UK government reignites data protection reform
Changes to existing privacy framework proposed in updated Data Protection and Digital Information Bill
On 8 March 2023, the UK government introduced the Data
Protection and Digital Information (No.2) Bill. The bill is the result
of the significant consultation held by the government in 2021,
entitled “Data: a new direction”. It is the second version of the bill,
replacing the original published in July 2022.
While the bill proposes wholesale changes to the UK’s privacy
framework, those changes can be characterised as an evolution, not
a revolution. That said, the EU will undoubtedly be keeping a close
eye on its progress insofar as the UK’s adequacy status and the free
flow of personal data between the EU and the UK are concerned.
The bill aims to reduce the administrative burden on businesses,
promote innovation and reform the Information Commissioner’s
Office (ICO). It spans 205 pages, and mostly reflects what was
proposed in the government’s response to the consultation (about
which, see our Insight), and what was covered in the original
version.
However, there are some important changes introduced by the bill
that businesses will need to consider should it come into effect as
proposed, discussed below. Businesses should also be aware that
the bill includes changes to the definition of personal data.
Records of processing
Businesses (whether controllers or processors) will only need to
keep records of processing where a processing activity is likely to
result in a high risk to the rights and freedoms of individuals,
regardless of the size of their business (including the number of
employees the business has).
In practice, the requirement to create and maintain records of
processing under the General Data Protection Regulation (GDPR)
has become something of an administrative burden for many
businesses, so this proposed change may well save some businesses
time and costs.
Removal of Data Protection Officers
Businesses will no longer need to appoint a Data Protection Officer
(DPO); instead, if they carry out high risk processing (or are a
public authority), they will be required to designate a “senior
responsible individual” who will be accountable for data protection
compliance.
While the day-to-day obligations of this role will not change
dramatically, the individual must now be part of the business’s
senior management, as opposed to the current position, where the
DPO reports to senior management but has to be independent of it.
This flexibility is likely to be welcome news to businesses.
Removal of DPIAs
Businesses will no longer need to conduct data protection impact
assessments (DPIAs). Instead, they will need to implement an
“assessment of high risk processing”.
This change aims to streamline data protection records by focusing
a business’s attention on how it operates, and introducing
appropriate measures depending on the type of data it processes:
for example, the bill removes the list of activities deemed to be
high risk which was in the GDPR.
It remains to be seen whether this will amount to little more than a
change of name in practice.
Removal of need for a UK representative
Data controllers that are not established in the UK no longer need
to appoint a data protection representative within the UK.
Data subject access requests
The bill changes the test for refusing and charging for data subject
access requests. If enacted, the “manifestly unfounded and
excessive” test would be replaced by a “vexatious and excessive”
test.
The government proposes that the adoption of this new test will
allow businesses greater autonomy in refusing requests when the
system is clearly being abused, although the devil will be in the
detail as to how the ICO interprets the new test. (For more on
this, see our Insight.)
Expanding use of cookies without consent
Currently, only “strictly necessary” cookies may be used without
consent. The bill expands the categories of cookies that do not need
consent to be dropped, including cookies collecting data for
purposes such as statistical analysis and improvement of service or
website use; however, users would still need to be given
comprehensive information, and an opportunity to opt out.
Legitimate interests
In its operative provisions, the bill now includes examples of the
types of processing that may be considered necessary for the
purposes of a legitimate interest. These include processing for
direct marketing purposes, intra-group transmission of personal
data for internal administration purposes, and processing which is
necessary to ensure the security of network and information
systems.
However, these are only examples and, unlike the new concept of
“recognised legitimate interests” (below), a controller will still be
required to ensure its interests are not outweighed by the data
subject’s rights and interests.
‘Recognised legitimate interests’
The bill introduces a limited number of “recognised legitimate
interests”. This means that, provided a business can demonstrate
that processing is “necessary” for one of the recognised legitimate
interests, that business will no longer be required to balance its
legitimate interest against the data subject’s interests, rights and
freedoms.
Currently, the list of recognised legitimate interests is limited to
areas including processing necessary in the public interest; national
security, public security and defence; emergencies; safeguarding
vulnerable individuals; and democratic engagement. The bill
enables the Secretary of State to add new categories.
Changes to international transfers
A risk-based approach to the international transfer of personal data
is introduced, meaning that organisations would be able to assess
the data protection risks involved in using mechanisms such as the
ICO’s international data transfer agreement (IDTA) or Addendum
for those transfers, and then decide on appropriate mitigation
measures.
The bill also confirms that data transfer mechanisms lawfully
entered into before it comes into force will continue to be valid
afterwards.
Using the same risk-based approach, the Department for Science,
Innovation & Technology would be able to make future UK
adequacy decisions; however, this approach is different to that
required for adequacy decisions under the GDPR. The requirement
under the bill is a “not materially lower” standard of protection in
the recipient country, whereas under the GDPR it is an adequate
level of protection, interpreted as “essentially equivalent”.
Automated decision-making
The bill reframes the provisions on automated decision-making to
be a requirement for safeguards to be in place, rather than a
prohibition with exceptions. More stringent provisions apply where
an automated decision is based entirely or partly on special
categories of personal data.
The Secretary of State may also make secondary regulations
providing for cases where there is, or is not, to be taken to be
meaningful human involvement in decision-making (meaningful
human involvement being required to prevent processing from
constituting automated decision-making).
Scientific research
The existing exceptions which apply for processing for the
purposes of scientific research have been amended to make clear
that they cover any research that can reasonably be described as
scientific, whether publicly or privately funded, and whether
carried out as a commercial or non-commercial activity.
ICO restructure and new identity
The ICO’s name will change to the Information Commission. The
Information Commission will act as an independent body
corporate, with new reporting obligations to the government.
The Secretary of State will have greater oversight over the
Information Commission, which means the government has the
potential to influence guidance and codes of conduct.
Changes to PECR
The bill increases the maximum amount of fines under The Privacy
and Electronic Communications (EC Directive) Regulations 2003
(PECR) to be brought in line with the UK GDPR and Data
Protection Act 2018, enabling the ICO to issue fines of up to £17.5
million or 4% of a business’s global turnover for breaches of certain
regulations under PECR, and up to £8.7 million or 2% of a
business’s global turnover for other breaches of PECR.
Providers of public electronic communications services will have
an obligation to notify the ICO if they have reasonable grounds for
suspecting that their users have contravened the direct marketing
rules.
Osborne Clarke comment
The changes introduced by the bill to the UK’s privacy framework
are not unexpected, given they mostly reflect the government’s
response to its consultation. The second iteration of the bill makes
relatively few substantive changes to the first version, though there
are some useful changes, including on record keeping and
international transfers and on scientific research.
Osborne Clarke – Emma Shields, Tamara Quinn, Emily Tombs, Georgina Graham, Mark Taylor and Catherine Hammon
The bill represents a small step away from the EU GDPR, rather
than the giant leap that might be preferred by some businesses,
perhaps in part because the UK government will be mindful of the
risks involved in diverging too far from the EU GDPR, given that
the EU-UK adequacy decision is scheduled for review in 2024.
The benefits of the free flow of data between the UK and the EEA
for many UK businesses are likely to be favoured over the current
administrative burdens of compliance using alternative mechanisms
such as standard contractual clauses and the IDTA, especially for
global businesses well acquainted with the requirements of the
GDPR.
The bill is now awaiting a second reading, which is expected to
happen in a matter of weeks. If it has not received Royal Assent by
the end of the current parliamentary session in October, it will fall
unless it is formally carried over into the next parliamentary session
(which cannot be assumed, but is not unusual for significant
legislation).