March 13, 2023
The Data Protection and Digital Information Bill was first introduced in July 2022 but paused in September 2022. The Government says that it has co-designed the revised Bill with key industry and privacy partners to give organisations greater flexibility over how they can comply with the regime while maintaining high data protection standards.
The Government says that the “improved” bill will, in broad terms:
- introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement, taking the best elements of GDPR and providing businesses with more flexibility about how they comply with the new data laws;
- ensure the new regime maintains data adequacy with the EU and wider international confidence in the UK’s comprehensive data protection standards;
- further reduce the amount of paperwork organisations need to complete to demonstrate compliance;
- support more international trade without creating extra costs for businesses if they are already compliant with current data regulation;
- provide organisations with greater confidence about when they can process personal data without consent; and
- increase public and business confidence in AI technologies by clarifying the circumstances when robust safeguards apply to automated decision-making.
In more detail, the Government says that the revised Bill will:
- introduce obligations on providers of electronic communications services to notify the ICO of “any reasonable grounds” for suspecting a contravention of direct marketing rules, and increase the maximum fines for nuisance calls and texts to 4% of global turnover or £17.5 million, whichever is greater;
- reduce the number of consent pop-ups people see online (not yet included in the Bill but apparently a work in progress);
- establish a framework for the use of trusted and secure digital verification services;
- strengthen the ICO through the creation of a statutory board with a chair and chief executive;
- update the definition of “scientific research” to clarify that commercial organisations will benefit from the same freedoms as academics to carry out innovative scientific research, such as making it easier to re-use data for research purposes;
- provide that only organisations whose processing activities are likely to pose high risks to individuals’ rights and freedoms need to keep processing records;
- give organisations more clarity about when they can process personal data without needing consent or having to conduct a legitimate interest test for certain public interest activities, e.g. where there is a public interest in sharing personal data to prevent crime, safeguard national security or protect vulnerable individuals;
- ensure that organisations can use automated decision-making with more confidence and that the right safeguards are in place for people about whom those decisions are taken, e.g. being able to challenge that decision and request a human to review the outcome instead; and
- ensure businesses can continue to use their existing international data transfer mechanisms to share personal data overseas if they are already compliant with current UK data laws.