UK DPDI Bill - Comparison with GDPR
On July 18, 2022, the U.K. government introduced the Data Protection and Digital Information Bill to Parliament. Previously known as the
Data Reform Bill, it is the result of a consultation from 2021 and its aim is to update and simplify the U.K.’s data protection framework.
According to the U.K. government, the new legal framework created by the DPDI Bill will reduce burdens on organizations while
maintaining high data protection standards.
Given that the current U.K. data protection framework essentially mirrors the EU General Data Protection Regulation and EU ePrivacy framework,
this comparative analysis considers the changes proposed by the DPDI Bill by reference to the relevant EU law provisions and addresses the following
practical questions:
→ Whether the U.K. approach is more or less onerous than the EU provision.
→ Whether applying the EU interpretation in the U.K. will be compliant.
→ Whether there is an advantage in relying on the U.K. approach.
Taking these factors into account, the proposed legislative changes are color-coded in the table below as follows:
→ Positive impact for ease of compliance
→ Neutral impact for ease of compliance
→ Negative impact for ease of compliance
The UK Data Protection and Digital Information Bill • International Association of Privacy Professionals • iapp.org 1
Each entry below is set out in three parts: EU Law Provision (EU GDPR and ePrivacy Directive), UK Approach (Data Protection and Digital Information Bill) and Practical Analysis.
EU GDPR
Definitions
EU Law Provision: Article 4 and Recital 26 (Definition of personal data)
The EU GDPR applies to ‘personal data.’ Personal data is defined as any information relating to an ‘identified or identifiable’ individual. An identifiable individual is one who can be identified directly or indirectly. To determine whether an individual is indirectly identifiable, account should be taken of all the means ‘reasonably likely’ to be used, such as singling out, either by the controller or by another person. Anonymous data is data that is not related to an identified or identifiable natural person, and is not in scope of the Regulation.

UK Approach: Clause 1(3) (Definition of personal data)
The DPDI Bill retains the same basic definition. However, it further clarifies when data is related to an identified or identifiable individual and when it should be considered anonymous. Information will only be considered as identifiable by a person other than the controller or processor if that other person will, or is likely to, obtain the information as a result of the processing. If they are not or are not likely to obtain the information, this will be considered anonymous information.

Practical Analysis:
→ The U.K. approach reduces uncertainty as to when data is anonymized in a manner which is likely to benefit the controller.
→ Applying the EU interpretation in the U.K. will be compliant.
→ Marginal advantage in relying on the U.K. approach.
EU Law Provision: Article 4 and Recitals 159, 160, 162 (Definition of research and statistical purposes)
The EU GDPR contains various exemptions where personal data is being processed for scientific or historical research purposes or statistical purposes. However, these terms are not defined in the body of the EU GDPR. Instead, recitals 159, 160 and 162 contain interpretive guidance. For example, recital 159 states that scientific research should be interpreted in a broad manner, and provides examples of technological development and demonstration, fundamental research, applied research, privately funded research and studies conducted in the public interest in the area of public health.

UK Approach: Clause 2 (Definition of research and statistical purposes)
The DPDI Bill moves much of the interpretative guidance from the recitals into the main body of the U.K. GDPR. The interpretations remain broadly similar, although there are some helpful clarifications, such as that scientific research means ‘any research that can reasonably be described as scientific, whether publicly or privately funded’.

Practical Analysis:
→ The U.K. approach is similar but may reduce uncertainty in a way which is beneficial to controllers processing personal data for scientific research purposes.
→ Applying the EU interpretation in the U.K. will generally be compliant.
→ Marginal advantage in relying on the U.K. approach.
EU Law Provision: Article 4 and Recital 33 (Consent for scientific research)
The EU GDPR requires that where consent is relied on as the lawful basis for processing, the consent must be given for a specific purpose of processing. This can cause challenges in the context of exploratory scientific research, where it may not be possible to fully identify the objective of the research at the outset. The main body of the EU GDPR does not provide a solution to this, although recital 33 notes that individuals should be allowed to consent to areas of research where in keeping with recognized ethical standards, and when individuals are given the option of consenting only to part of the research where practical.

UK Approach: Clause 3 (Consent for scientific research)
The DPDI Bill moves the substance of the recital into the body of the U.K. GDPR but does not substantively alter its meaning.

Practical Analysis:
→ The U.K. approach provides legal certainty but does not alter the intent of the existing EU recital.
→ Applying the EU interpretation in the U.K. will be compliant.
→ The U.K. approach provides additional legal certainty.
EU Law Provision: Article 6(1)(e) and (f) (Lawfulness of processing)
The EU GDPR requires that all processing has a lawful ground. One of these lawful grounds is that the processing is necessary for the purposes of the legitimate interests of the controller or a third party, and those interests are not overridden by the interests or fundamental rights of the data subject. Relying on this lawful ground requires conducting a balancing test on a case-by-case basis. An alternative legal basis is where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

UK Approach: Clause 5 and Schedule 1, Annex 1 (Lawfulness of processing)
The DPDI Bill removes the need to assess whether processing for certain ‘recognised’ legitimate interests is overridden by the interests or rights of the data subject. These ‘recognized’ legitimate interests are laid out in Annex 1. A procedure is set out for the U.K. government to add to this list in the future. The current list focuses on ‘public interests’ such as national security, public security, defense, emergencies, preventing crime, safeguarding and democratic engagement.

Practical Analysis:
→ The U.K. approach removes the requirement to conduct a balancing test when processing for a legitimate interest specified in Annex 1.
→ Applying the EU interpretation in the U.K. will be compliant.
→ The U.K. approach makes it simpler to process data for recognized legitimate interests.
EU Law Provision: Article 5(1)(b) and Article 6 (Purpose limitation principle)
The EU GDPR requires that personal data be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (‘purpose limitation’ principle). The EU GDPR sets out factors to consider when determining whether processing for a new purpose is ‘compatible’ with the initial purpose. It also states that further processing for purposes of archiving in the public interest, scientific or historical research, or statistics will not be considered incompatible with the original purpose.

UK Approach: Clause 6 and Schedule 2, Annex 2 (Purpose limitation principle)
The DPDI Bill maintains a similar general test for determining whether processing for a new purpose is ‘compatible.’ However, it introduces a list of additional scenarios where processing for a new purpose will be considered as compatible. The new ‘compatible’ scenarios are laid out in clause 6 and Annex 2. A procedure is set out for the U.K. government to add to this list in future. The current list is extensive and includes processing for research, archiving and statistics, several other ‘public interest’ purposes as well as, for example, to enable controllers to comply with their legal obligations. The ‘compatible purposes’ are somewhat restricted when the initial processing is based on consent. The DPDI Bill also clarifies that processing is not lawful simply because it is being carried out for purposes which are compatible with the purposes for which it was collected.

Practical Analysis:
→ The U.K. approach reduces uncertainty in a way which is mostly beneficial to controllers.
→ Applying the EU interpretation in the U.K. will be compliant.
→ The U.K. approach makes it simpler to comply with the purpose limitation principle.
EU Law Provision: Article 12 and Articles 15-22 (Vexatious or excessive requests and time limits for responding)
The EU GDPR provides data subjects with certain rights exercisable against controllers, including the right of access, right to rectification, right to erasure, the right to restrict processing, right to data portability and right to object. Requests cannot be refused unless the controller can demonstrate it is not in a position to identify the data subject or if the request is manifestly unfounded or excessive. The EU GDPR states that this may be the case in particular because of their repetitive character but does not explicitly define these terms. Controllers have one month from receipt of the request to respond substantively, although this may be extended by two further months where necessary, taking into account the complexity and number of requests.

UK Approach: Clause 7 and Clause 8 (Vexatious or excessive requests and time limits for responding)
The DPDI Bill replaces the EU GDPR’s ‘manifestly unfounded or excessive’ threshold for refusing requests with a new ‘vexatious or excessive’ threshold. The DPDI Bill outlines several factors to be considered when determining whether requests meet this threshold, together with examples of requests which may do so. Among other things, controllers will now be able to take into account their resources and may be able to refuse requests intended to cause distress, not made in good faith, or which are an abuse of process. The DPDI Bill also clarifies that the time period for responding to a request does not run whilst waiting for a requestor to confirm their identity (if requested), provide any reasonably necessary clarifications requested by the controller, or to pay any fees due.

Practical Analysis:
→ The U.K. approach expands the circumstances under which a request may be refused and provides helpful clarity that the clock does not continue to run whilst waiting for the requestor to provide any necessary information that is requested.
→ Applying the EU interpretation in the U.K. will be compliant.
→ The U.K. approach makes it simpler to comply with individuals’ rights.
EU Law Provision: Article 13 and Article 14 (Information to be provided to data subjects)
The EU GDPR requires controllers to provide certain transparency information to the data subject. There are certain exemptions to this requirement. In particular, where personal data has not been obtained directly from the data subject, it is not necessary to provide the information where it would (a) be impossible, (b) involve disproportionate effort, or (c) undermine the objectives of the processing. Instead, it is sufficient to take appropriate steps to protect the data subject, which must include making the information publicly available (for example via a privacy notice).

UK Approach: Clause 9 (Information to be provided to data subjects)
The DPDI Bill expands this exemption such that it also applies to processing personal data which has been collected directly from the data subject for research, archiving or statistical purposes only, where providing such information would be impossible or require disproportionate effort.

Practical Analysis:
→ The U.K. approach makes it less onerous to comply with transparency obligations when processing personal data collected directly from the data subject for research, archiving or statistical purposes only.
→ Applying the EU interpretation in the U.K. will be compliant.
→ The U.K. approach is simpler to comply with when processing personal data collected directly from the data subject for research, archiving or statistical purposes only.
EU Law Provision: Article 22 (Automated decision-making)
The EU GDPR provides data subjects with a right not to be subject to decisions based solely on automated decision-making, including profiling, which have legal or similarly significant effects, but this is subject to certain exemptions. A controller carrying out solely automated decision-making under this provision must also implement certain measures to safeguard the data subject, such as providing the right to obtain human intervention.

UK Approach: Clause 11 (Automated decision-making)
The DPDI Bill substitutes the whole of Article 22 with a new provision by which processing based solely on automated decision-making is only restricted and subject to certain conditions where it involves the processing of special category data. The safeguards that apply to solely automated decision-making have been clarified and arguably expanded, to include an obligation for controllers to provide the data subject with information about the decisions. Measures also must be put in place to enable the data subject to make representations about the decisions, obtain human intervention and contest the decisions. The definition of solely automated is also clarified to mean decision making that involves no meaningful human involvement.

Practical Analysis:
→ The U.K. approach relaxes the restrictions on the use of solely automated decision-making but makes the safeguards that apply to data subjects more explicit.
→ The EU approach would be broadly compliant in the U.K., although organizations will need to consider whether they are providing sufficient information to data subjects about solely automated decisions.
→ The U.K. approach makes it marginally simpler to comply with the rules on solely automated decision-making.
Accountability
EU Law Provision: Article 24, Article 25 and Article 28 (General obligation relating to technical and organizational measures)
Under the EU GDPR, controllers and processors have certain accountability obligations when processing personal data. Controllers must implement appropriate technical and organizational measures to demonstrate their compliance with EU GDPR and must only use processors that provide sufficient guarantees to implement appropriate technical and organizational measures.

UK Approach: Clause 12 (General obligations)
The DPDI Bill makes a minor amendment to these provisions to require ‘appropriate measures, including technical and organizational measures,’ rather than merely ‘appropriate technical and organizational measures.’

Practical Analysis:
→ The explanatory notes suggest this change is intended to give controllers more flexibility as to the measures they put in place. As drafted however, the new language suggests that the new measures must still include technical and organizational measures.
→ The EU approach would be broadly compliant in the U.K.
→ The U.K. approach is intended to allow for greater flexibility, although it is unclear that the current language achieves this.
EU Law Provision: Article 27 (Representatives for controllers or processors not established in the EU)
The EU GDPR requires controllers and processors that are not established in the EU to appoint an EU representative in certain circumstances.

UK Approach: Clause 13 (Removal of requirement for representatives for controllers or processors outside the U.K.)
The DPDI Bill removes the requirement for controllers and processors not established in the U.K. to appoint a U.K. representative.

Practical Analysis:
→ The U.K. approach is less onerous than the EU position.
→ Applying the EU interpretation in the U.K. will be compliant (but unnecessary).
→ The U.K. approach significantly simplifies compliance.
EU Law Provision: Article 30 (Records of processing activities)
The EU GDPR requires controllers and processors to keep a record of their processing activities. For controllers, the records must include the name and contact details of the controller, the purpose of processing, the categories of the data and data subjects, the recipients of the data, any transfers to a third country or international organization, (where possible) the retention of the data and (where possible) the security measures implemented. Processors are subject to a more limited set of record keeping obligations. There is an exemption for organizations of under 250 persons, but only where the processing is not likely to result in a high risk, is not occasional, and does not include special category data or criminal data.

UK Approach: Clause 15 (Duty to keep records)
The DPDI Bill maintains the obligation for controllers and processors to keep a record of processing which is broadly similar to that required under the EU GDPR. However, the exemption from record-keeping requirements has been expanded, such that it applies to any organization with less than 250 persons which does not conduct high-risk processing.

Practical Analysis:
→ The U.K. approach largely maintains the obligation to keep records of processing, although it may be less onerous for smaller companies not conducting high risk processing.
→ Applying the EU requirements in the U.K. will broadly be compliant, although the U.K. requirements may require more specificity (for example, an obligation to record who the data has been shared with, rather than merely categories of recipient).
→ The U.K. approach may be less burdensome for companies with less than 250 employees.
EU Law Provision: Article 35 (Data protection impact assessment)
The EU GDPR requires controllers to carry out a data protection impact assessment where there is high risk processing in relation to new technologies.

UK Approach: Clause 17 (Assessment of high-risk processing)
The DPDI Bill requires controllers to carry out an assessment of high-risk processing. The assessment needs to include a summary of the purpose, an assessment of whether the processing is necessary for the purpose, an assessment of the risks to individuals, and a description of the proposed mitigations. However, the list of specific circumstances in which a DPIA is considered necessary under the EU GDPR, such as in relation to the processing of large scale special category data, has been removed.

Practical Analysis:
→ The U.K. approach largely maintains the requirement to undertake a DPIA.
→ Applying the EU interpretation in the U.K. will be compliant.
→ The U.K. approach does not lower the standards that trigger the requirement to undertake an assessment of high-risk processing.
EU Law Provision: Article 36 (Prior consultation)
The EU GDPR requires controllers to consult the supervisory authority where the processing has been designated high risk in a DPIA in the absence of measures to mitigate the risk.

UK Approach: Clause 18 (Consulting the Commissioner prior to processing)
The DPDI Bill makes it optional to consult the Information Commissioner prior to processing that has been designated high risk by an assessment, in the absence of measures to mitigate the risk.

Practical Analysis:
→ The U.K. approach removes this obligation by making regulatory consultation optional.
→ Applying the EU interpretation in the U.K. will be compliant (but unnecessary).
→ The U.K. approach significantly simplifies compliance.
EU Law Provision: Articles 37-39 (Designation, position and tasks of data protection officer)
The EU GDPR requires controllers and processors to appoint a data protection officer if the processing is carried out by a public authority, if the processing is on a large scale, or if there are large amounts of special category data being processed. The DPO’s tasks involve informing their organization of their processing obligations, monitoring compliance with the data protection legislation, providing advice on data protection impact assessments and acting as the point of contact and cooperating with the supervisory authority.

UK Approach: Clause 14 (Senior responsible individual)
The DPDI Bill requires controllers and processors to appoint a senior responsible individual if the controller or processor carries out high risk processing or is a public body. Under the DPDI Bill the tasks are different for controllers and processors. The tasks for a controller’s SRI involve monitoring compliance with data protection legislation, ensuring their organization has updated measures to ensure compliance, informing their organization of their processing obligations, organizing training for employees, dealing with complaints on personal data processing, dealing with personal data breaches and acting as the point of contact and cooperating with the Information Commissioner. For a processor, the SRI’s tasks involve monitoring compliance and acting as a point of contact and cooperating with the Information Commissioner.

Practical Analysis:
→ The U.K. approach largely maintains the requirement to appoint a DPO, now called SRI.
→ Applying the EU interpretation in the U.K. will be compliant.
→ The U.K. approach does not lower the standards that trigger the appointment of an SRI.
EU Law Provision: Articles 44-50 (Transfers of personal data to third countries and international organizations)
International transfers of personal data may only take place subject to certain conditions, namely:
→ The third country ensures an adequate level of protection for the personal data.
→ In the absence of that adequate level of protection, the controller or processor wishing to transfer the data provides appropriate safeguards.
→ In the absence of an adequate level of protection or of appropriate safeguards, a transfer fits within one of the derogations for specific situations.

UK Approach: Clause 21 and Schedule 5 (Transfers of personal data to third countries and international organizations)
The DPDI Bill covers the whole international data transfers regime in a schedule. The Secretary of State may approve transfers of personal data to a third country or international organization through regulations if the so-called ‘data protection test’ is met, considering factors including the desirability of facilitating transfers of personal data to and from the U.K. Transfers may also be made subject to appropriate safeguards or derogations. However, the Secretary of State may restrict transfers where necessary for important reasons of public interest.

Practical Analysis:
→ The U.K. approach largely maintains the regime dealing with international data transfers, although it provides flexibility for the Secretary of State to approve transfers subject to the data protection test.
→ Applying the EU interpretation in the U.K. will be compliant subject to specific restrictions introduced by the Secretary of State in the public interest.
→ The U.K. approach does not necessarily allow greater flexibility in meeting the legal requirements to legitimise international data transfers.
Research safeguards
EU Law Provision: Article 89 (Safeguards for processing for research purposes)
The EU GDPR contains various exemptions where personal data is being processed for scientific or historical research or statistical purposes. In order to benefit from these exemptions, ‘appropriate safeguards’ must be applied to the processing. The EU GDPR specifies that these safeguards must ensure respect for the principle of data minimization, for example by pseudonymizing and anonymizing data where possible, but leaves EU member states to further elaborate on what additional safeguards might be necessary.

UK Approach: Clause 22 (Safeguards for processing for research purposes)
The DPDI Bill maintains the focus on data minimization as a safeguard. It also mirrors existing provisions in the UK Data Protection Act 2018 by specifying that:
→ The processing must not be likely to cause substantial damage or distress to the data subject.
→ The processing is not carried out for the purposes of taking measures or making decisions with respect to a particular data subject (except for approved medical research).
The DPDI Bill enables the U.K. government to introduce further safeguards.

Practical Analysis:
→ The U.K. approach is more onerous than the EU provision, in that it introduces specific additional safeguards which must be complied with.
→ Applying the EU interpretation in the U.K. will not alone ensure compliance.
→ Controllers relying on the research or statistical exemptions in the U.K. will need to ensure they have applied the specified safeguards.
Privacy and Electronic Communications Directive 2002 as amended by Directive 2009/136/EC of the European Parliament and of the Council
(ePrivacy Directive)
EU Law Provision: Article 5 (Cookies and similar technologies)
Organizations are restricted from storing/accessing information, such as cookies and similar technologies, on the terminal equipment of a user unless users have given their consent or the strictly necessary exemption applies.

UK Approach: Clause 79 (Cookies and similar technologies)
The DPDI Bill introduces an expanded range of exemptions to the consent requirement including:
→ For the purpose of collecting statistical information about an information society service in order to improve that service.
→ For enabling the way in which a website appears or functions in order to adapt to the preferences of the user.
→ For the installation of necessary security updates to software on a device.
→ To identify the geolocation of an individual in an emergency.
For each of these exemptions to apply (other than for emergency geolocation), the user must be provided with clear and comprehensive information and a simple means of objecting.

Practical Analysis:
→ The U.K. approach is generally less onerous than the EU position, allowing cookies and similar technologies to be used for a broader range of purposes without consent.
→ Applying the EU interpretation in the U.K. will generally be compliant.
→ The U.K. approach will expand the purposes for which cookies can be used without consent, but requires changes to consent mechanisms and objection processes.
EU Law Provision: Article 13 (Opt-out exemption)
The general rule for the use of electronic mail for direct marketing purposes is prior consent. However, organizations can send electronic marketing communications to customers without prior consent where they obtained the contact details in the context of a previous sale or provision of goods or services, subject to providing them with the right to opt-out.

UK Approach: Clause 82 (Opt-out exemption)
The opt-out exemption is being expanded to apply to non-commercial organizations so that they will also be able to send electronic marketing communications without consent for the purposes of furthering charitable, political or other non-commercial objectives, if they obtained the contact details in the course of the individual expressing interest or offering support to the objective.

Practical Analysis:
→ The U.K. approach expands the circumstances under which the opt-out exemption can be relied upon.
→ Applying the EU interpretation in the U.K. will be compliant.
→ The U.K. approach makes it easier for non-commercial organizations to undertake direct marketing.
EU Law Provision: Article 15a (Duty to notify the Commissioner of unlawful direct marketing)
The powers of supervision and enforcement are delegated to member states to determine and therefore not specified at an EU-level.

UK Approach: Clause 85 (Duty to notify the Commissioner of unlawful direct marketing)
The DPDI Bill introduces a duty on providers of public electronic communication services and networks to report to the Information Commissioner suspicious activity relating to unlawful direct marketing. As a consequence, a new power is introduced for the Information Commissioner to issue fines of up to 1,000 pounds to service providers and network providers who violate the regulation.

Practical Analysis:
→ The U.K. approach goes beyond what is strictly required by EU law.
→ Applying the EU position in the U.K. will not necessarily be sufficient for providers of electronic communications services and networks.
→ U.K. providers of electronic communications services and networks will need to introduce new processes in order to detect and report suspicious activity relating to unlawful direct marketing.
EU Law Provision: Article 15a (Enforcement powers)
The powers of supervision and enforcement are delegated to member states to determine and therefore not specified at an EU-level.

UK Approach: Clause 86 (Enforcement powers)
The current U.K. enforcement powers under the Privacy and Electronic Communications Regulations have been expanded to broadly reflect those available under the U.K. GDPR. This includes making cookie and electronic direct marketing infringements subject to increased fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher, compared with a maximum of 500,000 pounds previously.

Practical Analysis:
→ The U.K. approach goes beyond what is strictly required by EU law.
→ There is no direct impact on the compliance measures that need to be taken compared with the EU.
→ Organizations that are operating websites, mobile applications and performing direct marketing in the U.K. should be aware of the considerable increase in potential penalties for infringements.
In conclusion, the Data Protection and Digital Information Bill covers a significant number of important provisions across both the GDPR and the ePrivacy
framework. However, none of the proposed changes represent a radical departure from the current law in the EU and the U.K. It is clear that with the DPDI
Bill, the U.K. government has sought to simplify compliance, but not to eliminate the basic rules of U.K. data protection law. Therefore, from a compliance
perspective, the essential similarities between the two regimes will not cease to exist once the DPDI Bill becomes law.