2022 saw the proposed reform of the UK’s data protection regime, but fast-forward a few months and the original Data Reform Bill (the Data Protection and Digital Information Bill) has been withdrawn. The Government decided to revisit the original bill in order to adopt a more business- and consumer-friendly approach.
In its place, on 8 March 2023 the Government introduced the revised Data Reform Bill (the Data Protection and Digital Information (No. 2) Bill) (the “Bill”).
The Bill has not departed significantly from positions under the previous bill, with only some limited additions. The content of the Bill has attracted both praise and criticism. Many UK businesses are expected to welcome the changes, with the Bill reducing bureaucracy and providing more autonomy in relation to the use of personal data, with potential cost and time savings as well. However, some are sceptical about whether the Bill goes far enough to achieve its aims and instead are of the view that it creates unjustified complexities by diverging from established GDPR positions without any meaningful reform.
EU data protection legislation will still apply to businesses operating within Europe or processing personal data of EU data subjects. As a result, the proposed changes are unlikely to reduce the administrative burden for international organisations or those UK businesses that process EU citizen data. These companies would need to continue complying with the current GDPR framework. Keeping abreast of the two distinct regimes could actually end up creating an increased workload.
We highlight some of the key proposed changes under the Bill, together with their practical impact on businesses that are subject to UK data protection laws. Many of these changes will look familiar from last year’s Data Reform Bill.
The revised Bill has not lived up to the promises that were made when the initial Data Reform Bill was paused. Many hoped that it would be replaced by more bespoke privacy rules for the benefit of both businesses and consumers. However, there are still positive changes within the revised Bill (many of which were also present within the previous version). These changes will reduce the administrative burden for some businesses, and for those that do not directly feel this benefit because they still need to comply with diverging EU standards, at least the UK data protection regime will be somewhat simplified and easier to navigate.
It is sensible for the UK Government to have taken a cautious approach to data protection reform, to avoid the European Commission rethinking the UK’s adequacy decision so soon after it was granted and putting the free flow of personal data between the EU and UK at risk.
Businesses should avoid viewing the increased flexibility of the reforms in isolation and ensure that, despite the increased autonomy, they are still exercising sound judgment. As one example, while businesses may no longer need to keep such extensive data processing records, they should consider the consequences of not doing so and whether this would make other tasks more difficult, particularly responding to data subject requests or dealing with a security breach. Businesses must also still ensure they are in compliance with all applicable aspects of privacy legislation, which will ultimately require businesses to have a comprehensive understanding of their data flows.
The Bill will be subject to a debate in the House of Commons at a date to be confirmed and will need to be approved by both Houses of Parliament before it can be adopted into law. Ashfords will continue to monitor the progress of the Bill.