UK government introduces new Data Protection and Digital Information Bill

March 9, 2023

The UK government has introduced a new Data Protection and Digital Information Bill to parliament. This follows its initial introduction last summer. Last year’s Bill has been withdrawn and a new one introduced.

According to the government, the Bill aims to:

  • Introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement – taking the best elements of the GDPR and providing businesses with more flexibility about how they comply with the new data laws;
  • Ensure that the new regime maintains data adequacy with the EU, and wider international confidence in the UK’s data protection standards;
  • Reduce the amount of paperwork organisations need to complete to demonstrate compliance;
  • Support international trade without creating extra costs for businesses if they already comply with current data regulation;
  • Provide organisations with confidence about when they can process personal data without consent; and
  • Increase public and business confidence in AI technologies by clarifying the circumstances when robust safeguards apply to automated decision-making.

As well as these aims, the Bill will increase fines for nuisance calls and texts to be either up to four per cent of global turnover or £17.5 million, whichever is greater, and aims to reduce the number of consent pop-ups people will see online (like cookie walls).

The Bill will also establish a framework for the use of trusted and secure digital verification services, which allow people to prove their identity digitally.

The government also says that the Bill will strengthen the Information Commissioner’s Office through the creation of a statutory board with a chair and chief executive, so “it can remain a world-leading, independent data regulator and better support organisations to comply with data regulation”.

What else does the Bill do?

The government argues that current data laws are unclear about how scientists can process personal data for research purposes. It wants the Bill to update the definition of scientific research to clarify that commercial organisations will benefit from the same freedoms as academics to carry out innovative scientific research, such as making it easier to reuse data for research purposes. It says that this will reduce costs and encourage more scientific research in the commercial sector. The definition of scientific research in the new Bill is non-exhaustive, in that it remains any processing that “could reasonably be described as scientific” and could include activities such as innovative research into technological development.

The Bill will remove some EU GDPR requirements and will require only organisations whose processing activities are likely to pose high risks to individual’s rights and freedoms keep processing records. This could include, for example, where organisations are processing large volumes of sensitive data about people’s health.

The new rules also aim to provide more clarity about when organisations can process personal data without needing consent or when weighing up their own interests in processing the data against an individual’s rights for certain public interest activities. This could include circumstances where there is a public interest in sharing personal data to prevent crime, safeguard national security or protect vulnerable individuals.

Innovative technologies like AI and Quantum computing have the potential to create widespread benefits, such as improving the delivery of healthcare services and reducing the risk of fraud. These technologies often rely on automated decision making, where significant decisions are made about people with no human involvement, or profiling, where an automated process analyses or predicts aspects about a person, such as their abilities or behaviours. The government wants organisations to be able to use automated decision-making with more confidence, and the right safeguards are put in place for people about whom those decisions are taken. This means people will be made aware when such decisions are made and can challenge and seek human review when those decisions may be inaccurate or harmful.

The Bill clarifies that profiling is subject to the same safeguards for automated decision-making when a significant decision is taken about a person with no meaningful human involvement. As an example, if a person is denied a job or a loan because an automated decision has been taken without meaningful human impact, they can challenge that decision and request a human to review the outcome instead.

The reforms introduced by the Bill aim to ensure that businesses, AI developers and individuals will have greater clarity about when safeguards for solely automated decision-making must apply. These measures aim to maintain the UK’s data protection standards and help provide more transparency and accountability for decisions made by computer algorithms.

The government says that it is committed to maintaining high data protection standards and continuing the free flow of personal data between like-minded countries, which power services such as GPS navigations, smart home technology and content streaming services.

The updated Bill also provides that businesses can continue to use their existing international data transfer mechanisms to share personal data overseas if they already comply with UK data laws.