On March 8, 2023, the U.K. Secretary of State for Science, Innovation and Technology announced the publication of the Data Protection and Digital Information (No.2) Bill. This new version of the Data Protection and Digital Information Bill will effectively supersede the prior draft, which was first published in July 2022.
The Bill would not alter the fundamental principles of the existing UK GDPR—which is very similar to the EU GDPR—allowing companies that are already compliant to remain compliant. Instead, as the Secretary explained when it was announced, the Bill was designed with input from businesses and data experts, and is intended to create less “red tape” than the existing European GDPR. Notably, the new Bill has several business-friendly features, such as:
- Reduced Record Keeping: A controller that carries out processing of personal data would no longer be required to maintain appropriate records of processing unless such processing is likely to result in a high risk to the rights and freedoms of individuals.
- Removal of U.K. Representative Requirement: The Bill would omit Article 27 of the existing UK GDPR, which requires controllers or processors not established in the UK to appoint a representative that is physically located in the UK.
- Clarified “Legitimate Interest”: Processing with a “legitimate interest” would now expressly include processing for purposes of direct marketing, processing for intra-group transmission of personal data, and processing that is necessary for the purposes of ensuring the security of a network or information systems. Further, the explanatory notes state that these express examples are illustrative only and non-exhaustive, and that a data controller may process personal data for other legitimate activities, “providing the processing is necessary for the activity and appropriate consideration is given to the potential impact of the processing on the rights and interests of data subjects.” However, Article 6 of the UK GDPR would still limit such processing “where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
- International Data Transfer Standards: The Bill would allow for data transfers to a third country or international organization if “the standard of the protection provided for data subjects with regard to general processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects.”
- Cookies: Consent would no longer be required for cookies when those cookies are used to: (1) collect information for statistical purposes about how the service or website is used, with a view to making improvements to the service or website; (2) enable the way the website appears or functions to adapt to the preferences of the subscriber or user; (3) update software, if that is the cookie's sole purpose; or (4) respond in the case of an emergency. However, for (1) to (3), the user must still be provided with “clear and comprehensive information about the purpose of the storage or access” and be given a “simple” means of objecting to the storage.
The Bill is currently awaiting its second reading to be scheduled in the House of Commons.
Even if the Bill progresses, it will not radically alter (or even require changes to) existing compliance regimes. However, the Bill is notable in that it may signal that the UK is willing to test new paths that diverge from the EU in the future.