By Claude-Étienne Armingaud, Nóirín McFadden and Keisha Phippen
The UK Government has finally published its highly anticipated Data Protection and Digital Information Bill (the Bill), marking the first significant post-Brexit change to the UK’s data protection regime. Following Brexit, the UK continued following the EU General Data Protection Regulation, incorporated into UK law as the UK GDPR, and the UK implementation of the EU ePrivacy Directive, the Privacy and Electronic Communications Regulations 2003 (PECR), also remained in force.
The Bill is only at the start of the legislative process, and it remains to be seen how it will develop if it is amended during its passage through Parliament, but early indications are that it represents more of an evolution than a revolution in the UK regime. That will come as a relief to businesses that transfer personal data from the EU to the UK, because it reduces the risk that the EU might rescind the UK’s adequacy status.
For a start, the Bill actually preserves the UK GDPR, its enabling legislation the Data Protection Act 2018, and the PECR, because it is drafted as an amending act rather than a completely new legislative instrument. This does not contribute to user-friendliness, as interpreting UK data protection requirements will require a great deal of cross-referencing across texts.
The more eye-catching proposed changes in the Bill include:
- The inclusion of a list of “legitimate interests” that will automatically qualify as being covered by the lawful basis in UK GDPR Article 6(e).
- Some limitations on data subject access requests, such as the possibility of refusing “vexatious or excessive” requests.
- More exemptions from the requirement to obtain consent to cookies.
- Much higher fees for breach of PECR.
The Bill will now progress through various Parliamentary stages over the coming months in order to become law.