Skip to content

UK Data Protection and Digital Information Bill introduced into Parliament

Browse this blog post

Another important milestone for UK data protection reform was reached this week with the proposed legislative change revealed in the Data Protection and Digital Information Bill.
The Bill was introduced on 18 July, just ahead of the Parliamentary recess.  Second reading will now take place in the autumn.  Some commentators had speculated whether the Bill would appear given the political uncertainty in Westminster and the pledge by Boris Johnson not to introduce any significant new policies until a new Prime Minister (and newly appointed Ministers and Cabinet) are in place.  In the end, the Bill was not regarded as new policy given the previous announcements and data protection practitioners now have the welcome opportunity to digest the detail over the summer.  This will also include the extensive explanatory notes and impact assessment as well as the Bill itself. 

I previously trailed the reforms in my earlier blog for the A&O Digital Hub back in June - The UK and global data protection landscape – seeing the bigger picture and navigating the maze.   Since that blog, on 17 June the Government issued its response to the 2021 consultation - Data: a New Direction.   This has also set out the underlying policy position and rationale for the changes and why certain proposals have not been taken forward. 

General view

Although these changes to UK data protection law are large in number, the changes can be characterised as evolution rather than revolution. Whilst there are some changes as to how certain rights and principles work, the core framework from the UK GDPR has been retained.  The Department for Digital, Culture Media and Sport (DCMS) has also indicated that it has briefed and updated the European Commission about the reforms, seeking to provide reassurance that retaining EU adequacy is still an important outcome.  The accompanying impact assessment recognises the ongoing importance of maintaining adequacy and the free flow of data from the EU to the UK.
Whilst the Bill can be characterised as evolution, there are still many changes businesses will need to consider ahead of the new provisions coming into effect.  Multi-national businesses will welcome the additional flexibility and support for innovation but will also want the new UK requirements on accountability to be interoperable with their global data protection governance based on EU GDPR. Businesses may also want to consider what impact certain changes will have in practice – for example the change to allow a test of vexatious data subject access requests is cited as a burden reducing measure, but businesses will need to consider how much difference this will make in their own context. 

There will also be an important debate in Parliament on how these changes impact on the protections provided to the public and whether the reforms continue to maintain a high standard of data protection in the UK.  There will also be significant debate about the Bill’s provisions that allow the Secretary of State to make further provisions by regulations, which would be subject to less scrutiny than future primary legislation. 

There are too many provisions in the Bill to summarise in full here but this blog highlights key changes that businesses should start to consider.

The key areas of reform

  1. Reducing barriers to responsible innovation

    Automated decision making - The most significant reform under this banner is the change to Article 22 of the UK GDPR, on automated decision making.  This has been an important area of discussion – businesses see significant opportunities to improve the delivery of services and products through AI and algorithms, and there are risks from discrimination, bias and other harms from their deployment.  The Bill removes some aspects of Article 22, and simplifies and clarifies other existing provisions. 

    The general prohibition has now been removed and instead there are conditions to be met for decisions involving special category data.  The prohibition is then replaced with a series of safeguards that must be in place. The measures include conditions such as enabling the data subject to make representations and obtain human intervention about automated decisions. 

    Research - Other changes to support innovation and research have also been introduced.  These include clarifying the definition of research, clarifying the test for anonymisation and allowing for a broader approach to consent and research.  The changes will also allow for the “disproportionate effort” provision already in UK GDPR to be used when directly collecting personal data for research purposes. 

    Legitimate interest - There are also important changes as to how the legitimate interest can be applied, removing the need for a balancing test in certain circumstances, though the necessity test remains.  This is currently limited to a narrow list in the Bill, as concerns were raised during consultation.  This includes areas such as child safeguarding.  Provisions would allow the Secretary of State to add more categories. As it stands, this will mainly be of interest to the public sector.

  2. Reducing burdens on businesses and delivering better outcomes for people

    Accountability - Another key headline for businesses is around the reform to accountability requirements.  The Bill removes the requirements for data protection impact assessments, mandatory data protection officers and records of processing.  The new accountability regime that replaces these provisions creates new requirements around assessment of high risk processing, assigning senior responsibility within organisations and streamlined record keeping.  These new provisions have greater flexibility; allowing businesses to make decisions on how to apply accountability related to scale and risk of their own operation. 

    Data subject rights - The other key area to consider is the change of test for refusing and charging for data subject requests, including access. The ‘manifestly unfounded and excessive’ test in UK GDPR is now replaced by ‘vexatious and excessive’. The concept of vexatious requests is well established in UK law, including the Freedom of Information Act.  The intention is to give controllers greater confidence in refusing requests that genuinely abuse the rights provided, particularly access.  This could include when requests are made related to employment disputes.  The Bill also helpfully includes non-exhaustive criteria to determine whether a request is vexatious or excessive.  The Bill also provides further clarification of when time periods for compliance with a request can be extended. 

    Cookies - There are also amendments to the Privacy and Electronic Communications Regulations (PECR) to remove the requirement for cookie consent when using analytics.  The Bill refers to ‘statistical purposes’ and it is subject to certain conditions such as no sharing and re-use of the data.  The new exemption also covers the use of cookies in areas such as software installation and emergency situations.  With the aim to phase out cookie banners fully in the long term, the Bill also allows the Secretary of State to make regulations on ‘Information technology to enable consent to be given, or an objection to be made, automatically’. This will allow industry to develop new standards and solutions.  It was previous attempted with the ‘do not track’ standard for web browsers and will require international engagement to be effective. 

    Representative - There is also an important change for businesses offering services to the UK from third countries - the Bill removes the requirement for representatives for controllers outside the UK.

  3. Boosting trade and reducing barriers to data flows

    The Bill introduces amendments to the international transfer provisions in Part V of UK GDPR.  The changes introduce a more proportionate and risk-based approach.  These changes seek to address some of the disproportionate impacts from the CJEU’s Schrems II judgment, whilst maintaining effective safeguards.  

    A new ‘data protection test’ is set out in relation to transfers of personal data to a third country. This moves away from the adequacy test to consider whether data protection in the third country is ‘not materially lower’ than that under the UK GDPR. The test focuses on looking at protection as a whole and allows for greater flexibility when assessing a third country eg judicial or non-judicial redress for data subjects is now considered.   Where the Secretary of State has not provided regulations (ie the UK GDPR’s equivalent of the EU GDPR adequacy decision) and a controller or processor applies safeguards to enable international transfers instead (eg contractual clauses) the focus is now on the controller or processor acting ‘reasonably and proportionately’ when considering whether the data protection test is met.

  4. Delivering better public services

    These changes of are of less interest to businesses, but contain some important reforms to better enable data sharing between public bodies under the Digital Economy Act 2015.  There are also reforms that will enable businesses providing services on behalf of public bodies to rely on the lawful basis under Article 6(1)(e) of the UK GDPR.

  5. Reform of the Information Commissioner’s Office

Structure - Modernisation of the regulator forms an important component of the reforms, to bring the ICO’s governance in line with other significant economic regulators eg Ofcom.  This means a move away from the corporation sole model - to an Information Commission, with a statutory board, chair and CEO.  

The changes place greater focus on regulatory engagement, including input into ICO guidance and codes, via panels and impact assessments for the most important outputs.

Government input - There will be greater direction from Government, intended to create a more consistent and certain approach. The Bill provides the ICO with a new principal objective and duties including the desirability of promoting innovation.   The Secretary of State may also designate a statement of strategic priorities and the ICO must have regard to it (rather than be bound to follow it). The statement must be laid in Parliament, to provide another point of accountability.  The Bill also adds a provision for Secretary of State approval for statutory ICO Codes of Practice. 

Additional powers - Under the Bill the ICO gains further powers to compel technical reports, drawing inspiration from the power the Irish Data Protection Commission already has in the Irish Data Protection Act.  A new power also allows the ICO to issue interview notices when it suspects failings.   Changes will also be introduced to bring the fine threshold under PECR (currently £500,000) in line with GDPR, to address concerns about nuisance calls and marketing. 

Complaints - The ICO’s discretion to refuse certain complaints is also enhanced, with the Bill making it clear that the ICO can refuse a complaint if the controller has not yet received one.  Controllers are given 45 days to consider a complaint first.  The Bill adds further requirements for controllers to facilitate the making of complaints. This will create a greater focus on the policies and procedures that controllers have in place and how they link to customer service. 

The ICO will of course play a vital role in supporting the new Bill with new guidance and tools.  The ICO’s new corporate strategy ICO25 was published on July 14 and is important reading alongside the reforms.

Digital Identity

It is also relevant to note that the Bill is not solely focused on data protection and contains important new legislation to enable a new digital identity framework.  This is a topic that intersects with data protection. 

These reforms have been keenly awaited by many businesses and sectors with digital business models.  The UK digital identity system has fallen behind many countries and there is a significant opportunity to refresh the UK approach – enabling a trusted and federated market, supported by Government datasets and a trust framework.  The Bill sets in place the key statutory building blocks to make this happen. 

This includes a requirement for the Secretary of State for DCMS to prepare and publish the Digital Verification Services Trust Framework, which will be the underpinning component of the new system, alongside a register and system of certification for those organisations who play a key role in applying the framework.  

Next steps


It will be important to track amendments during the Bill’s passage through Parliament – we wait to see detailed position of the opposition parties for instance. 

Timing of implementation will also be a key question. The Government will announce this later.   

There is also now a practical question of navigating between three pieces of legislation – the UK GDPR, the Data Protection Act 2018 and the new Data Protection and Digital Information Act.  Practitioners had hoped for greater consolidation to help with the navigation challenge and it will be important that DCMS and the ICO provide the relevant resources to help with this.  

Over the coming weeks and months the Data Protection team at A&O will provide further analysis on the implications in podcasts and blogs.