UK Reintroduces Bill Proposing Modifying Country's GDPR
Civil Society and Tech Firms Warn Against Modifying the European Privacy Law
The U.K. government is proposing modifications to the European privacy law adopted as British law before the U.K. left the European Union, telling Britons the changes will save billions of pounds over the coming decade. Critics say the proposal waters down privacy rights and could lead to increased surveillance of vulnerable populations. Some tech companies have said a U.K. version of the law will lead to greater regulatory costs.
Technology Secretary Michelle Donelan on Wednesday reintroduced the legislation, the Data Protection and Digital Information Bill, after the government had pulled it from consideration in September 2022 for additional work.
"Our new laws release British businesses from unnecessary red tape," Donelan said Wednesday, vowing that "no longer will our businesses and citizens have to tangle themselves around the barrier-based European GDPR."
Adherence to the GDPR is a cornerstone of a June 2021 agreement that allows commercial data flows to continue crossing the English Channel through mid-2025. The U.K. assimilated the GDPR as domestic law in 2018 ahead of the country's withdrawal from the European Union.
Donelan in late 2022 said the government would replace the GDPR with a "truly bespoke British system of data protection." The bill she introduced Wednesday isn't a complete replacement. Among its changes, it would empower the government to authorize permissionless data processing "for the purposes of a recognized legitimate interest" such as national security and crime. The law already recognizes the "administration of justice" as a legitimate motive for processing personal data without prior consent.
The government says paperwork requirements would go down because compliance documentation would be limited to "organizations whose processing activities are likely to pose high risks to individuals' rights and freedoms," such as entities that process large volumes of health data. The changes would also loosen GDPR restrictions on automated decision-making.
Civil rights groups were quick to criticize the bill. More than two dozen organizations, led by Open Rights Group, signed a letter calling the proposal "undemocratic."
"U.K. residents need more protection against pervasive surveillance and unfair dismissals at work, against data misuses by law enforcement and public authorities, against the exploitation of their medical conditions and vulnerabilities for commercial purposes," they wrote.
A number of small and midsize British software businesses in late 2022 urged the government not to proceed with the bill's reintroduction, saying a divergence from the GDPR in the U.K. would add to their regulatory burden rather than decrease it.
"Companies will need to remain compliant with GDPR in any situation," the October letter states.