UK – Data Protection and Digital Information (No. 2) Bill
Update, October 2024: this bill was dropped following the 2024 election.
The Data Protection and Digital Information (No. 2) Bill is a UK Bill currently (July 2023) passing through the Committee stage of the Commons. It covers much of the same ground as the existing UK GDPR legislation, which at present is similar to the EU GDPR, having been carried across and re-packaged following Brexit. It will effect changes in UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations. The overarching aim is to take into account knowledge gained from running the existing GDPR and to make the legislation simpler and cheaper for businesses to implement.
It is unlikely that any major changes to the concept of GDPR will occur, as the UK government will wish to maintain ‘adequacy’ with the existing EU GDPR. The concept of ‘adequacy’ defines data protection legislation to be essentially equivalent across borders and permits the free flow of personal data between UK- and EU-based organisations.
Unravelling the impact of the law is complicated by the now defunct Data Protection and Digital Information Bill. This was withdrawn on 8th March 2023 after being introduced on 18th July 2022 and only reaching its 1st reading in the Commons. The snappily named ‘No 2’ Bill had its 1st reading on 8th March, when the original Bill was withdrawn, and in 2 months has made significantly more rapid progress, passing to the Committee stage on 10th May 2023. Putting the 144-word ‘long title’ of both Bills through a text comparison engine revealed that these are identical. A legal insight into the changes reveals that the Bills are substantially similar.
The contents of the Bill could yet change but in its present state it has been highlighted as a weakening of data protection law by the Open Rights Group. The ICO allege that:
- Data protection rights will be weakened with stricter barriers to the access of data from concerned individuals and longer wait times for access or processing of complaints.
- Accountability will be less strict with looser record keeping requirements.
- The Secretary of State will be able to interfere in the affairs of the regulatory body, the Information Commissioner’s Office (ICO).
- Protections will be lowered for personal information transferred abroad including countries with weaker data protection legislation.
If the issues raised prove to be well founded, it could result in a move of data harvesting operations to the UK from a stricter regime within the EU. This is unlikely to be the consequence that the government intended from reducing costs and paperwork.