Re-introduction of the Data Protection and Digital Information Bill
On Wednesday 8 March 2023 the Government announced that the revised Data Protection and Digital Information Bill (the DPDI Bill), which is new legislation seeking to reform existing data privacy laws in the UK (including the Data Protection Act 2018, UK GDPR and the Privacy and Electronic Communications Regulations 2003), would be re-introduced to Parliament after a 6-month hiatus.
The DPDI Bill, first introduced on 18 July 2022, was paused so that "ministers could engage in a co-design process with business leaders and data experts" to prepare a data protection regime that is "tailored to the UK's own needs and customs", moving away from the "one-size-fits-all" approach taken by the European Union (EU GDPR).
The new DPDI Bill is being promoted as the new "common-sense-led UK version of the EU's GDPR", seeking to reduce costs and burdens for British businesses and charities as well as "removing barriers to international trade."
The Government hopes that the new version of the DPDI Bill will introduce a simpler, clearer and business-friendly framework that will be more economical and easier to implement – taking the best elements of UK / EU GDPR and providing businesses with more flexibility in compliance, without compromising protections.
The Science, Innovation and Technology Secretary of State, Michelle Donelan, leading the Government's backing of this re-introduction, has stated the Government's aspiration for the new DPDI Bill to:
- ensure the new regime maintains data adequacy with the EU, and wider international confidence in the UK’s comprehensive data protection standards;
- reduce the amount of paperwork organisations need to complete to demonstrate compliance;
- support more international trade without creating extra costs for businesses if they’re already compliant with current data regulation; and
- provide organisations with greater confidence about when they can process personal data without consent and in relation to AI technologies by clarifying the circumstances when robust safeguards apply to automated decision-making.
The reality is that any new regime proposed by the Government cannot deviate too far from EU GDPR, without risking a loss of adequacy status for the UK, inevitably impacting trade relations and costs for exporting / importing businesses dealing with customers or suppliers in the EU. It will be interesting to see how far the DPDI Bill will actually diverge from EU GDPR given the UK's need to maintain adequacy status.
Several more iterations of the DPDI Bill are expected as it passes through Parliament, and we will be assessing the practical consequences of the detail of the DPDI Bill and the impact for our clients.