New UK Data Protection and Digital Information Bill Set to Streamline Compliance and Boost Business
In a recent announcement, the UK Secretary of State for Science for Innovation and Technology revealed plans for the upcoming Data Protection and Digital Information (No.2) Bill. This new version of the bill, expected to supersede the previous draft, aims to maintain the fundamental principles of the existing UK GDPR while creating a more business-friendly regulatory environment.
One notable feature of the proposed bill is the reduced record-keeping requirement for controllers processing personal data. Unless the processing poses a high risk to individuals’ rights and freedoms, controllers would no longer be obligated to maintain extensive records. This change aims to alleviate administrative burdens on businesses without compromising data protection standards.
Additionally, the new bill would remove the UK representative requirement outlined in Article 27 of the existing UK GDPR. This requirement, which mandates controllers or processors not based in the UK to appoint a representative physically located in the country, would no longer apply. This alteration aims to simplify compliance procedures for international companies operating in the UK.
The concept of “legitimate interest” in data processing is also clarified in the proposed bill. It explicitly includes processing for direct marketing purposes, intra-group transmission of personal data, and ensuring network or information system security. The bill’s explanatory notes underline that these examples are non-exhaustive, and data controllers may engage in other legitimate activities as long as they are necessary and consider the rights and interests of data subjects. However, the bill emphasizes that data subjects’ interests and fundamental rights should always be protected, particularly when the data subject is a child.
Furthermore, the bill addresses international data transfer standards. It allows for data transfers to third countries or international organizations if the level of data protection in those jurisdictions is not materially lower than the standard provided for data subjects in the UK. This provision aims to facilitate international data flows without compromising data security.
In a move that aligns with the current digital landscape, the bill reconsiders the requirements for cookie consent. Under the proposed legislation, consent would no longer be necessary for certain cookies used for statistical analysis, website customization, software updates, or emergency situations. However, users must still receive clear information about the purpose of cookie storage and have the ability to object to it easily.
The Data Protection and Digital Information (No.2) Bill is yet to pass its second reading in the House of Commons. While it may not introduce revolutionary changes, its potential adoption signals the UK’s willingness to explore independent paths in data protection regulations post-Brexit.
Opinion: This new bill represents a significant step towards enhancing the UK’s position as a global leader in data protection and digital innovation. By streamlining compliance requirements and reducing administrative burdens, businesses can focus on leveraging data to drive growth and innovation. While aligning with the fundamental principles of the UK GDPR, this bill demonstrates the UK’s commitment to creating a business-friendly regulatory landscape that fosters innovation and economic prosperity.