UK privacy reform progresses - Data Protection and Digital Information Bill in Parliament (again)

The new draft of the Data Protection and Digital Information (No. 2) Bill, containing the Government’s data protection reform proposals, was introduced to Parliament on Wednesday 8 March. This ended months of uncertainty after the original proposals were paused in September last year (in the week Liz Truss became Prime Minister).

While the new proposals replace the previous version of the legislation (and restart the Parliamentary process at first reading stage again), the vast majority of the content remains the same as the original proposals. The Bill retains the same structure and covers the same components, both in respect of the data privacy regime and beyond (including frameworks for ‘Smart Data’ and digital identity verification schemes) (as outlined in my July 2022 blog). We understand that the Government expects the Bill to receive Royal Assent in no more than a year, and, they believe, with minimal amendment.

While the Secretary of State announced the replacement of the UK GDPR with a new “British data protection system” in her November conference speech, the Bill does not make any major structural changes to the current UK DP law and retains the same approach as its predecessor, to amend the current UK GDPR and Data Protection Act 2018. Many of the headline features of the previous Bill remain, including changes to the ICO and uplift of e-marketing penalties to align with those under the UK GDPR.

The new version of the Bill does contain some amendments that will be welcome to business, and appears to answer some areas of uncertainty that were raised by the previous iteration, including:

• organisations only need to maintain records of processing activities (ROPAs) where they are carrying out high risk processing activities, with no restriction tied to the organisation’s number of employees;
• the new regime will not require existing international transfers/ SCCs to be re-analysed or repapered (again) –  it confirms that appropriate safeguards (e.g. SCCs) that are put in place and lawful before the DPDI Bill takes effect, will remain so afterwards; and
• on the automated decision making rules (central to the use of many AI systems) with, for example, further guidance being provided on how to determine whether there has been ‘meaningful human involvement’ in a decision.

The Secretary of State has made clear that the Bill has been subject to a detailed co-design process with industry, business, privacy and consumer groups to determine how the original draft could be improved.  However, there are some areas where further change could have been helpful to business, such as around the use of Data Subject Access Requests in the context of litigation and it is disappointing that the opportunity was not taken to do so. That said, businesses will be heaving a sigh of relief that the Government has said that compliance with the current UK regime will be also be compliance with the new one. The question for companies to consider over the coming months is therefore if they want, and are able, to change any of their internal processes and governance to reflect any of the relaxations.

Status update: Since the time of writing, the Bill has now progressed through second reading (on 17 April) and the committee stage (during May) of its legislative journey. A version of the Bill, as amended by the Public Bill Committee has been published (here), but reflects mainly minor or technical Government amendments, as none of Labour’s proposed amendments were agreed. The Bill now progresses to the report stage, where further amendments are possible, followed by third reading. No dates for these stages have yet been announced but a ‘carry-over’ motion for the Bill has been approved, allowing the Bill to be carried over to the next parliamentary session and extending its potential timeline beyond this autumn (when the current session is due to end).