Posted: 04/07/2024
Following the announcement of the general election, the Data Protection and Digital Information (DPDI) Bill has been one of the legislative casualties that was unable to be passed during the ‘wash-up period’. However, given that it enjoyed broad parliamentary support and was nearing the end of the legislative process, it may be reintroduced now that the Labour Party has formed a new government.
The DPDI Bill has had a protracted legislative journey, having been introduced into Parliament on 18 July 2022, reintroduced as a new bill on 8 March 2023, then carried over into the 2023/2024 parliamentary year. While appearing to be nearing a conclusion, it is rumoured that it was not possible to finalise in time due to controversial late-stage amendments added by the Department of Work and Pensions, requiring banks to share their customers’ data with the department to help it tackle benefit fraud. It is understood that Labour opposed these late-stage amendments.
The DPDI Bill had been heralded by the Information Commissioner as ‘an important milestone in the evolution of the UK’s data protection regime’, intended to simplify and update the UK’s data protection framework (including the UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations).
Aimed at reducing the compliance burden on private organisations, it would relieve them of some record-keeping and risk assessment requirements for lower risk data processing. It also aimed to make the rules clearer and easier to comply with, by creating a ‘white list’ of ‘recognised legitimate interests’ (such as public safety, crime prevention, safeguarding and responding to emergencies). In these circumstances, data processing would be allowed without the need to conduct a detailed balancing exercise.
Another key proposal was the change of the current role of data protection officer (who must act independently and report to an entity’s senior management), to a ‘Senior Responsible Individual’ (who must be part of senior management).
However, in reality, the DPDI Bill represented a fine tuning of data protection law, not a radical shift. The UK government cannot diverge too far from the EU GDPR without risk of the UK losing its EU ‘adequacy’ status (which enables the continued free flow of personal data from the EU). It would have been helpful for small organisations, but not so much for international ones, which would still be subject to the EU GDPR if they process the personal data of EU residents. As a result, they would probably decide to continue complying with that, and not take advantage of the ‘lighter touch’ UK regime in respect of UK residents.
There were also some more controversial aspects, such as consent for research (the new provisions would have been more favourable for public bodies than private companies), as well as removing safeguards on automated decision making.
The news of the DPDI Bill being shelved will be disappointing for clients engaging in low-risk data processing, with 66% of small and medium businesses supporting reforms to data protection laws. However, it is likely that, with a new Labour government now in power, there will be similar reform on the way.
This article was co-authored by Emily Philpott, trainee solicitor in the commercial, IP, and IT team.
This article has been updated since its original publishing date, to reflect the outcome of the general election.