New UK data protection bill may lighten the burden for business

Being a data protection lawyer may sound like the world’s most boring job to some, but legislators seem determined to keep us on our toes. Not least in the UK where, five years after the European Union’s General Data Protection Regulation (GDPR) changed the data protection rulebook, the new Data Protection and Digital Information Bill is likely to change the rules yet again.

The UK government introduced the Data Protection and Digital Information (No.2) Bill on 8 March 2023 (withdrawing an earlier version that was introduced the previous year). The bill is currently at the House of Commons committee stage. If passed, the bill is unlikely to come into effect until well into 2024, with many provisions taking effect on specified dates even later.

If implemented into law in its current form, the bill will make significant changes to the UK’s existing, GDPR-based privacy regulations (the post-Brexit UK version of which is now known as the “UK GDPR”) and to the “ePrivacy rules” (which are covered by the Privacy and Electronic Communications (EC Directive) Regulations 2003, known as “PECR”). Consequently, the Bill has been the subject of debate in political, legal and business circles since it was first mooted, and it is unlikely that the discussion it has prompted will die down in the near future. 

The bill has been drafted with the aim of updating and clarifying some of the more confusing sections of the GDPR/PECR as well as making compliance easier for organisations in lower-risk situations. The bill also introduces a number of additional powers for the Information Commissioner’s Office and additional measures intended to help enforce ePrivacy rules. 

The first of these aims - simplification - seems unlikely to raise objections. Many sections of the GDPR are subject to wide interpretation, and bill’s clarifications on matters such as what constitutes personal data, when the “legitimate interests” lawful basis can apply, and on what purposes may be considered compatible with the original purpose for collecting data (and therefore allow the continued use of such data) may help users interpret the law in certain limited circumstances. However, these are merely clarifications, and unlikely to have a significant impact on current practices for most organisations.

The proposal to compel telecommunications and communication service providers to report suspected contraventions of direct marketing regulations to the Information Commissioner’s Office - i.e. to report nuisance callers - may be more controversial. Service providers must do this within 28 days if they have “any reasonable grounds” to suspect that a user is in breach of the law - effectively making such service providers police their own customers. It isn’t currently clear what would be considered to give such reasonable grounds for suspicion, but there will be a £1,000 fixed penalty for failure to report so, if this law passes, service providers will need to ensure that they have processes in place to spot and report contraventions.

However, it is the key stated aim of the bill - to lighten the load on organisations - that is currently the topic of most debate. GDPR compliance can be complicated and time consuming, particularly for smaller businesses. While many feel as if they are aligned with the “spirit of the law”, they would nonetheless welcome less documentation, more freedom to use technology to its maximum potential and an increased ability to refuse data subject access requests, which have gained a bad reputation for being “weaponised” by disgruntled staff or users with an axe to grind.

For these organisations, measures such as increased rights to refuse or charge for “excessive or vexatious” subject access requests, a reduction in the number of data protection impact assessments that may be required and, in many cases, the removal of the requirement to maintain a record of processing or have a person officially registered as a Data Protection Officer, are likely to be welcomed. 

On the other side of the argument, the Open Rights Group (ORG), a body set up to protect the rights of individuals, has consistently expressed the view that the Bill will erode user privacy rights. The ORG was recently reported as saying that the government was “choosing big business and shady technology companies over the interests of everyday people”. 

Additionally, the ORG has echoed the fears of many of us in the legal world that any relaxation of the GDPR could lead to the EU Commission not renewing the UK’s adequacy decision. Without this, data would no longer flow seamlessly from the EU to the UK. This would mean that rather than removing red tape, UK businesses with EU customers would need to jump through additional hoops to enable those customers to provide them with personal data.

In reality, if a UK organisation also promotes their goods and services within the EU, they are unlikely to see any significant benefits from relaxations in the new Bill. These businesses would still be considered “controllers” under the GDPR and would need to comply with all of the GDPR’s requirements, irrespective of any changes to laws in the UK.

So, is implementing a new UK data protection bill really worth the effort? In my view, probably not.

The GDPR isn’t perfect. But by now it is familiar and there are plenty of skilled professionals and resources available to help organisations comply. Relaxing a few rules may help a few UK businesses - but the majority won’t benefit. And I would argue that any benefit will not outweigh the risk to users’ rights, the added complexity of having yet another set of regulatory requirements to understand and comply with, and the risk that this Bill might mean the UK loses its adequacy decision. 

Alison Berryman is senior managing lawyer at Biztech Lawyers