and the new DPDI2 Bill confirms the intention to shake up data laws in the UK. While some businesses will welcome some of the changes, the deviations from the EU GDPR position could cause confusion and practical difficulties. Now that the provisions have been published, businesses are advised to review DPDI2 and consider how it is likely to affect their current business activities, data protection policies and procedures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mr Rafi Azim-Khan
Pillsbury Winthrop Shaw Pittman
31 West 52nd Street
New York
NY 10019-6131
UNITED STATES
Tel: 202663 8000
Fax: 202663 8007
URL: www.pillsburylaw.com

© Mondaq Ltd, 2023 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source Business Briefing