Data Protection & Digital Information Bill (DPDI) changes will be announced shortly in a further shake-up of UK data laws.

TAKEAWAYS

The new Department for Science, Innovation and Technology (DSIT) will shortly release proposals for changes to UK data laws, including edits to the DPDI Bill.

This is part of sweeping changes that have seen data laws policy move from the prior Department for Digital, Culture, Media and Sport (DCMS) to the new DSIT and building on the DCMS 2021 consultation: "Data: a new direction." The stated goal is to "cut red tape" and position the UK as a more attractive location for digital economy businesses post Brexit.

While any changes to the UK GDPR and Data Protection Act may drive some opportunity, they also carry risks for businesses seeking more uniformity, not less, run counter to the trend of more GDPR-like laws being passed and risk the UK's data laws adequacy status with the EU.

Businesses already face an uphill struggle keeping pace with fast changing and multiple new data laws being passed in multiple U.S. states as well as numerous countries around the world. The one silver lining has been the emergence of a recent trend of basing, to some extent, many of these new laws on the GDPR. This means that one way forward has been to look to build upon effort already expended on creating and administering GDPR compliance frameworks, albeit with updating needed for relevant recent changes or enforcement. The current efforts of the UK government therefore may well leave some feeling nervous. The details of any proposed changes to the UK GDPR will have to be scrutinized to assess impact (and to see if Data Protection & Digital Information Bill (DPDI) proposals regarding fines, cookies, data protection officers (DPOs), Data Protection Impact Assessments (DPIAs), etc. survive). We will also have to keep an eye on how the EU responds, as any removal of adequacy status will add further complications to EU-UK data transfers. One thing that is for certain is that any business with UK operations, customers, suppliers or partners will need to freshly review and likely make changes to its policies, documents and procedures to account for any changes this year.

The UK government hopes that the changes to data laws will "reduce red tape" faced by businesses operating in the UK or targeting UK individuals, moving to an approach that is outcome-focused rather than "box-ticking," and increasing competitiveness and efficiency of UK businesses.

The UK Secretary of State Michelle Donelan is due to reveal more details of the proposed changes this month. Further changes to the last version of the DPDI Bill are expected. By way of reminder, the DPDI proposals included:

  • Modernizing the UK's privacy regulator, the Information Commissioner's Office, and empowering it to take stronger actions against organizations;
  • Removing consent requirements for cookie use in an expanded range of exempted purposes and, however, also increasing fines to GDPR levels;
  • Removing the need to do a balancing test as to whether certain "legitimate interests" processing is overridden by data subject rights;
  • Changing the purpose limitation principle to benefit controllers;
  • Changing the grounds for refusing data subject requests;
  • Changing restrictions on automated decision-making;
  • Removing requirements for appointing UK representatives (less onerous than EU rule);
  • Relaxing rules around records of processing activities (ROPA) requirements;
  • Changing rules around DPOs; and
  • Changing rules around DPIAs.

The DPDI Bill replaced the previously named Data Reform Bill, so it is likely there will be a fair deal of further tinkering to the DPDI with the new proposals.

The government has previously stated that the changes should not diminish the protection of personal data in the UK, for which it seeks to retain a "gold standard." Any significant deviation from current practices would, however, likely add to complications for international businesses. If the EU takes a dim view, it could also risk the UK losing its "adequate" status, which currently allows for personal data to flow uninhibited between the UK and the EU.

Businesses will need to revisit their operations once we have more details.

The newly minted Department for Science, Innovation and Technology (DSIT) is a priority project for the Sunak government. It is therefore likely that, although the prior Data Reform and DPDI Bills made slow progress, the new proposals being announced this month will have more momentum and lead to changes to UK data laws and variances with the EU GDPR. Businesses are advised to monitor the latest developments and consider how this will likely impact their current business activities, data protection policies and procedures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.