UK Data Protection Reform – new Data Protection and Digital Information Bill

On 8 March 2023 the UK government introduced a new Data Protection and Digital Information Bill. It follows a Bill introduced last summer, which was withdrawn for further consultation; the slightly revised Bill has now been re-introduced.

The Bill aims to tread a careful line between the UK having its own data laws post-Brexit and not going so far as to provoke the EU into withdrawing the UK’s adequacy status when it comes up for review in June 2025.

The objectives of the Bill:

  • To be more business-friendly and less difficult and costly to implement than the GDPR
  • To reduce the paperwork involved with compliance
  • To clarify aspects of the current law

Despite the UK’s wish to have its own data laws, the Bill does not depart in material respects from the GDPR. In fact, some critics of the Bill have said that the focus on merely clarifying rules, rather than making substantive changes, means the Bill is largely redundant. Others have said that the Bill actually makes some real practical improvements to the GDPR and that perhaps the EU or others will want to follow.

Some of the main changes are as follows:

Subject access requests

The Bill amends the exemption so that you can refuse to respond to a DSAR or charge a fee if a DSAR is ‘vexatious or excessive’. This exemption will allow more DSARs to be refused than the existing exemption of ‘manifestly unfounded or excessive’.

A request may be vexatious if it is not made in good faith, or is an abuse of process. For example, where a DSAR is (as is often the case in HR related claims) motivated not by privacy concerns, but as a pre-litigation disclosure exercise, or has a “mixed motive”, it may be more open to challenge and refusal than at present under the GDPR.

Legitimate interests

The Bill creates a new lawful ground for processing personal data, allowing you to process personal data where necessary for a “recognised legitimate interest” – i.e. processing that meets a condition in a new Annex 1 to the UK GDPR. This includes conditions such as preventing crime, civil emergencies, and safeguarding vulnerable individuals.

While these may not be useful for day-to-day business, the Bill also sets out examples of activities which will fall within the “legitimate interest” condition. These include processing for direct marketing, intra-group transfers, and for network security. This is helpful clarification, but is likely already the case under the GDPR.

Data security

The Bill modifies the terminology in the GDPR by replacing the requirement to implement “appropriate technical and organisational measures” (or TOMs) with “appropriate measures, including technical and organisational measures”. So, this is potentially broader than the GDPR.

Removal of the requirement to appoint a representative

Controllers and processors who are outside the UK but who must comply with the UK GDPR because of the extra-territoriality provisions will no longer be required to appoint a UK based representative.

Senior responsible individual

The Bill replaces the requirement to appoint a Data Protection Officer (DPO) with a new requirement to designate a “senior responsible individual” who must be part of the organisation’s “senior management”.

Record keeping

To reduce red tape, the Bill provides that a controller or processor is exempt from the duty to keep records, unless they are carrying out “high risk” processing activities. The ICO is to publish guidance with examples of the types of processing which the ICO considers are likely to result in a high risk.

Automated decision-making and AI

In respect of the rules relating to automated decision making (which can be important for AI technologies), the Bill clarifies that a decision based solely on automated processing is one in which there has been no “meaningful human involvement” in the taking of the decision. When considering whether there is meaningful human involvement in the taking of a decision, you must consider, among other things, the extent to which the decision is reached by means of profiling. Further regulation is to be expected to define when there has been meaningful human involvement in a decision.

PECR – Privacy and Electronic Communications Regulations 2003

There are also some updates to the rules on cookies. To reduce the need for cookie consents, cookies used for statistical purposes, for functionality, or to update software can be set without the need for consent.

Meanwhile, fines for nuisance calls and texts are increased from the current £0.5m to be in line with GDPR, i.e. up to either 4% of global turnover or 17.5 million GBP, whichever is greater.

Practical considerations

It seems likely that the new Bill will come into force during the course of this year.

Broadly speaking, most UK businesses will be able simply to continue with their current level of compliance without significant change, but for some there will be opportunities to take advantage of the somewhat more business-friendly amended rules.

However, one complexity is that many businesses are also subject to the EU GDPR as a result of the extra-territoriality provisions. They will need to be able to demonstrate compliance with both (slightly diverging) regimes.


Nigel Miller

UK to reform data protection laws

Nigel Miller (partner)

Prince Charles, in giving the Queen’s Speech on 11 May 2022, announced the government’s intention to reform UK data protection laws. The purpose of the reforms is to:

  • Take advantage of the benefits of Brexit to create a “world class data rights regime” that will allow us to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.
  • Modernise the Information Commissioner’s Office, making sure it has the capabilities and powers to take stronger action against organisations who breach data rules while requiring it to be more accountable to Parliament and the public.
  • Increase industry participation in Smart Data Schemes, which will give citizens and small businesses more control of their data. The Bill will also help those who need health care treatments, by helping improve appropriate access to data in health and social care contexts.

The main elements of the Bill are:

  • Ensuring that UK citizens’ personal data is protected to a gold standard while enabling public bodies to share data to improve the delivery of services.
  • Using data and reforming regulations to improve the everyday lives of people in the UK, for example, by enabling data to be shared more efficiently between public bodies, so that delivery of services can be improved for people.
  • Designing a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than “tick box” exercises.

The government sees the GDPR as a highly complex and prescriptive piece of legislation which encourages excessive paperwork, and creates burdens on businesses with little benefit to citizens. As the UK has now left the EU, the data protection framework can be reformed in order to reduce burdens on businesses.

Comment:

The contents of the Bill are not yet available and it remains to be seen quite how far these reforms will go. It is one thing (for example) to reduce paperwork, and remove the need for irritating cookie banners (a couple of the potential targets of the Bill), but another to go too far and put at risk the UK’s adequacy ruling that allows the free flow of data from the EU. In the end, the reforms may be helpful but relatively modest.

New Trans-Atlantic Data Privacy Framework

The European Data Protection Board has welcomed the announcement of a political agreement in principle between the European Commission and the United States of a new Trans-Atlantic Data Privacy Framework.

The proposed Trans-Atlantic Data Privacy Framework seeks to address the concerns which led to the Privacy Shield framework being found by the European Court to be invalid. The proposed new Framework will include:

  • Safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security.
  • A new two-tier redress system to investigate and resolve complaints from Europeans about access to data by US intelligence authorities. This includes a Data Protection Review Court.
  • Strong obligations for companies processing data transferred from the EU. This will include the requirement to self-certify their adherence to the US Department of Commerce.
  • Specific monitoring and review mechanisms.

When implemented, the Framework will provide a legal basis for personal data flows from the EU to the US.

However, it may be some time before organisations can rely on the new Framework as it has to be approved by the European Commission. At this stage, therefore, the Framework cannot be used for data transfers from the EU to the US and data exporters must continue to use Standard Contractual Clauses and to take the steps required to comply with the Schrems II decision of 16 July 2020.

And even when it is adopted, it will, like its predecessors (Safe Harbor and Privacy Shield), be open to legal challenge by privacy groups.

In any event, the Framework will not apply to transfers from the UK to the US, and the UK has previously indicated that the US is a priority for an “adequacy” partnership.

New UK International Data Transfer Agreement

Vlad Arutyunyan
Millie Pierce

On 2 February 2022 the UK Government’s Department for Culture, Media and Sport put before Parliament the International Data Transfer Agreement (IDTA), an addendum to the new EU standard contractual clauses (New EU SCCs) (Addendum) and various transitional provisions. The documents can be accessed here.

The IDTA has been created as the UK equivalent to the New EU SCCs for international data transfers. The European Commission modernised the EU SCCs on 4 June 2021. The New EU SCCs can be used by parties to incorporate standardised clauses into their contracts. These clauses are divided into different sections, for instance for data controllers and for processors. The IDTA is a standalone agreement that will apply to all transfers of personal data outside of the UK regardless of whether a party is a data controller or processor. Whilst there are a few exceptions, this includes data importers who are subject to the rules of the UK GDPR.

When the New EU SCCs were published on 4 June 2021, they didn’t apply in the UK due to Brexit. The IDTA and the Addendum have been created to replace the current SCCs used in the UK. The IDTA will take the binding effects of the European Court of Justice Schrems II[1] decision into account.

By addressing the necessary UK legal requirements, the Addendum will allow data exporters who continue to operate in the EU and UK to rely on the New EU SCCs without the need for an IDTA. The intent is to simplify the process for data exporters and will be supported by further guidance from the ICO on the risk protection steps that data exporters will need to undertake when transferring data.

The introduction of the IDTA and Addendum has been welcomed by the ICO, which has stated that “The IDTA and Addendum will also help to support the UK’s digital economy, by enabling the global flow of people’s personal data in order to deliver goods and services.”

The ICO will continue to develop the following guidance to provide help and support for businesses:

  • Clause by clause guidance to the IDTA and Addendum.
  • Guidance on how to use the IDTA.
  • Guidance on transfer risk assessments.
  • Further clarifications to the international transfers guidance.

The ICO have stated that the IDTA and the Addendum “are immediately of use to organisations transferring personal data outside of the UK”. The ICO hopes, subject to Parliamentary approval, that these changes will grant parties more confidence when entering into data transfer agreements. The ICO have confirmed that if approved, the IDTA, Addendum and transitional provisions will come into force on 21 March 2022.

[1] Previously, EU to US transfers of data were permitted under the Privacy Shield Decision. This was ruled to be invalid, and stricter requirements for data transfers based on the SCCs were expected.

A new year, a new ICO

As of 4 January, John Edwards became the new UK Information Commissioner for a five-year term. Mr. Edwards spent the past eight years as New Zealand Privacy Commissioner, and before that worked as a barrister. He succeeds Elizabeth Denham CBE.

Looking ahead to 2022, Mr Edwards will be working on the proposed reforms to the Data Protection Act and the introduction of the Online Safety Bill. He will also prioritise the protection of children online, through the Age Appropriate Design Code, which has already prompted international tech companies to make changes to better respect children’s rights online.

One little-known fact: in 1986–1987 Mr. Edwards worked as a mountaineer in the Search and Rescue Team at Mount Cook National Park. These skills may come in handy navigating the complex data protection landscape!