UK Data Protection Reform: The Data Protection and Digital Information (No.2) Bill


3 minute read | March.29.2023

On 8 March 2023, the UK Government’s Department for Science, Innovation and Technology introduced the new Data Protection and Digital Information (No.2) Bill (the “DPDI”) to the UK Parliament.

What is the DPDI?

The DPDI seeks to reform the UK’s existing data protection regime (including the UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003). Importantly, the DPDI will not replace these laws, but instead, it will amend and supplement the existing text in certain key areas.

What are the key areas of reform under the new DPDI?

The overarching objective behind the UK government’s data protection reform is to transition away from the EU’s “one size fits all” approach under the EU GDPR towards a more flexible, business friendly approach to data protection compliance (without sacrificing the protection afforded to individual data subjects).

In its announcement, the UK Government emphasised its ambition to unlock innovation, new technologies and business opportunities and to release businesses from “unnecessary red tape”. Below we have outlined some of the key proposed practical changes which are intended to give organisations greater flexibility when approaching privacy compliance.   

  • Definition of personal data: the DPDI proposes a “reasonableness” threshold when determining whether information directly or indirectly relates to an individual. Meaning that whether information that is deemed “personal data” will be determined on whether the individual is identifiable by reasonable means at the time of processing; or whether the organisation ought to reasonably know that another person could identify that individual by reasonable means at the time of processing.
  • Legitimate interests: the DPDI seeks to provide further clarification around processing situations which would be deemed necessary for an organisation’s legitimate interests. It now includes some practical examples which are more common in businesses, for example, processing that is necessary for (a) direct marketing, (b) intra-group transmission of personal data for internal administrative purposes and (c) for ensuring security of networks and systems.

  • Purpose limitation: the DPDI sets out several instances where organisations may conduct further processing of personal data that it has already collected so as to encourage innovation. The examples include scientific or historical research, archiving in the public interest and statistical purposes.

  • Definition of research: the DPDI provides clarity over the circumstances in which processing will be considered “research” and shall include (i) scientific research, whether carried out as a commercial or non-commercial activity, (ii) processing for technological development or (iii) a study on public health.

  • Data subject requests: organisations will be able to refuse data subject requests in instances where the controller deems them to be “vexatious or excessive.”

  • Record of processing activities: the DPDI proposes that a ROPA will only be required in instances where the controller carries out high-risk processing.

  • Data protection impact assessment: will be replaced with an “assessment of high-risk processing” and will only be required in instances of high-risk processing.
  • Simplifying cookie banners: the DPDI proposes to expand the instances where organisations can use cookies (or similar technologies) without the user’s prior consent, including:
    • Analytics cookies used for statistical purposes (i.e., to make improvements to the service);
    • To enhance functionality of the service;
    • To provide security updates to software;

    (Note that organisations will be required to give users the right to object to the above use cases, but they will no longer be required to obtain prior consent)

    • In emergency situations, where the geographical position of the user is to be obtained for emergency assistance.

  • Strictly Necessary Exemption: the DPDI also outlines additional examples of when cookies could be considered strictly necessary, such as:
    • Protection of information provided in connection with the service requested;
    • To ensure security of the user’s device;
    • To detect fraud;
    • To prevent or detect technical faults;
    • To authenticate the identity of a user; or
    • Maintain a record of user selections on the service.

What happens next?

In the next few weeks, the DPDI will progress to the second reading stage in the UK Parliament. It will be examined in further detail by Parliament and relevant subject experts and may undergo further changes.