Introducing the UK’s Data Protection and Digital Information Bill

“Through this Bill we will realise the opportunities of responsible data use whilst maintaining the UK’s high data protection standards.” This was how the new Minister for Media, Data and Digital Infrastructure, Matt Warman MP, framed the new Data Protection and Digital Information Bill (the DPDI Bill) as he announced its introduction to Parliament. The much anticipated new DPDI Bill received its first reading in the House of Commons on Monday (18 July), despite concerns that recent upheaval in Westminster may have delayed its progress.

The DPDI Bill follows the government’s response to the ‘Data: a new direction’ consultation (which we discussed in our previous blog here), and reflects many of the positions outlined by the government in that document, including:

• changes to the definition of personal data, to confirm a subjective test for whether information is personal data or anonymous;
• removing the requirements for consent for non-intrusive cookies, such as audience measurement ones and, in Matt Warman’s words, “pav[ing]the way for the removal of irritating banners for other types of cookies when browser-based or similar solutions are sufficiently developed”;
• amending and expanding the current Article 22 rules on automated decision-making (the proposals for which we discussed in our blog on the consultation’s new rules for AI last autumn); 
• changing the current accountability framework, with current UK GDPR requirements for mandatory DPOs making way for new requirements for a ‘senior responsible individual’ and existing ROPA requirements being replaced with requirements to ‘maintain an appropriate record of processing’ together with a refreshed small business exemption – however the DPDI Bill makes no specific reference to the ‘privacy management programme’ concept included the consultation. It remains to be seen whether this will be included in regulatory guidance or dropped completely;
• simplifying some of the legal requirements around the use of personal data in scientific research;
• raising the maximum penalties under the PECR regime to bring them in line with those under the UK GDPR;
• reforming the ICO, so the regulator becomes a body corporate with the new title of the ‘Information Commission’. It will also take on, a new hierarchy of statutory priorities (including the promotion of innovation and competition and consideration of strategic priorities set by DCMS) and new reporting requirements;
• introducing a limited ‘white list’ of legitimate interests for which no balancing exercise is required. As outlined in the government’s consultation response this list is narrow and relates to public interest processing purposes (e.g. prevention of crime, safeguarding children) rather than commercial ones, and does not extend to bias monitoring, detection and correction in AI systems (as was suggested in the original consultation); and
• changes to the UK rules on international transfers of personal data. Some of these are more minor (e.g. amalgamating the rules in one place where previously they were spread between the UK GDPR and DPA 2018) and some appear potentially more significant. Examples include the move to a new ‘data protection test’ requiring a ‘not materially lower’ standard of protection in the recipient country in place of the current GDPR requirement for protection to be ‘not undermined’ (interpreted as essential equivalence), and clarification on how organisations should approach this ‘data protection test’ for transfers using SCCs –  i.e. they must act reasonably and proportionately, taking into account all the circumstances of the transfer.

The DPDI Bill as a whole will take time to digest for both practitioners and those in Westminster - a number of its provisions have relatively complex drafting and/or were not fully unpacked in the consultation documents (e.g. the international transfer provisions, those relating to the new ‘vexatious or excessive’ standard for refusing or charging for DSARs, the new provisions on automated decision-making and those relating to the removal of the requirement for Article 27 representatives in the UK).

Alongside the data protection regime reforms, the DPDI Bill’s 192 pages include a number of other components relating to:

• the establishment of a framework to support digital identity verification to enable individuals to verify their identities in a digital context without reliance on paper documents;
• a number of separate initiatives to facilitate data sharing in specific scenarios across the public and private sectors, such as between health and social care services and in connection with Smart Data schemes (e.g. that facilitate customers comparing and switching between account providers); and
• the digitisation of the UK’s birth and death registers.

Organisations have also had the ICO’s new three year strategy, ICO25, and a new AI policy paper and action plan (discussed in our recent blog) to consider this week. ICO25 sets out the regulator’s purpose, objectives and values and a shift in approach they aim to achieve. The strategy is designed to anticipate and look beyond changes to the regulator set out in the government’s reform proposals, however, it is foreseeable that both the ICO’s strategy and the DPDI Bill may yet be subject to amendment. We will maintain a close watching brief over the coming months as we continue to consider their wider implications.