The U.K. released a draft data protection reform of its General Data Protection Regulation. On Wednesday, U.K. Secretary of State for Science, Innovation and Technology Michelle Donelan introduced the Data Protection and Digital Information (No. 2) Bill to Parliament.
The first version of the reform bill was originally proposed by the government in July 2022 but was put on pause last September in the wake of Liz Truss's appointment as prime minister.
"Co-designed with business from the start," Donelan said, "this new bill ensures that a vitally important data protection regime is tailored to the U.K.'s own needs and our customs."
Donelan will be a featured keynote speaker Thursday at the IAPP Data Protection Intensive: U.K. here in London.
"Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR," she said. "Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy."
In line with last summer's draft bill, the new proposal will increase fines for nuisance calls and texts up to either 4% of global turnover or 17.5 million GBP, whichever is greater. Additionally, the bill would reduce the number of consent pop-ups on websites, the government stated in a press release.
The reform bill will also reorganize the Information Commissioner's Office to include a statutory board with a chair and chief executive.
ICO Commissioner John Edwards said, "The Bill will ensure my office can continue to operate as a trusted, fair and independent regulator. We look forward to continuing to work constructively with the Government to monitor how these reforms are expressed in the Bill as it continues its journey through Parliament."
Notably, the bill would require businesses to keep records of processing only when the processing involves high-risk data, such as someone's health data. It would also clarify that profiling is subject to the same set of rules as automated decision-making when a "significant decision is taken about a person with no meaningful human involvement."
Regarding international data flows, the bill will use existing transfer mechanisms "if they are already compliant with current U.K. data laws," the release states.
During a panel session Wednesday afternoon, IAPP Research and Insights Director Joe Jones, who previously worked for the U.K. government in this space, said, "If you're compliant with the EU GDPR, you'll be compliant with the U.K."
Jones also wrote about the top 10 takeaways from the new reform bill.
U.K. Department for Science, Innovation and Technology Data Policy Director James Snook said there was a lot of consultation from a wide range of stakeholders. "It was really helpful to get insight from organizations," he said, which "gave politicians and policy makers key awareness to what was important to organizations."
Snook also said there "is a lot of similarities" to last year's reform bill, which "isn't surprising because the initial bill flowed from formal consultations as well." After a second "intense consultative effort," stakeholders "identified areas where we could go further" while retaining EU adequacy but adding more legal clarity.
"For the most part," Snook said, "this is not a new regime but, hopefully, provides opportunities for organizations to be more flexible and have more clear rules in the U.K." He also pointed out the reforms would eliminate burdens for small and medium-sized businesses.
ICO Deputy Commissioner Emily Keaney said the ICO "worked closely with its DSIT colleagues as they've been going through the process. Our role has been to provide advice and input." She said they've also offered their technical experience and shared insight from their engagement with organizations regarding what businesses have found complicated and what could be more clear. Keaney also noted they provided input from the public regarding what bothers them.
Prior to the bill's official release Wednesday, Liberal Democrat House of Lords Spokesperson for Science, Innovation and Technology Tim Clement-Jones said during a keynote panel that he is a "fan" of the current U.K. data protection regime "and not wholly on board with tinkering with it," though he said clarity "on certain things," such as legitimate interests and research, makes sense.
Looking ahead to what is next for the bill, Snook said a second reading will take place in a "handful of weeks." It will then head to legislative committees for review.