The UK government is introducing a revised version of its post-Brexit data protection reforms to Parliament, which it claims will save organisations £4.7bn over the next decade.
Originally introduced to Parliament in July 2022, the Data Protection and Digital Information Bill was due for its second reading on 5 September – the day the Conservative Party leadership election concluded – but was pushed back to allow “ministers time to consider the bill further”.
The government now claims the updated bill will introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement, by providing businesses with more flexibility in how they comply with the new data laws, and further reducing the amount of paperwork required by organisations to show compliance.
As a result of reduced paperwork, the government has said that only organisations whose processing activities are likely to pose high risks to individuals’ rights and freedoms (such as when processing large volumes of sensitive data about people’s health) will need to keep processing records.
“Co-designed with business from the start, this new bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs,” said science, innovation and technology secretary Michelle Donelan.
“Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR [General Data Protection Regulation].
“Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next-generation technologies, create jobs and boost our economy.”
The government added that the revised bill will also support increased international trade without creating extra costs for businesses already compliant with existing data protection rules, as well as boost public confidence in the use of artificial intelligence (AI) technologies by clarifying the circumstances in which safeguards apply to automated decision-making.
For instance, if an automated decision has been taken without “meaningful human involvement”, an individual will be able to challenge that decision and request that another person review the outcome instead. However, the government has not specified what meaningful human input would look like.
The government claimed that the UK’s existing data protection laws are “complex and lack clarity for solely automated decision-making and profiling”, making it “difficult for organisations to responsibly use these types of technologies”.
The new regime will also provide organisations with greater confidence about when they can process personal data without people’s consent, for example, where there is a public interest in sharing personal data to prevent crime or safeguard national security.
Civil society reacts
In response to the bill’s revision and reintroduction, however, 26 civil society organisations – including Open Rights Group (ORG), the App Drivers and Couriers Union, Liberty, Big Brother Watch, and the United Tech and Allied Workers, among others – signed an open letter to Donelan calling for it to be scrapped and taken back to the drawing board.
“The most recent version of the bill contained many concerning and ill-considered proposals which endanger UK residents and UK data protection,” they wrote.
“In recent months, a wave of legislation (related to protest, freedom of speech, and more) has attempted to consolidate power in the hands of the government and corporations at the expense of the rights of everyday people. Following that trend, the proposed changes in this bill will reduce proper oversight of data processing, jeopardise sensitive information about UK residents, and create opportunities for discrimination against vulnerable groups.”
Specifically, the signatories noted that the bill would change the data protection impact assessment process so that organisations no longer have to consult with data subjects affected by high-risk processing; lower the thresholds for organisations to refuse subject access requests; and remove individuals’ right not to be subject to automated decision-making.
They added that the government would also be able to interfere with the regulatory function of the Information Commissioner’s Office (ICO), and that the secretary of state would be allowed to approve international transfers with little regard to the existence of enforceable rights and effective remedies.
The secretary of state will also be able to create new legitimate grounds for processing data, which has the potential for abuse.
“Clauses 5 and 6 of the bill would allow the secretary of state to legitimise data uses and reuses via statutory instrument (SI) without meaningful parliamentary scrutiny, and without due regard of proportionality or the impact on individuals’ rights and freedoms,” they wrote.
“ORG’s work with organisations representing over-policed groups has brought to light how justifications for the collection and retention of data lurk outside ordinary criminal justice protocols and target minoritised groups on highly subjective grounds.”
Technology businesses took a much more positive view of the bill. TechUK CEO Julian David, for example, said it would bring organisations clarity and flexibility when using personal data.
“The changes announced today will give companies greater legal confidence to conduct research, deliver basic business services and develop new technologies such as AI, while retaining levels of data protection in line with the highest global standards, including data adequacy with the EU,” said David.
Chris Combemale, chair of the Bill’s Business Advisory Group and CEO of the Data & Marketing Association (DMA UK), added: “We are confident that the bill should act as a catalyst for innovation and growth, while maintaining robust privacy protections across the UK – an essential balance which will build consumer trust in the digital economy.”
The revised bill was also welcomed by the information commissioner, John Edwards, who said he was supportive of its “ambition to enable organisations to grow and innovate whilst maintaining high standards of data protection rights. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society.
“The bill will ensure my office can continue to operate as a trusted, fair and independent regulator. We look forward to continuing to work constructively with the government to monitor how these reforms are expressed in the bill as it continues its journey through Parliament.”