UK government introduces data reforms legislation to Parliament

Proposed changes to UK’s data protection regime include new grounds for data processing, significant powers for the secretary of state to direct the regime’s application, and fewer restrictions on law enforcement’s use of data

Politics 14:33 21.07.2022

The UK government’s plans to reform data protection laws have been criticised by campaigners and lawyers for giving too much power to ministers over privacy and data sharing, as well as reducing digital rights and safeguards.

The Data Protection and Digital Information Bill, which was introduced to Parliament on 18 July 2022, provides more detail on reforms to the UK’s post-Brexit data protection landscape.
 
While the government claims the reforms will protect citizens better while unburdening businesses, lawyers and civil society groups are worried that the changes could lead to a lower standard of data protection and undermine digital rights contained within the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
 
Formerly known as the Data Reform Bill, the updated Bill was described by Matt Warman, minister for media, data and digital infrastructure, as an “opportunity to seize the benefits of Brexit and transform the UK’s independent data laws”.
 
Warman said the burdens of the UK’s current data protection requirements have held businesses back from realising the benefits of greater personal data use, adding: “By focusing on outcomes, not box-ticking, we will unburden businesses from prescriptive requirements and empower them to protect personal data in the most proportionate and appropriate way. Our changes could create around £1bn in business savings over 10 years.
 
“The Bill will sustain and scale the UK’s approach to supporting international data flows by capitalising on its independent status to strike partnerships with some of the world’s fastest-growing economies. Reforms will ensure that the mechanisms to transfer personal data internationally are secure and flexible to help British businesses grow.”
 
The introduction of the 192-page Bill comes a month after the government published its official response to a consultation on the Data Reform Bill in June 2022, in which it pledged to press ahead with a number of changes to the UK’s post-Brexit data protection framework.
 
Suggested changes included removing organisations’ requirements to designate data protection officers (DPOs), ending the need for mandatory data protection impact assessments (DPIAs), introducing a “fee regime” for subject access requests (SARs), and removing the requirement to review data adequacy decisions every four years. All of these are now included in the updated Bill in some form.
 
“We now have confirmation of what the UK’s post-GDPR data framework is intended to look like,” said Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy and cyber security practice. “Nips and tucks rather than a full facelift, although many of the small changes could have significant effects in practice and likely won’t go unnoticed as the Bill moves through Parliament.
 
“The GDPR isn’t perfect and it would be foolish for the UK not to learn from those lessons in its own approach, but it’s walking a tightrope between improvements to the current framework and performative changes for the sake of ripping up Brussels red tape. My initial impressions of the Bill are that the government has struck the balance in favour of business and overlooked some civil society concerns, so I would think that reduced rights and safeguards for individuals will be areas that are targeted for revision before the Bill is finalised.”   
 
There are also concerns that the direction of travel the UK is taking could lead to it losing its data adequacy status with the European Union (EU), which allows the continued free flow of data between UK businesses and those in the bloc.
 
The European Commission granted the UK data adequacy in June 2021, but warned that this may yet be revoked if the UK’s new data protection rules diverge significantly from the EU’s.
 
MEPs have also previously argued that UK laws allowing government agencies to access and retain bulk data on individuals who are not under suspicion is inconsistent with the GDPR, and that data sharing between UK signals intelligence agency GCHQ and the US National Security Agency “would not protect EU citizens or residents”.
 
But Warman said: “The EU does not require countries to have the same rules to grant adequacy, so it is our belief that these reforms are compatible with maintaining a free flow of personal data from the European Economic Area.”
 
Further changes
While the June 2022 consultation response previewed many of the intended changes to UK data protection law, the updated Bill goes into more detail and makes a number of further changes that were not previously announced.
 
For example, one of the most significant additions to the Bill is that it would make any data processing lawful if it is conducted for a “recognised legitimate interests”, which are listed in Annex 1 of the Bill’s text. As it stands, the legitimate interests that provide a lawful basis for data processing include: national security, public security and defence; emergencies and crime; safeguarding vulnerable individuals; and democratic engagement.
 
However, the Bill would also give the secretary of state sweeping powers to extend or reduce the list of legitimate interests that organisations can use as grounds for data processing, as well as to amend almost any aspect of the legislation through further regulations, thereby circumventing parliamentary debate on future changes.
 
Mariano delli Santi, legal and policy officer at Open Rights Group (ORG), said: “The Bill will remove the balancing test for data uses based on [a list of] legitimate interests. That is to say, an interest will be considered legitimate even if it is harmful. The government will have the power to amend this list as soon as we are looking the other way.”
 
He added: “This translates as: the government wants to have the power to establish arbitrary lawful grounds for data uses that lack definition, foreseeability and safeguards against abuses. Parliament will be asked to rubber-stamp what the government proposes.”
 
On top of new powers for the secretary of state, the Bill also contains provisions to water down Article 22 GDPR restrictions that protect people from solely automated decision-making.
IEPF issued a statement regarding Azerbaijani children at the UN Human Rights Council

News line

Russia accuses Ukrainian military chief of ordering downing of war prisoner plane
22:10 05.07.2025
Türkiye supports firefighting operations in Syria’s Latakia
22:00 05.07.2025
UNRWA calls for immediate fuel delivery to Israel-blockaded Gaza before shutdown of basic services
21:45 05.07.2025
Pashinyan: Armenia needs new constitution
21:20 05.07.2025
UN chief condemns Russia's recent 'series of large-scale' attacks on Ukraine
21:00 05.07.2025
Kazakh servicemen arrive in Azerbaijan to participate in Tarlan - 2025 exercise
20:45 05.07.2025
Erdogan: US has crucial role in achieving ceasefire in Gaza
20:20 05.07.2025
Building collapse in Pakistan kills 15
19:45 05.07.2025
Turkish FM Fidan to attend 17th BRICS Leaders Summit in Rio de Janeiro
19:30 05.07.2025
Australia pledges $283M for green energy project by explosives maker
19:10 05.07.2025
OPEC+ speeds up oil output hikes, adds 548,000 bpd in August
18:45 05.07.2025
Inter completes signing of Ange-Yoan Bonny from Parma
18:20 05.07.2025
Turkish president sees Zangazur corridor 'as part of the geoeconomic revolution'
18:00 05.07.2025
Turkish president urges Azerbaijan, Russia to show restrain amid tension
17:45 05.07.2025
China says war 'not a solution' to Iranian nuclear issue
17:15 05.07.2025
At least 18 people injured after fire alert on Ryanair plane in Majorca as passengers abandon jet & leap from wing
17:00 05.07.2025
Azerbaijani PM meets with UNESCAP executive secretary
16:45 05.07.2025
Lebanese president affirms coordination with Syria, warns against sectarian tensions
16:15 05.07.2025
21 killed in Israeli strikes on tents, school-turned-shelters in Gaza Strip
16:00 05.07.2025
Turkish construction sector takes on international projects worth $6.2B in first half of 2025
15:45 05.07.2025
Azerbaijani woman wrestler becomes European champion
15:30 05.07.2025
Mayor: Death toll in Russian attacks on Kyiv reached two
15:15 05.07.2025
Texas floods kill 24 people and leave many missing from girls' summer camp
14:45 05.07.2025
Conor McGregor has interest in White House fight after Trump's UFC idea
14:30 05.07.2025
Netanyahu era sees 40% surge in Israeli settlements in occupied West Bank
14:15 05.07.2025
Equatorial Guinea sues France in UN court to block sale of Paris mansion
14:00 05.07.2025
US president 'disappointed' over phone call with Putin
13:45 05.07.2025
Academy of Azerbaijan`s State Security Service hosts graduation ceremony
13:30 05.07.2025
Azerbaijan and Pakistan ink memo in Khankendi
13:15 05.07.2025
Trump says there could be Gaza deal next week
13:00 05.07.2025
First flight from Türkiye to Syria launched
12:45 05.07.2025
US marks its 249th anniversary of independence
12:30 05.07.2025
Azerbaijan's role in regional integration discussed at London conference
12:00 05.07.2025
Uzbek Minister: Mirziyoyev's visit to Azerbaijan crucial for dev’t of transport links
11:45 05.07.2025
Trump says US will start talks with China on TikTok deal this week
11:30 05.07.2025
Prime Minister of Pakistan Muhammad Shehbaz Sharif concludes visit to Azerbaijan
11:15 05.07.2025
Pakistani premier proposes low-emissions corridor at Economic Cooperation Organization summit
11:00 05.07.2025
Rwanda pledges to deliver on its part of US-brokered peace deal with DR Congo
10:45 05.07.2025
Hezbollah rejects calls to disarm before end of Israeli ‘aggression’ against Lebanon
10:30 05.07.2025
Trump says Gaza ceasefire deal may come next week after ‘positive’ Hamas response
10:15 05.07.2025
Hamısı