27 March 2023
International update 2023 – 1 of 6 Insights
The UK GDPR is substantially the same as the EU GDPR but the government has long targeted it for reform, arguing that the GDPR is unnecessarily complicated and a burden on businesses.
The government introduced the Data Protection and Digital Information Bill (DPDI1) to Parliament in July 2022 after a lengthy consultation process. It covered reforms to the UK GDPR, Data Protection Act 2018 and PECR, but also:
The second reading of the Bill was postponed during the Truss government so that "Ministers [could] consider this legislation" after which the then DCMS Secretary of State Michelle Donelan hinted it would be changed. You can read more about DPDI1 here.
The newly created Department for Science, Innovation and Technology (DSIT), has published the Data Protection and Digital Information (No.2) Bill (DPDI2). DPDI2 is largely similar to its predecessor with mostly minimal changes and clarifications. Unfortunately, it still operates by amending existing legislation rather than producing a complete piece of draft new legislation which makes it hard to digest – we hope a Keeling schedule will be published soon which would effectively show tracked changes.
Points to note about DPDI2 compared with DPDI1 include:
The government has also published a summary of key EHCR issues under the Bill and information standards for health and social care.
The more than six month delay between publication of DPDI1 and DPDI2 does not seem to have resulted in significant changes, therefore pleasing neither those who thought the Bill did not move far enough away from the UK GDPR, nor those who wanted to see less divergence.
For those organisations already compliant with the UK GDPR, few changes will be necessary, although in some cases, they may be desirable, especially where businesses are not also required to comply with the EU GDPR. Nonetheless, there are significant changes and cross-EU border businesses will need to adapt to parallel regimes.
The government continues to assert that the planned changes to the UK data protection regime will not jeopardise EU adequacy although no confirmation of that has been made by the EU. The Secretary of State has considerable scope in the area of data exports so much will depend on whether the government chooses to effectively grant UK adequacy (although the terminology is not the same as the EU's) to countries not similarly approved by the EU.
DPDI2 is considered likely to have a relatively smooth path to enactment given some of the government's original, more radical proposals were dropped following the initial consultation period, and is likely to pass this year. The application date will be set out by the Secretary of State with enabling provisions coming in immediately and a number of sections (including in relation to representatives of controllers or processors not established in the UK) coming in two months after the Bill becomes law.
Debbie Heywood looks at the latest proposals for changing UK data privacy law following the publication of a second Data Protection and Digital Information Bill.
27 March 2023
Michael Tan, Julian Sun, Paul Voigt and Wiebke Reuter look at what China's new SCCs mean for businesses looking to export personal data from China to the EU.
24 April 2023
by Multiple authors
Liisa Thomas of Sheppard Mullin Richter & Hampton LLP summarises the complexities of the USA's patchwork approach to privacy regulation.
15 May 2023
Trilegal's Nikhil Narendran and Karishma Sundara look at the changes ahead for India's data and technology regulatory framework.
15 May 2023
Borden Ladner Gervais' Elisa Henry, Candice Hévin, and Marguerite Rolland look at the laws which make up Canada's data privacy regulatory framework.
15 May 2023
MinterEllison's Sonja Read, Susan Kantor, Christina Graves, Helen Lauder and Paul Kallenbach look at the proposed reforms to Australia's Privacy Act 1988.
10 May 2023
by Debbie Heywood and Victoria Hordern