The UK Data Protection and Digital Information (No 2) Bill (DPDIB) is moving swiftly through Parliament. It proposes to amend various aspects of the UK General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2018.
Speaking in the House of Commons, Sir John Whittingdale, the Minister for Data and Digital Infrastructure, stated:
What is the background to the Data Protection and Digital Information Bill?
The European Union GDPR made sweeping changes to data protection across the EU. Due to the adoption of the GDPR in 2018, many businesses and organisations made considerable changes to their data protection and privacy procedures, for example, ensuring website visitors could ‘opt-in’ to marketing materials and newsletters and updating their privacy policies.
In January 2020, the UK left the EU. It enacted the UK GDPR, which is virtually identical to its EU counterpart. Britain was also granted ‘adequacy’ by the EU, meaning the EU Commission concluded that the UK’s data protection laws are ‘adequate’; therefore, additional safeguards are not required when sending personal data to and from an EU State.
As the UK is no longer part of the EU, it can create its own data protection and privacy laws. However, to protect the economy, it must ensure that any changes do not risk Britain’s adequacy status and continue to provide confidence to all its other trading partners (i.e. most of the globe) that people’s personal data is safeguarded in the UK.
What changes to data protection law does the DPDIB propose?
When introducing the revised DPDIB in the House of Commons in March 2023, the Rt Hon. Michelle Donelan MP stated that the new data protection regime proposed by the Bill would save the UK economy £4 billion over the next ten years.
The main changes are:
- Data controllers will only have to conduct reasonable and proportionate searches when responding to data subject access requests. Organisations will greatly appreciate this because, under the current UK GDPR, a data subject access request must be actioned unless it is ‘manifestly unfounded or excessive’. The DPDIB lowers the threshold for refusal to ‘vexatious or excessive’.
- The ICO will have permission to serve notices by email without obtaining prior consent.
- Social media companies will need to retain personal data relating to a child who dies by suicide for the purposes of investigations and inquests.
- The efficiency of data protection for law enforcement and national security partners is improved – encouraging better use of personal data where appropriate to help protect the public.
How will the DPDIB help businesses?
Aside from the changes to the ability to refuse to action a data subject access request, Michelle Donelan stated when introducing the Bill that she and other Ministers had consulted with many stakeholders to ensure it worked for “as many people and businesses as possible”. These consultations resulted in the following overall objectives for UK data protection laws in the future:
- Reduce compliance costs and reduce the amount of paperwork that organisations need to complete to demonstrate data protection compliance.
- Reduce burdens by enabling businesses to continue to use their existing cross-border transfer mechanisms if they are already compliant.
- Give organisations greater confidence about the circumstances in which they can use personal data without consent.
- Increase public and business confidence in AI technologies.
One change made to the version of the DPDIB tabled in November 2022 was the removal of provisions which would have permitted the Secretary of State to veto codes of practice issued by the UK Information Commissioner’s Office (ICO). Under version two of the Bill, the Secretary of State will be limited to sharing non-binding recommendations with the ICO. The reason for this change is that both UK and EU stakeholders expressed concern that giving the Secretary of State a veto power would compromise the ICO’s independence and thus threaten Britain’s adequacy status.
When is the UK Data Protection and Digital Information (No 2) Bill expected to become law?
The Bill is over 300 pages long and includes input from numerous stakeholders. Despite its comprehensiveness, the Bill is expected to receive Royal Assent this spring.
What should data controllers and data processors do now?
Until the Bill becomes law, it is business as usual. Much of the Bill concerns itself with technical aspects of data protection and specific areas, such as the use of personal data by politicians and election campaigners.
I will update this article once the Bill receives Royal Assent in order to explain the definitive changes to data protection and privacy laws that will affect businesses and charities.
To discuss any of the points raised in this article, please contact Ann-Maree Blake.