On March 8, 2023, the UK Secretary of State for Science, Innovation and Technology, Michelle Donelan, introduced the Data Protection and Digital Information (No. 2) Bill to the UK Parliament. The first version of the reform bill was originally proposed by the UK government in July 2022, but was put on pause during September 2022.
According to the UK government's press release, the Bill will “introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement – taking the best elements of GDPR and providing businesses with more flexibility about how they comply with the new data laws”. It further notes that the Bill will “ensure…[the] new regime maintains data adequacy with the EU”, a point which has been questioned since it was originally announced that the UK would reform its data protection laws.
Initial key takeaways from the Bill are:
- A list of activities which could be considered a legitimate interest of a controller has been introduced. The list is non-exhaustive and includes direct marketing, intra-group transmission of personal data and ensuring the security of network and information systems.
- Records of processing are only required for organizations that carry out processing activities likely to result in “high risk to the rights and freedoms of data subjects.”
- Fines for nuisance calls and texts are increased to up to either 4% of global turnover or 17.5 million GBP, whichever is greater.
- A framework for the use of digital verification services has been included.
- Transfer mechanisms lawfully entered into before the Bill takes effect will continue to be valid under the new regime.