A new Data Protection and Digital Information Bill (the Bill) proposes
to substantially modify the UK's prevailing privacy framework, which
is derived from EU law. Amongst other reforms, it promises to soften
the regulations and to overhaul the UK Information
Commissioner's Office (ICO).
Since the EU-UK Transition Period ended on 31 December
2020, the UK Government has made clear its intention to
reform the UK's data protection framework. The Bill
purports to maintain a high standard of protection for
people's privacy and personal data while pledging to deliver
around £1 billion in savings for businesses.
The Queen's Speech of May 2022 officially announced upcoming
legislation to ease the current burdens of complying with the
UK GDPR and the Data Protection Act 2018 (DPA 2018). Among other
updates, this new legislation seeks to harmonise and clarify the
different lawful grounds on which private companies can process
personal data at the request of public bodies and remove
unnecessary regulatory hurdles in order to allow an adequate
delivery of public services.
Following the conclusion of DCMS’ consultation, the Bill was
formally laid before Parliament on 18 July 2022.
The Bill outlines a more flexible approach to data protection
compliance by introducing an array of measures concerning personal
data and digital information as well as streamlining the
requirements the current legislation places on organisations to
demonstrate how they are complying with the regulations.
Current Data Protection Regulatory Framework in the UK
The EU’s General Data Protection Regulation (EU GDPR) was
incorporated into UK law at the end of the EU-UK Transition Period
under section 3 of the European Union (Withdrawal) Act 2018 (EUWA
2018) and modified by the Data Protection, Privacy and Electronic
Communication (Amendments etc) (EU Exit) Regulations 2019 under the
power in section 8 EUWA 2018 to create the UK GDPR.
The UK GDPR came into force on 1 January 2021
and covers the key principles, rights and obligations for most
personal data processing activities in the UK, with the exception
of law enforcement and intelligence agencies. It is based on the
GDPR which applied in the UK from 25 May 2018 to 31
The GDPR, together with the DPA 2018, replaced the Data
Protection Directive (95/46/EC) and its UK implementing legislation
with effect from 25 May 2018.
The 2019 Brexit Regulations introduced a number of changes so that
the retained EU law version works in a UK setting from 1
January 2021. The DPA 2018 sits alongside and supplements
the UK GDPR.
The UK’s data protection framework therefore consists of
three regulatory regimes:
- general processing of personal data – governed by the UK
GDPR as supplemented by Part 2 of the Data Protection Act;
- processing by ‘competent authorities’ (as defined in
section 30 & schedule 7 DPA 2018) for law enforcement purposes
– governed by Part 3 DPA 2018, which implemented EU Directive
2016/680 (the EU Law Enforcement Directive) into UK law; and
- processing by the UK intelligence services – governed by
Part 4 DPA 2018.
The Privacy and Electronic Communications (EC Directive)
Regulations 2003 (PECR) transposed Directive 2002/58/EC. Certain
types of processing activity are specifically regulated in the
PECR, such as the collection of personal data through cookies and
direct marketing, and these overlap with the general rules for
processing in the UK GDPR. The Bill introduces a number of
amendments to these existing sources of data protection law.
The main amendments introduced by the six Parts of the Bill are:
- Part 1 seeks to clarify ambiguities found in
the UK GDPR and provides the ICO with additional enforcement
- Part 2 outlines the provision of digital
verification services (see section below for further details).
- Part 3 addresses the use of customer data and
business data and provides powers to create 'smart data'
schemes, which allow the secure transfer of customer data, at the
customer's request, to authorised third-party providers.
- Part 4 includes stipulations around digital
information including variations to the Privacy and Electronic
Communications (EC Directive) Regulations 2003 (PECR), for instance
amendments to the rules on cookies, unsolicited direct marketing
(including a duty on a public electronic communications service
provider to notify the ICO of unlawful direct marketing) and
communications security (e.g., network traffic and location
- Part 5 creates a statutory organisation, with
a new governance structure, to replace the Office of the ICO. It
also updates the scope of the police National DNA Database Board
and provides the Secretary of State with a power to change the
scope of the Board.
- Part 6 introduces the power to make
consequential revisions, financial provision, and
The rules on international transfers and cross-border personal
data flows are also refined in the Bill. This is intended to simplify
international commerce by providing a comprehensible and more
balanced framework for international data transfers. The new scheme
seeks to maintain high levels of protection when personal data is
exported outside the UK, and the data protection criteria will
focus on the protection afforded to data subjects, regardless of
The Bill similarly amends the threshold at which organisations
can refuse to respond to a subject access request, lowering it to
where a request is deemed to be 'vexatious or excessive'. This
threshold allows requests made without a genuine intention of
accessing personal information to be refused, or charged for, more
easily than under the existing threshold of 'manifestly unfounded or
Digital Identity Verification Services
There are currently no specific regulations governing how
businesses provide digital identity verification services in
the UK. The digital identity provisions in this Bill therefore seek
to foster trust in, and acceptance of, digital identities across the
UK: to simplify identity proofing, reduce costs, make the process
more secure and enable a thriving digital identity marketplace in the
UK for those who use these technologies to prove things about
themselves, for example when opening an online bank account.
To do this, the Bill establishes a regulatory framework for the
provision of digital identity verification services in the UK and
allows public authorities to disclose personal data to trusted
digital identity providers for the purpose of identity and