In an update to the original Data Protection and Digital Information Bill brought to the UK’s House of Commons on 18th July 2022, the Data Protection and Digital Information (No.2) Bill was introduced on 8th March 2023 with the aim of strengthening the country’s data protection law and increasing online safety.
What is the Data Protection and Digital Information Bill?
Michelle Donelan, Secretary of State for Science, Innovation and Technology, said that the new Bill followed a detailed consultation with industry and business, as well as privacy and consumer groups and would “create a new UK data rights regime tailor-made for our needs”. The goal of the new Bill was to make the legislation simpler and reduce bureaucracy for businesses and potentially make savings of £4.7bn in the economy over the next decade.
The Data Protection and Digital Information Bill is essentially an update to the existing UK GDPR legislation and businesses compliant with this should not have to make any changes. What is does do, however, is attempt to tackle some of the issues arising from GDPR.
The Bill’s aims are to:
- enable digital identities to be used instead of paper documents.
- increase fines for nuisance calls and texts (up to 10% of global turnover), as well as penalties for not reporting breaches.
- update the PECR (Privacy and Electronic Communications Regulations) to cut down on ‘user consent’ pop-ups and banners.
- allow for the sharing of customer data, through smart data schemes.
- enable a move from a paper-based system to electronic registration of births and deaths in England and Wales.
- facilitate the flow of personal data for law enforcement and national security purposes.
- create a clearer legal basis for political parties to process personal data.
Changes that affect businesses
Scientific research – Under the new Bill, “Scientific research” covers “processing for the purpose of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”. This should be welcomed by research businesses, however there are questions as to how this definition will apply to privately funded technological development.
Legitimate interests – Businesses can rely on legitimate interests without the requirement to conduct a balancing test (whereby a business must balance the interests of an individual’s rights with the need to process personal data) where those legitimate interests are “recognised”, i.e., national or public security, defence, emergencies, or crime prevention. Balancing tests must be carried out for purposes of direct marketing, or transmission of personal data for internal administration.
Record keeping – While the previous Bill stated that companies must keep records of processing, in the updated Bill processors will be exempt from this unless carrying out high risk processing activities.
Direct marketing – There are new obligations on providers of electronic communications networks to notify the ICO (Information Commissioner’s Office) of “any reasonable grounds” they have for suspecting that a person or business is breaching the legislation.
Automated decision making and AI – The previous bill states that restrictions under Article 22 UK GDPR should only apply to decisions that are a result of automated processing without “meaningful human involvement”. The new Bill states that profiling (analysing a person’s personality or habits) should be considered when making this assessment.
International transfers – Companies that have lawfully entered into alternative transfer mechanisms under UK GDPR law entered before the new Bill was passed can continue to use these mechanisms. This should provide reassurance to the relevant businesses.
Cookies – As with the previous bill, there will be an increase in potential fines for breaches of the PECR. Consent is not required for online trackers. However, the DSIT has said it will work with businesses over these provisions.
Make sure your business is protected
Building on from earlier GDPR legislation, the Data Protection and Digital Information Bill (No.2) represents a significant step forward for data protection and online safety in the UK. Whether it reduces the administrative impact and cost for organisation remains to be seen.
The legislation isn’t straightforward and the fines for breaching the rules can be onerous. If you’re at all unsure if your business is affected, it’s essential you have the right legal advice. Protect your business by booking a free 15-minutes consultation with JPP Law or you may consider a Data Protection Audit.