
New Data Protection And Digital Information Bill Sent To UK Parliament – Privacy Protection

A new Data Protection and Digital Information Bill (the Bill) in
the UK is proposed to substantially modify the prevailing privacy
framework derived from EU law. Amongst other reforms, it vows to
soften the regulations and overhaul the UK Information
Commissioner’s Office (ICO).


Since the EU-UK Transition Period ended on 31 December, the UK
Government has made clear its intention to renovate the UK’s
data protection framework. The Bill purports to maintain a high
standard of protection for people’s privacy and personal data
while pledging to deliver around £1 billion in savings for
businesses.

The Queen’s Speech of May 2022 officially announced upcoming
legislation to alleviate the current barriers of complying with the
UK GDPR and Data Protection Act 2018 (DPA 2018). Among other
updates, this new legislation seeks to harmonise and clarify the
different lawful grounds on which private companies can process
personal data at the request of public bodies and remove
unnecessary regulatory hurdles in order to allow an adequate
delivery of public services.

Following the conclusion of DCMS’ consultation, the Bill was
formally laid before Parliament on 18 July 2022.
The Bill outlines a more flexible approach to data protection
compliance by introducing an array of measures concerning personal
data and digital information as well as streamlining the
requirements the current legislation places on organisations to
demonstrate how they are complying with the regulations.

Current Data Protection Regulatory Framework in the UK

The EU’s General Data Protection Regulation (EU GDPR) was
incorporated into UK law at the end of the EU-UK Transition Period
under section 3 of the European Union (Withdrawal) Act 2018 (EUWA
2018) and modified by the Data Protection, Privacy and Electronic
Communication (Amendments etc) (EU Exit) Regulations 2019 under the
power in section 8 EUWA 2018 to create the UK GDPR.

The UK GDPR came into force on 1 January 2021
and covers the key principles, rights and obligations for most
personal data processing activities in the UK, with the exception
of law enforcement and intelligence agencies. It is based on the
GDPR which applied in the UK from 25 May 2018 to 31
December 2020.

The GDPR, together with the DPA 2018, replaced the Data
Protection Directive (95/46/EC) and its UK implementing legislation
with effect from 25 May 2018.

The Brexit Regulations introduced a number of changes so that
the retained EU law version works in a UK setting from 1 January
2021. The DPA 2018 sits alongside and supplements the UK GDPR.

The UK’s data protection framework therefore consists of
three regulatory regimes:

  • general processing of personal data – governed by the UK
    GDPR as supplemented by Part 2 of the Data Protection Act

  • processing by ‘competent authorities’ (as defined in
    section 30 & schedule 7 DPA 2018) for law enforcement purposes
    – governed by Part 3 DPA 2018, which implemented EU Directive
    2016/680 (the EU Law Enforcement Directive) into UK law; and

  • processing by the UK intelligence services – governed by
    Part 4 DPA 2018.

The Privacy and Electronic Communications (EC Directive)
Regulations 2003 (PECR) transposed Directive 2022/58/EC. Certain
types of processing activities are specifically regulated in the
PECR, such as the collection of personal data through cookies and
direct marketing, which overlap the general rules for processing in
the UK GDPR. The Bill introduces a number of amendments to these
existing sources of data protection law.

Proposed Reforms

The main amendments introduced by the six Parts of the Bill

  • Part 1 seeks to clarify ambiguities found in
    the UK GDPR and provides the ICO with additional enforcement

  • Part 2 outlines the provision of digital
    verification services (see section below for further details).

  • Part 3 addresses the use of customer data and
    business data and provides powers to create ‘smart data’
    schemes which allow the secure sharing of customer data, upon
    the customer’s request, with authorised third-party providers.

  • Part 4 includes stipulations around digital
    information including variations to the Privacy and Electronic
    Communications (EC Directive) Regulations 2003 (PECR), for instance
    amendments to the rules on cookies, unsolicited direct marketing
    (including a duty on a public electronic communications service
    provider to notify the ICO of unlawful direct marketing) and
    communications security (e.g., network traffic and location

  • Part 5 creates a statutory organisation, with
    a new governance structure, to replace the Office of the ICO. It
    also updates the scope of the police National DNA Database Board
    and provides the Secretary of State with a power to change the
    scope of the Board.

  • Part 6 introduces the power to make
    consequential revisions, financial provision, and

The rules on international transfers and cross-border personal
data flows are also refined in the Bill. This intends to simplify
international commerce by providing a comprehensible and more
balanced framework for international data transfers. The new scheme
seeks to maintain high levels of protection when personal data is
exported outside the UK, and the data protection criteria will
focus on the protection afforded to data subjects, regardless of

The Bill similarly amends the threshold at which organisations
can refuse to respond to a subject access request, to where a
request is deemed to be ‘vexatious or excessive’. This
threshold allows requests made without the intention of accessing
personal information to be more easily refused or charged for than
the existing threshold of ‘manifestly unfounded or

Digital Identity Verification Services

As there are currently no specific regulations addressing how
businesses provide digital identity verification services in
the UK, the digital identity provisions in this Bill seek to foster
trust in and acceptance of digital identities across the UK to
simplify identity proofing, reduce costs, make it more secure and
to enable a booming digital identity marketplace in the UK for
those that use these technologies to prove things about themselves,
for example when opening an online bank account.

To do this, the Bill establishes a regulatory framework for the
provision of digital identity verification services in the UK and
allows public authorities to disclose personal data to trusted
digital identity providers for the purpose of identity and
eligibility verification.

The Data Protection and Digital Information Bill can be found here and the UK Parliament Legislation Tracker
can be accessed here.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

