Tinker, Tailor, or Wholesale Reform? The UK’s Data Protection and Digital Information (No.2) Bill

On 8 March 2023 the UK Government released a new version of the Data Protection and Digital Information Bill (the Bill), which is intended to make a series of changes to the UK’s data protection framework found in the UK GDPR, the Data Protection Act 2018 (DPA ‘18) and the Privacy and Electronic Communications Regulations.

If enacted, what will be its effect? Is this proposed tailoring of the existing framework significant, or just tinkering around the edges?

Introduction

The previous version of the Bill was introduced in July 2022 but has now been withdrawn. The Bill’s new iteration makes a number of clarifications and carve outs, seeking to simplify the UK’s data protection regime now that the GDPR has been in force some five years. The Bill makes a series of changes (either to the existing framework or the Bill’s prior iteration), including in relation to accountability, legitimate interests, and international transfers.

Accountability

One change from the status quo in the Bill is in respect of organisations’ accountability. When it comes to record keeping, previously only small organisations that did not carry out high risk processing, for example processing high volumes of health data, were exempt from maintaining records of that activity. Under the Bill, any controller or processor that does not undertake high risk processing would now be exempt from keeping records of processing.

Whilst this may come across as a significant change, organisations will still need to evidence accountability; controllers will need to show evidence of processes and procedures for handling data in accordance with data protection principles. Large and international corporations may also adopt standard procedures across jurisdictions, meaning in practice the apparent “watering down” may not be taken up.

Legitimate Interest

The Bill’s previous iteration proposed that organisations would not be required to carry out a balancing exercise to rely on legitimate interests where those interests were “recognised”. The Bill continues with this general approach but now provides examples that track the UK GDPR’s recitals, including with respect to intra-group transmission of personal data where necessary for administration, crime-prevention, and direct-marketing.

This might be viewed as a slight expansion of the ambit of legitimate interest as a basis for processing.  Controllers will still need to carry out impact assessments, but the likelihood that legitimate interest will be an appropriate basis appears to have increased slightly.

Scientific Research

In the Bill, organisations carrying out research will be treated as falling under the banner of “scientific research” (thereby making the data more freely available for transfer and use by others) where the processing involved could “reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”. Whilst it remains to be seen how this will operate in practice, this apparent loosening of controls will no doubt be welcomed by commercial research firms and others for whom this definition may apply. 

International Transfers

The Bill does not seek to tinker with the UK’s international transfers regime. The Bill’s previous iteration introduced a new test for assessing adequacy, being whether the destination jurisdiction offered “materially lower” protections than that available under the UK GDPR (in which case the transferee jurisdiction would not have adequacy and the proposed transfer would be unlawful). The Bill makes clear that mechanisms lawfully entered before the Bill would continue to be valid.  Companies who have spent time and energy implementing valid transfer mechanism will no doubt welcome the apparent consistency here.

Adequacy

One might think some of the Bill’s changes (not all of which are included in this article) may risk the UK’s EU adequacy status. The UK Government has since acknowledged that any changes to the UK’s regime cannot risk its adequacy status. That said, the UK’s adequacy status is not a matter for the UK government. How the EU considers some of the proposed changes, including those regarding record keeping discussed above, remains to be seen. 

Effect

There are real changes in this Bill that practitioners and industry participants will need to consider.  That said, the Bill is not the GDPR-replacement some popular commentators might have you believe, slashing regulation and creating a new ‘Singapore-on-Thames’ for data. The UK is not diverging wholesale from EU rules and norms, specifically not – we have been assured – in a way that would jeopardise its “adequacy” status.

What is more, in an attempt to simplify – to “cut red tape” – in the Bill the UK Government has created another document to consult; the GDPR and the DPA ’18 are not going anywhere.

Related Capabilities

© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.

Tinker, Tailor, or Wholesale Reform? The UK’s Data Protection and Digital Information (No.2) Bill

On 8 March 2023 the UK Government released a new version of the Data Protection and Digital Information Bill (the Bill), which is intended to make a series of changes to the UK’s data protection framework found in the UK GDPR, the Data Protection Act 2018 (DPA ‘18) and the Privacy and Electronic Communications Regulations.

If enacted, what will be its effect? Is this proposed tailoring of the existing framework significant, or just tinkering around the edges?

Introduction

The previous version of the Bill was introduced in July 2022 but has now been withdrawn. The Bill’s new iteration makes a number of clarifications and carve outs, seeking to simplify the UK’s data protection regime now that the GDPR has been in force some five years. The Bill makes a series of changes (either to the existing framework or the Bill’s prior iteration), including in relation to accountability, legitimate interests, and international transfers.

Accountability

One change from the status quo in the Bill is in respect of organisations’ accountability. When it comes to record keeping, previously only small organisations that did not carry out high risk processing, for example processing high volumes of health data, were exempt from maintaining records of that activity. Under the Bill, any controller or processor that does not undertake high risk processing would now be exempt from keeping records of processing.

Whilst this may come across as a significant change, organisations will still need to evidence accountability; controllers will need to show evidence of processes and procedures for handling data in accordance with data protection principles. Large and international corporations may also adopt standard procedures across jurisdictions, meaning in practice the apparent “watering down” may not be taken up.

Legitimate Interest

The Bill’s previous iteration proposed that organisations would not be required to carry out a balancing exercise to rely on legitimate interests where those interests were “recognised”. The Bill continues with this general approach but now provides examples that track the UK GDPR’s recitals, including with respect to intra-group transmission of personal data where necessary for administration, crime-prevention, and direct-marketing.

This might be viewed as a slight expansion of the ambit of legitimate interest as a basis for processing.  Controllers will still need to carry out impact assessments, but the likelihood that legitimate interest will be an appropriate basis appears to have increased slightly.

Scientific Research

In the Bill, organisations carrying out research will be treated as falling under the banner of “scientific research” (thereby making the data more freely available for transfer and use by others) where the processing involved could “reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”. Whilst it remains to be seen how this will operate in practice, this apparent loosening of controls will no doubt be welcomed by commercial research firms and others for whom this definition may apply. 

International Transfers

The Bill does not seek to tinker with the UK’s international transfers regime. The Bill’s previous iteration introduced a new test for assessing adequacy, being whether the destination jurisdiction offered “materially lower” protections than that available under the UK GDPR (in which case the transferee jurisdiction would not have adequacy and the proposed transfer would be unlawful). The Bill makes clear that mechanisms lawfully entered before the Bill would continue to be valid.  Companies who have spent time and energy implementing valid transfer mechanism will no doubt welcome the apparent consistency here.

Adequacy

One might think some of the Bill’s changes (not all of which are included in this article) may risk the UK’s EU adequacy status. The UK Government has since acknowledged that any changes to the UK’s regime cannot risk its adequacy status. That said, the UK’s adequacy status is not a matter for the UK government. How the EU considers some of the proposed changes, including those regarding record keeping discussed above, remains to be seen. 

Effect

There are real changes in this Bill that practitioners and industry participants will need to consider.  That said, the Bill is not the GDPR-replacement some popular commentators might have you believe, slashing regulation and creating a new ‘Singapore-on-Thames’ for data. The UK is not diverging wholesale from EU rules and norms, specifically not – we have been assured – in a way that would jeopardise its “adequacy” status.

What is more, in an attempt to simplify – to “cut red tape” – in the Bill the UK Government has created another document to consult; the GDPR and the DPA ’18 are not going anywhere.

Related Capabilities

© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.

News and Insights

Podcasts

Partner Laurel Loomis Rimon Discusses Fintech Enforcement, Debanking, and Regulatory Risk on Fintech Layer Cake Podcast

Partner Laurel Loomis Rimon was featured on the Fintech Layer Cake podcast, where she discussed how fintech enforcement and prosecution actually work in practice, and what exposes fintechs and banks to regulatory risk.

July 15, 2026

Publications

Supreme Court Clarifies Scope of Private Rights of Action Under the Investment Company Act, Private Equity Law Report

Partners Charles Riely, Todd C. Toral, and Martin Glass authored a guest article for Private Equity Law Report examining the US Supreme Court's June 11, 2026, ruling on the scope of private rights of action under the Investment Company Act of 1940.

July 14, 2026

Publications

Emily Loeb Discusses Congressional Oversight Preparedness in Bloomberg Law

Partner Emily Loeb, co-chair of Jenner & Block's Congressional Investigations Practice, spoke with Bloomberg Law article about how companies can prepare for potential oversight exposure ahead of this fall's midterm elections.

July 7, 2026

Publications

In New York Law Journal, The True Lender Doctrine and the OppFi Decision

Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.

July 1, 2026

Event

Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference

On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.

July 1, 2026