Last year the United Kingdom government introduced a legislative proposal to change the UK privacy/data protection regime (which essentially consists of UK GDPR, PECR [E-Privacy rules] and the Data Protection Act 2018). Parliamentary work on this draft legislation was then put on hold and the UK government has now “reintroduced” the draft legislation, with changes. This article briefly looks at this development.
What is the Bill about?
Today the UK government introduced to the UK Parliament the “Data Protection and Digital Information (No. 2) Bill” (“the Bill”).
Work on the previous draft legislation was paused so that government ministers could engage in a so-called “co-design process” with business leaders and data experts to try and ensure that the proposed new UK data protection regime builds on the UK’s existing data protection standards and aims to ensure so-called “data adequacy” whilst moving away from what the UK government terms the EU GDPR “one-size-fits-all” approach.
According to the UK government, the Bill is a “common-sense-led UK version of the EU’s GDPR [which] will reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online.” The Bill aims “to cut down pointless paperwork for businesses and reduce annoying cookie pops-up [sic]”.
According to the UK government, the Bill will:
- “Introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement – taking the best elements of GDPR and providing businesses with more flexibility about how they comply with the new data laws;
- Ensure our new regime maintains data adequacy with the EU, and wider international confidence in the UK’s comprehensive data protection standards;
- Further reduce the amount of paperwork organisations need to complete to demonstrate compliance;
- Provide organisations with greater confidence about when they can process personal data without consent;
- Increase public and business confidence in AI technologies by clarifying the circumstances when robust safeguards apply to automated decision-making;
- [B]uild on the high standards we already have for personal data use, strengthening and modernising the regulator (the Information Commissioner’s Office) by making sure it has the capabilities and powers to tackle organisations who breach data rules – giving it the freedom to better allocate its resources; and,
- [R]educe burdens by enabling businesses to continue to use their existing cross-border transfer mechanisms if they are already compliant.”
The Bill is at the second reading stage and will now be debated by Parliament, following which it can be expected that amendments to the Bill will be proposed.
What are the takeaways?
Much of the Bill overall seems to be about seeking to make clarifications. Certain clarifications may be welcome, given the difficulties in interpreting some aspects of the existing data protection regime. It remains to be seen, however, whether the final legislation will deliver the (claimed) substantive changes (such as getting rid of so-called Data Protection Representatives) or will in the end amount to a major tweaking exercise.
Whatever the final outcome, international organisations that have devoted much work, time and resources trying to ensure compliance with both the existing UK GDPR and EU GDPR may find that there is more work for them to do on the UK side of things (such as with regard to work to be done on the so-called “Senior Responsible Individual” or “Records of Processing”).
In any event, organisations should keep track of the Bill’s progress in order to be able to plan ahead for any changes that they may eventually need to make to their UK data protection compliance.
We have previously reported on plans to reform the UK data protection rules here https://www.corderycompliance.com/changes-uk-dp-regime-3/, here https://www.corderycompliance.com/uk-dp-regime/ and here https://www.corderycompliance.com/ukgov-ukdpr/.
We report about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The “Data Protection and Digital Information (No. 2) Bill” can be found here https://bills.parliament.uk/bills/3430.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
Office: +44 (0)207 075 1785