Fresh proposals for UK data protection reform expected

Joe Jones, director of research and insights at the International Association of Privacy Professionals (IAPP), said the Department for Science, Innovation and Technology would “release proposals for a new UK GDPR” next week. UK secretary of state for science, innovation and technology Michelle Donelan is due to give a speech at an IAPP London conference on Thursday 9 March.

According to Jones, the new proposals will contain changes to those contained in the Data Protection and Digital Information (DPDI) Bill. The DPDI Bill was introduced into UK parliament last July, but its progress has since stalled – there has been no second reading of the Bill to-date.

Jones formerly worked as director of international data transfers at the previous Department for Digital, Culture, Media and Sport before joining IAPP earlier this year and before the recent reorganisation of government departments which has seen responsibility for data protection policy shift away from the now Department for Culture, Media and Sport to the new Department for Science, Innovation and Technology.

Jones said: “A lot has changed since last July, when the first draft of the soon-to-be-replaced Bill was published: new leadership at the highest levels of [government], new Whitehall structures, and lots of full-spectrum stakeholder consultation on the ‘co-design’ of a new framework. Some things are the same, such as the team of consummate civil servants and the UK government's objective to make positive improvements to the GDPR while maintaining high data privacy standards. We can be sure that there will be changes in next week's Bill compared to last July's draft.”

The plans to replace the DPDI Bill with fresh proposals for a new UK GDPR come as a notional deadline for finalising updates to the existing UK GDPR moves closers.

Under the current draft of the Retained EU Law (Reform and Revocation) Bill (the REUL Bill), which is passing through the UK parliament, the UK GDPR would be repealed from UK law from 31 December this year – unless ministers decide to preserve or replace the provisions before then. The REUL Bill also removes most special EU law features of any retained EU law that is preserved beyond that date.

The existing UK GDPR is one of a number of pieces of legislation that originated as EU law and was retained on the UK statute book at the point of Brexit. It is the bedrock of the UK’s data protection framework, though it is supplemented significantly by the UK Data Protection Act (DPA) 2018 and other legislation.

At present, the DPA 2018 allows the UK GDPR to have priority over domestic legislation in some cases if that domestic legislation does not comply with the GDPR. However, the REUL Bill, if enacted in its current form, would reverse that priority rule where it applies to any retained direct EU legislation, like the UK GDPR, though it provides for government ministers to specify exceptions where the original priority rule should still apply.

It seems likely that the government’s fresh proposals for a new UK GDPR will make provision for replacing the existing UK GDPR and address the question of priority, but it also seems likely that there will be a need for an accelerated parliamentary timetable for any new Bill if it is to be passed and enacted before the end of 2023.

The reported move to replace the DPDI Bill with fresh proposals for reform follows a period of significant political change in the UK.

The DPDI Bill was introduced into parliament when Boris Johnson was prime minister last July. However, its second reading was subsequently delayed following his resignation as leader of the governing Conservative party and then again “to allow ministers to consider the legislation further” when Liz Truss took over from Johnson as party leader and prime minister.

In a speech at the Conservative party conference in Birmingham in October last year, then secretary of state for digital, culture, media and sport Michelle Donelan said the Truss government would “co-design with business a new system of data protection”. She criticised the current regime, which revolves around the UK GDPR, as being a “regulatory minefield” that is particularly difficult for smaller organisations and businesses to navigate. Donelan’s speech prompted speculation that the government would seek to make significant changes to the DPDI Bill, or even withdraw it entirely from parliament for a complete rethink.

However, Truss’ resignation as prime minister later in October 2022 brought further change at the top of government, with Rishi Sunak succeeding her in the role. MLex reported in November that the Sunak government intended to hold an informal consultation on the DPDI Bill before it was brought back to parliament, and in recent weeks there have been reports on possible amendments the Sunak government is considering making to the original Bill.

Last month, MLex reported that Paul Scully, parliamentary under secretary of state at the new Department for Science, Innovation and Technology, had told an event that he thought it unlikely the DPDI Bill would be passed before the current parliamentary session expires in the autumn.