The UK Government has relaunched its efforts to reform the UK’s data protection regime, with the Data Protection and Digital Information Bill (No. 2) (the “Bill“) being introduced to Parliament on Wednesday 8 March. The Bill supersedes a previous version that was originally published in July 2022 (see our previous legal update).

Mark A. Prinsley
Mark Prinsley is a partner and heads the technology practice in the London office, and is a member of the firm’s Cybersecurity & Data Privacy practice. He concentrates on technology transactions, in particular IT projects and outsourcing.
A substantial element of Mark’s practice involves data protection issues and he has worked extensively for clients in the pensions and financial services sector designing and implementing GDPR compliant systems for the collection and processing of personal data by businesses and related sub-contractors, commercial transactions involving data sharing and reaction to data breach scenarios including managing data breach notifications. Recent projects Mark has worked on involving personal data include working for an automobile manufacturer implementing a connected vehicle programme globally, a supplier of facial recognition technology on methods of marketing that technology in Europe in compliance with data protection laws and for an insurtech business licensing technology and services to enable life insurers to underwrite life cover for diabetics using AI.
European Commission Publishes U.S. Draft Adequacy Decision
On 13 December 2022, the European Commission published its draft adequacy decision for EU-U.S. data transfers. The draft decision follows the EU-U.S. announcement of an agreement on a new EU-U.S. Data Privacy Framework (“DPF”) in March 2022 as well as the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (“Executive Order”) signed…
EU SCC Looming Deadline
Companies that rely on standard contractual clauses (“SCCs”) for transferring personal data from the European Economic Area (“EEA”) to jurisdictions not considered to offer an adequate level of data protection under the EU General Data Protection Regulation must ensure that none of their existing contracts use the old SCCs after 27 December 2022.
Businesses are…
ICO’s Updated Guidance on International Personal Data Transfers Offers an Alternative Approach to Carrying Out Transfer Risk Assessments
The UK Information Commissioner’s Office (the “ICO”) published new guidance on transfer risk assessments (“TRAs”) and a template for carrying out a TRA.
All businesses are required to carry out TRAs, also known as local law assessments or transfer impact assessments, when transferring personal data subject to the UK GDPR outside the United Kingdom using…
Deadline to Update Template Contracts to Address International Personal Data Transfers Outside the UK
Companies that rely on standard contractual clauses for transferring personal data from the United Kingdom to jurisdictions not considered to offer an adequate level of data protection under the UK General Data Protection Regulation can no longer use the old EU standard contractual clauses in new contracts as of today, Wednesday 21 September 2022.…
UK Government Sets Out its Plans for UK Data Protection Reform
The UK Government has published its response to the consultation on its proposed reform of the UK’s data protection regime (which we have provided further information on in our previous legal update available here.) Whilst the UK Government has proposed several incremental reforms to the UK’s data protection laws that will diverge from the…
European Commission’s Q&A on the New Standard Contractual Clauses
On 25 May 2022, the European Commission published Questions and Answers for the New Standard Contractual Clauses to provide practical guidance on the use of standard contractual clauses (SCCs) and help organisations with their General Data Protection Regulation (GDPR) compliance efforts. The Commission confirmed that the Q&A document will be regularly updated.
Queen’s Speech Confirms UK Data Protection Reform
The Queen’s Speech 2022 (the “Speech”), given on 10 May 2022 (available here), details the UK Government’s priorities for the year. Although its focus was primarily on the cost of living crisis and proposed economic measures, the Speech confirmed that the UK’s data protection regime will be reformed by way of the ‘Data…
US and EU Announce New Trans-Atlantic Data Privacy Framework
On March 25, 2022, the United States and the European Union jointly announced an “agreement in principle” to a new trans-Atlantic data privacy framework to facilitate the cross-border transfer of personal data (the “Framework”).1 As part of the Framework, the US has made “unprecedented commitments” related to intelligence collection and surveillance practices.2 The…
Standard contracts for transfers of personal data outside the UK enter into force
Today, 21 March 2022, the International Data Transfer Agreement (IDTA) and the UK Addendum to the EU standard contractual clauses have entered into force.
The IDTA and the UK Addendum can be used for transfers of personal data outside the UK to countries that are not considered “adequate” by the UK Government. You can read…