The revised Bill addresses some of the biggest barriers organisations face when handling personal data for research, innovation and basic business services.
On Wednesday 8th March 2023, the UK Government introduced the Data Protection and Digital Information (DPDI) No. 2 into Parliament, which enhances and replaces the originally proposed reforms to the UK GDPR in the first DPDI Bill, July 2022.
The changes come after industry groups including techUK called on the Government to push proposals in the Bill further to make the the UK's data protection laws more user friendly for researchers, innovators and smaller companies.
Following informal consultation with a range of stakeholders including techUK and consumer groups such as Which?, the UK Government yesterday set out the five areas they have targeted for further reform:
- Legitimate interests: the Government has set out a non-exhaustive list of activities which may be considered a legitimate interest, including direct marketing, intra-organisational movement of data, and maintenance of security of networks and information systems. Explanatory notes adds that legitimate commercial activity can also be included. All of these activities will still require a balancing test.
- Scientific research: in the Bill text and explanatory notes, the Government has clarified that the definition of scientific research in the UK GDPR includes research carried out as a commercial activity' and could include activities such as 'applied or fundamental research or innovative research into technological development,'
- Reducing compliance: to help lessen burdens for low data-intensive businesses, requirements such as risk assessments, record keeping and the need for a senior responsible individual will now only be triggered in relation to high-risk processing activities.
- International transfers: organisations will not be required to apply the new data protection test set out in in the Bill if they already have existing data transfer mechanisms in place, underpinned with appropriate safeguards. Any new mechanisms from the Bill's commencement date, will require the test.
- Automated decision making: the Government has clarified that profiling is only subject to the requirements of Article 22 when a significant decision is made without meaningful human intervention.
Commenting on the reforms, techUK CEO Julian David said,
techUK yesterday welcomeed DPDI announcement which sets out new targeted adjustments, co-designed with industry to help offer companies more legal confidence when conducting research, carrying our basic business services, and developing new technologies such as AI. At the same time, the changes retain levels of data protection in line with the highest global standards, and adequacy with the EU.
However, there are still outstanding questions on how some reforms will work in practice, such as an opt-out model for cookie consent, and new obligations around tracking and reporting unwanted calls, which we look forward to working closely with officials on.
Next steps
Overall, we believe the Government has well leveraged its opportunity to make the UK GDPR more workable for all organisations, in line with techUK's vision for the future of UK data governance. We would like to see these ready-to-go benefits seized by industry as soon as the Parliamentary timetable can allow.
Further delays to the Bill will hold back benefits the new laws can offer to businesses, and also risk hampering the sensible balance the Government has struck between pro-innovation reform, and maintaining a high standard of data protection rights.
Now laid before Parliament, the Bill will undergo a scrutiny period which will be crucial for addressing outstanding questions on reforms such as those related to nuisance calls, cookies and Secretary of State regulation making powers. Once passed, the regulator will also play a vital role in providing organisations and individuals with guidance for implementing the new regime.
As the Bill moves forward for debate in Parliament, techUK will continue to work closely with Government, MPs, and the regulator to get the new rules over the line.
Julian David, CEO, techUK
Julian David is the CEO of techUK, the leading technology trade association that aims to realise the positive outcomes of what digital technology can achieve through innovation and collaboration, and serves on its board of directors.
Dani Dhiman, Policy Manager, Data, techUK
Dani joined techUK in October 2021 as Policy Manager for Data.
As Associate Director for Policy Neil leads techUK's domestic policy development in the UK. In this role he regularly engages with UK and Devolved Government Ministers, senior civil servants and members of the UK's Parliaments with the aim of supporting government and industry to work together to make the UK the best place to start, scale and develop technology companies. Neil also acts as a spokersperson for techUK on UK policy in the media and at Parliamentary Committees.
techUK - Getting Regulation Right for a Digital Society
Visit our Digital Regulation Hub to learn more or to register for regular updates.
techUK is in constant dialogue with Government and policy makers to provide the perspective of the tech industry on a wide range of policy issues. Our working groups, networks, and events - including our annual Digital Ethics Summit and Tech Policy Conference - enable cross-sector collaboration and are crucial sources of insight and thought leadership. Get in touch to see how we can support your policy work. Visit our Digital Regulation Hub and complete the contact us' form.
Digital Regulation Hub - related resources:
- ICYMI: Webinar - 2023 Outlook for Digital Regulation: How do we get it right? 1 February
- News: techUK statement on an amendment to introduce expanded senior management liability provisions in the Online Safety Bill
- News: Removing confusing legal but harmful' definition for adults is the right way to ensure the Online Safety Bill can achieve its objectives to make the UK the safest place to be online for children
- On demand: Preventing and detecting fraud - the role of technology webinar
- News: Plans to reform the UK's data protection regime represent an important evolution for the UK GDPR