General Data Protection Regulation (GDPR) , Geo Focus: The United Kingdom , Geo-Specific

UK Reintroduces Bill Proposing Modifying Country's GDPR

Civil Society and Tech Firms Warn Against Modifying the European Privacy Law
UK Reintroduces Bill Proposing Modifying Country's GDPR
Houses of Parliament on the River Thames in London (Image: Shutterstock)

The U.K. government is proposing modifications to the European privacy law adopted as British law before the U.K. left the European Union, telling Britons the changes will save billions of pounds over the coming decade. Critics say the proposal waters down privacy rights and could lead to increased surveillance of vulnerable populations. Some tech companies have said a U.K. version of the law will lead to greater regulatory costs.

See Also: Expert Panel | Data Classification: The Foundation of Cybersecurity Compliance

Technology Secretary Michelle Donelan on Wednesday reintroduced the legislation, the Data Protection and Digital Information Bill, after the government had pulled it from consideration in September 2022 for additional work.

"Our new laws release British businesses from unnecessary red tape," Donelan said Wednesday, vowing that "no longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR."

Adherence to the GDPR is a cornerstone of a June 2021 agreement that allows commercial data flows to continue crossing the English Channel through mid-2025. The U.K. assimilated the GDPR as domestic law in 2018 ahead of the country's withdrawal from the European Union.

Donelan in late 2022 said the government would replace the GDPR with a "truly bespoke British system of data protection." The bill she introduced Wednesday isn't a complete replacement. Among its changes, it would empower the government to authorize permissionless data processing "for the purposes of a recognized legitimate interest" such as national security and crime. The law already recognizes the "administration of justice" as a legitimate motive for processing personal data without prior consent.

The government says paperwork requirements would go down due to limiting compliance documentation to "organizations whose processing activities are likely to pose high risks to individuals' rights and freedoms" such as entities that process large volumes of health data. The changes would also loosen GDPR restrictions on automated decision-making.

Civil rights groups were quick to criticize the bill. More than two dozen organizations, led by Open Rights Group, signed a letter calling the proposal "undemocratic."

"U.K. residents need more protection against pervasive surveillance and unfair dismissals at work, against data misuses by law enforcement and public authorities, against the exploitation of their medical conditions and vulnerabilities for commercial purposes," they wrote.

A number of small and midsize British software businesses in late 2022 urged the government not to proceed with the bill's reintroduction, saying a divergence from the GDPR in the U.K. would add to their regulatory burden rather than decrease it.

"Companies will need to remain compliant with GDPR in any situation," the October letter states.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.