Technology Secretary Michelle Donelan introduces Data Protection and Digital Information Bill today
New common-sense-led UK version of the EU’s GDPR will reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online
Strengthened data regime will save UK economy more than £4 billion over next 10 years and ensure that privacy and data protection are securely protected
New data laws to cut down pointless paperwork for businesses and reduce annoying cookie pops-up are being introduced by the government today in Parliament.
The Data Protection and Digital Information Bill was first introduced last Summer and paused in September 2022 so ministers could engage in a co-design process with business leaders and data experts – ensuring that the new regime built on the UK’s high standards for data protection and privacy, and seeks to ensure data adequacy while moving away from the ‘one-size-fits-all’ approach of European Union’s GDPR.
Data is fundamental to fuelling economic growth in all areas of society from unlocking medical breakthroughs to helping people travel, manage their finances and shop online. It is vital to the development and use of innovative technologies such as artificial intelligence.
Data-driven trade generated 85 per cent of the UK’s total service exports and contributed an estimated £259 billion for the economy in 2021.
The improved bill will:
Introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement – taking the best elements of GDPR and providing businesses with more flexibility about how they comply with the new data laws
Ensure our new regime maintains data adequacy with the EU, and wider international confidence in the UK’s comprehensive data protection standards
Further reduce the amount of paperwork organisations need to complete to demonstrate compliance
Support even more international trade without creating extra costs for businesses if they’re already compliant with current data regulation
Provide organisations with greater confidence about when they can process personal data without consent
Increase public and business confidence in AI technologies by clarifying the circumstances when robust safeguards apply to automated decision-making
Today’s data reforms are expected to unlock £4.7 billion in savings for the UK economy over the next 10 years and maintain the UK’s internationally renowned data protection standards so businesses can continue to trade freely with global partners, including the EU.
Science, Innovation and Technology Secretary Michelle Donelan said:
“Co-designed with business from the start, this new Bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs.
“Our system will be easier to understand, easier to comply with, and take advantage of the many opportunities of post-Brexit Britain. No longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR.”
“Our new laws release British businesses from unnecessary red tape to unlock new discoveries, drive forward next generation technologies, create jobs and boost our economy.”
Alongside these new changes, the Bill will increase fines for nuisance calls and texts to be either up to four per cent of global turnover or £17.5 million, whichever is greater, and aims to reduce the number of consent pop-ups people see online, which allow websites to collect data about an individual’s visit.
The Bill will also establish a framework for the use of trusted and secure digital verification services, which allow people to prove their identity digitally if they choose to do so. The measures will allow customers to create certified digital identities that make it easier and quicker for people to prove things about themselves.
The Bill will strengthen the Information Commissioner’s Office (ICO) through the creation of a statutory board with a chair and chief executive, so it can remain a world-leading, independent data regulator and better support organisations to comply with data regulation.
Julian David, TechUK CEO, said:
“TechUK welcomes the new, targeted package of reforms to the UK’s data protection laws, which builds on ambitions to bring organisations clarity and flexibility when using personal data.”
“The changes announced today will give companies greater legal confidence to conduct research, deliver basic business services and develop new technologies such as AI, while retaining levels of data protection in line with the highest global standards, including data adequacy with the EU.”
Chris Combemale, Chair of the DPDI Business Advisory Group and CEO of the Data & Marketing Association (DMA UK), said:
“The DMA has collaborated with the government throughout the Data Protection and Digital Information Bill (DPDI)’s development to champion the best interests of both businesses and their customers. We are confident that the bill should act as a catalyst for innovation and growth, while maintaining robust privacy protections across the UK – an essential balance which will build consumer trust in the digital economy.”
John Edwards, UK Information Commissioner, said:
“I welcome the reintroduction of the Data Protection and Digital Information Bill and support its ambition to enable organisations to grow and innovate whilst maintaining high standards of data protection rights. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society.
“The Bill will ensure my office can continue to operate as a trusted, fair and independent regulator. We look forward to continuing to work constructively with the Government to monitor how these reforms are expressed in the Bill as it continues its journey through Parliament.”
Ministers have co-designed the Bill with key industry and privacy partners on amendments which will give organisations greater flexibility over how they can comply with the regime while maintaining high data protection standards.
Unleashing more scientific research
Current data laws are unclear on how scientists can process personal data for research purposes, which holds them back from completing vital research that can improve the lives of people across the country.
The Bill has updated the definition of scientific research to clarify that commercial organisations will benefit from the same freedoms as academics to carry out innovative scientific research, such as making it easier to reuse data for research purposes. This will reduce paperwork and legal costs for researchers, and will encourage more scientific research in the commercial sector. The definition of scientific research in the new Bill is non-exhaustive, in that it remains any processing that ‘could reasonably be described as scientific’ and could include activities such as innovative research into technological development.
Reducing unnecessary paperwork even further
The existing European version of GDPR takes a highly prescriptive, top-down approach to data protection regulation which can limit organisations’ flexibility to manage risks and places disproportionate burdens on small businesses.
Ministers have improved the Bill to further cut down on the amount of paperwork organisations need to complete to show compliance. Now, only organisations whose processing activities are likely to pose high risks to individual’s rights and freedoms will need to keep processing records. This could include, for example, where organisations are processing large volumes of sensitive data about people’s health.
The new rules will give organisations more clarity about when they can process personal data without needing consent or weighing up their own interests in processing the data against an individual’s rights for certain public interest activities. This could include circumstances where there is a public interest in sharing personal data to prevent crime, safeguard national security or protect vulnerable individuals.
Increasing public and business confidence in AI technologies
Innovative technologies like AI and Quantum computing have the potential to create widespread benefits, such as improving the delivery of healthcare services and reducing the risk of fraud. These technologies often rely on automated decision making, where significant decisions are made about people with no human involvement, or profiling, where an automated process analyses or predicts aspects about a person, such as their abilities or behaviours.
The UK’s existing data protection laws are complex and lack clarity for solely automated decision-making and profiling which makes it difficult for organisations to responsibly use these types of technologies.
The Bill ensures organisations can use automated decision-making with more confidence, and that the right safeguards are in place for people about whom those decisions are taken. This means people will be made aware when such decisions are made and can challenge and seek human review when those decisions may be inaccurate or harmful.
New measures set out today clarify that profiling is subject to the same set of robust safeguards for automated decision making when a significant decision is taken about a person with no meaningful human involvement.
For instance, if a person is denied a job or a loan because an automated decision has been taken without meaningful human input, they can challenge that decision and request a human to review the outcome instead.
As a result of these reforms, businesses, AI developers and individuals will have greater clarity about when these important safeguards for solely automated decision-making must apply. These measures maintain the UK’s high data protection standards and help provide more transparency and accountability for decisions made by computer algorithms.
Supporting international data sharing
The UK is committed to maintaining high data protection standards and continuing the free flow of personal data between like-minded countries, which power services such as GPS navigation, smart home technology and content streaming services.
The updated Bill ensures businesses can continue to use their existing international data transfer mechanisms to share personal data overseas if they are already compliant with current UK data laws. This will ensure British businesses do not need to pay more costs or complete new checks to show they’re compliant with the updated rules.