On September 5, 2022, following the election of the new UK Prime Minister, the UK Government decided not to proceed with the second reading and other motions relating to the Data Protection and Digital Information Bill (the “Bill”), which was due to have taken place on the same day. According to the Leader of the House of Commons, this Bill was pulled as “to allow Ministers to consider the legislation further”.
The Bill was first introduced by the UK Government to the UK Parliament on July 18, 2022, following the UK Government’s consultation back in September 2021, entitled “Data: a new direction”. The consultation detailed the UK Government’s proposed reforms to the UK’s data protection regime following Brexit, in particular, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) that forms part of retained EU law in the UK, with an aim to create “a more pro-growth and pro-innovation data regime whilst maintaining the UK’s world-leading data protection standards”. The consultation came shortly after the European Commission adopted two adequacy decisions in respect of the UK on June 28, 2021, allowing for the free flow of personal data from the EEA to the UK without requiring additional appropriate safeguards to be put in place.
The Bill is intended to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations, providing organisations with greater flexibility on how to comply with certain aspects of the data protection legislation, and improving the clarity of the framework. For example, the Bill would reform the existing accountability framework under the GDPR (such as removing the need to conduct “data protection impact assessments” (which is replaced by an “assessment of high risk processing”), appoint a “data protection officer”, or appoint a UK representative for controllers or processors not established in the UK) and introduce a risk-based approach to international transfers of personal data. The Bill also envisages expanding the rights of organisations with respect to their processing of personal data, such as by removing certain restrictions on the use of automated decision-making, and by expanding the categories of cookies that may be used without the data subject’s consent.
That said, the Bill has been widely regarded as an evolution, rather than a revolution, from the GDPR. The new UK Government’s decision to pull the Bill now leaves uncertain the future of the UK’s data protection regime. For now, we can only wait and see whether the new Prime Minister would decide to take a more aggressive approach in reforming the UK’s data protection regime, and whether the new direction could risk the UK’s adequacy status under the GDPR.