This briefing note was co-authored by Weronika Dorociak, UK Government Relations Advisor, London.
Data Protection and Digital Information Bill
16 March 2023
The Data Protection and Digital Information (No.2) Bill aims to reform the existing UK data protection regime following Brexit, namely the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who’s affected
The Bill will impact individuals in addition to private and public sector organisations.
A more flexible and less burdensome regime will be welcomed by businesses operating in the UK, especially SMEs and those operating in the public sector. It may also entice organisations to bring more business to the UK and encourage innovation. On the other hand, if the proposals are considered to diverge too far from the EU’s data protection regime, the UK’s adequacy status could be at risk.
Purpose of the Bill
The main purpose of the Bill is to create a new pro-growth and pro-innovation data protection framework that reduces burdens on organisations and boosts the economy. The proposed regime also aims to ensure that data can be used to empower citizens and improve their lives via more effective delivery of public healthcare, security, and government services.
Key measures of the Bill
These aim to:
- Give organisations greater confidence about the circumstances in which they can process personal data without consent.
- Simplify the rules around the use of personal data for scientific research and technological development. The Bill will help cement the UK’s position as a science and technology superpower, as well as increase public and business confidence in AI.
- Create a clear and more stable regime for international data transfers, with the aim of facilitating trade, enhancing the work of law enforcement and national security agencies, supporting innovation and helping people stay connected across borders.
- Increase industry participation in Smart Data Schemes, which will give citizens and small businesses more control of their data. The Bill will also help those who need health-related treatments by helping improve appropriate access to data in health and social care contexts.
- Amend the requirement for controllers to keep data processing logs, unless there is a high risk to individuals. This applies to, for instance, medical records.
- Create grounds for organisations to reject ‘vexatious or excessive’ requests or charge a reasonable fee for such requests.
- Require public electronic communication service and network providers to report unlawful direct marketing activity and establish a monetary penalty for non-compliance.
- Replace the Information Commissioner’s Office (ICO) with the Information Commission and enable the regulator to take stronger action against organisations who breach data rules.
- Reduce the amount of paperwork that organisations need to complete to demonstrate compliance and lower compliance costs.
Timeline
The Data Protection and Digital Information Bill was announced in the Queen’s Speech 2022 and first introduced to the House of Commons on 18 July 2022. However, it was subsequently shelved due to the change of leadership in the Conservative Party that occurred on 5 September 2022.
A revised draft (Data Protection and Digital Information (No.2) Bill) was introduced to parliament on 8 March 2023.
Update – 8 March 2023 – Publication of the Data Protection and Digital Information (No.2) Bill
The No.2 Bill follows on from and supersedes the original Data Protection and Digital Information Bill that was introduced by the UK Government in July 2022. The original Bill was withdrawn on 8 March 2023 and the No.2 Bill was presented on the same day.
Update – 3 March 2023 – Data Protection and Digital Information Bill to return to Parliament next week
It has been reported this week that the Data Protection and Digital Information Bill will not return in this Parliamentary session. Michelle Donelan, Secretary of State for Science, Innovation and Technology, later announced that the Bill would be returning to Parliament next week.
Update – 16 February 2023 – New department to lead on the Data Protection and Digital Information Bill
Last week, Prime Minister Rishi Sunak unveiled a new Department for Science, Innovation and Technology and appointed Michelle Donelan as science secretary. It has now been confirmed that the Data Protection and Digital Information Bill will sit under the newly created department.
Update - 21 November 2022 - Data Protection and Digital Information Bill delayed until further notice
The second reading of the Data Protection and Digital Information Bill (the Bill) in the House of Commons was delayed following Liz Truss’s appointment as Prime Minister in September 2022. The new UK Government is yet to confirm its position on the data protection legislation, but it is likely that the Bill will return to parliament under Rishi Sunak’s premiership.
Update - 17 August 2022 - Announcement of the Data Protection and Digital Information Bill
The Data Protection and Digital Information Bill aims to reform the existing UK data protection regime following Brexit, namely the General Data Protection Regulation (GDPR). The Bill’s announcement in the Queen’s Speech follows the UK Government's consultation entitled ‘Data: a new direction’, which was published in September 2021.
The Bill will impact individuals in addition to private and public sector organisations.
A more flexible and less burdensome regime will be welcomed by businesses operating in the UK, especially SMEs and those operating in the public sector. The new legislation may even entice organisations to bring more business to the UK. On the other hand, if the proposals are considered to diverge too far from the EU’s data regime, the UK’s adequacy status could be at risk.
The 'Queen's speech 2022: background briefing notes' outlines that the purpose of the Bill is to:
- Take advantage of the “benefits of Brexit” to generate a trusted, world-class data rights regime.
- Create a new pro-growth data protection framework that reduces burdens on businesses and boosts the economy.
- Modernise the Information Commissioner’s Office (ICO) to take stronger action against organisations who breach data rules.
The briefing notes outline that the desired outcomes of the Bill are to:
- Make sure that data can be used to empower citizens and improve their lives, via more effective delivery of public healthcare, security, and government services.
- Increase industry participation in Smart Data Schemes, which will give citizens and small businesses more control of their data. The Bill will also help those who need health care treatments, by helping improve appropriate access to data in health and social care contexts.
- Create a clearer regulatory environment for personal data use that will fuel responsible innovation.
- Simplify the rules around research to cement the UK’s position as a science and technology superpower.
The Bill was introduced to the House of Commons on 18 July 2022, in the week leading up to parliament’s summer recess. The Bill’s second reading is expected to take place on 5 September 2022.
Interestingly, neither candidate for the Conservative leadership challenge, Liz Truss nor Rishi Sunak, has discussed the Bill in much detail. However, Sunak has announced that reform of the data protection landscape will be one of his top priorities, and Truss in particular has pledged to review all EU laws retained in the UK that hinder UK growth.