News

On 8 March 2023, the government withdrew its previous data protection bill, which had been scheduled for a second reading, and instead published a revised new bill, the Data Protection and Digital Information (No. 2) Bill.

The proposed Bill makes a number of changes to the existing framework, including reducing the burden to keep records of data processing activities unless the activities are high risk in nature. The Bill also proposes to changes to the legal bases for processing personal data in respect of the ‘legitimate interest’ basis, by abolishing the balancing process that currently has to be carried out where the legitimate interests are on a specified ‘recognised’ list. The proposals also include reforms to the regulator, currently the ICO, requests by data subjects in respect of their rights, and removes the requirement for controllers or processors who do not have an establishment in the UK to appoint a representative in the UK.

Like its predecessor, the new Bill’s stated aim is to simplify the existing legislation on data protection and digital and electronic communications by reducing the burden of compliance on businesses. It remains to be seen whether this version of the Bill will be passed, and if so, whether its passage has any influence on the UK’s adequacy rating by the EU, which currently identifies the UK has having equivalent protection for data subjects as exists under EU law, and which therefore permits the transfer of personal data from EU countries to the UK.