UK Data Protection: Exploring the most recent amendments

The Data Protection and Digital Information Bill (DPDIB) reforms the UK General Data Protection Regulation (GDPR) and other important EU-derived legislation.

In late November 2023, a 124-page amendment paper was approved by the House of Commons after a relatively short period of Parliamentary debate.

This article recaps the UK’s data protection reform process so far, explains the bill’s current status, and explores some of the most important recent amendments across areas such as data subject rights, regulation, and financial data.

A brief history of the DPDIB

After several years of ambiguous press releases envisioning a more innovative, less prescriptive data protection regime, the first meaningful details of the UK government’s reforms emerged in September 2021 with the “Data: A New Direction” consultation.

Some of the consultation’s proposals did not make it into the DPDIB, such as abolishing the UK GDPR’s automated decision-making rules and reintroducing a blanket fee for exercising data subject rights.

The first version of the DPDIB was laid before Parliament in July 2022. Owing to one of several recent changes in government, the original bill stalled at the “first reading” stage in the UK’s lower legislative chamber, the House of Commons.

A new version of the bill, the “DPDIB No. 2”, was introduced in March 2023 by the newly-created Department for Science, Innovation and Technology (DSIT).

Outline the DPDIB No. 2

The DPDIB No. 2 contains many proposed reforms to UK data protection, privacy, and information law, including:

• A new definition of “personal data” that includes a “reasonable means” test to ascertain whether information relates to an identifiable individual
• A new legal basis for processing: An exhaustive set of “recognized legitimate interests” which do not require the controller to conduct a “balancing test”
• The replacement of the Data Protection Officer (DPO) role with the new post of “Senior Responsible Individual” (SRI), who must be appointed from within an organization’s senior management
• Revised processes in areas such as Records of Processing Activities (RoPA), Data Protection Impact Assessments (DPIAs), and international data transfers
• The replacement of the Information Commissioner’s Office (ICO) with an Information Commission consisting of a Chief Executive Officer (CEO) and executive and non-executive board members
• Changes to the Privacy and Electronic Communications Regulations (PECR), including new exemptions from the “cookie consent” rules and a significant rise in the maximum fine.

The November 2023 DPDIB No. 2 amendments

On 29 November, 124 pages of amendments to the DPDIB No. 2 were laid before the House of Commons, giving Members of Parliament (MPs) just one week of debate.

Below is an exploration of some of the most important amendments.

Data Subject Rights

In responding to a data subject rights request, such as a person’s request to access, correct, or delete their personal data, the amendments state that a controller will only be required to conduct a “reasonable and proportionate” search to locate the relevant information.

Although this change would arguably narrow the scope of data subject rights, the concept of a “reasonable and proportionate” search is in line with established case law and guidance from the ICO.

UK-US Data Access Treaty

The bill establishes that controllers may disclose personal data pursuant to a 2019 treaty between the UK and the US known as the “Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime”.

ICO Codes of Practice

The DPDIB No. 2 provided a new process for the ICO when adopting Codes of Practice. The ICO has previously adopted Codes of Practice in areas such as children’s online services, data-sharing, and direct marketing.

Under the current Data Protection Act 2018 (DPA 2018), the ICO must seek approval for the final version of a Code of Practice from both Parliament and the Secretary of State (the government) simultaneously.

The original iteration of the DPDIB No. 2 provided that the ICO must obtain governmental approval for a Code of Practice before laying the code before Parliament. The Secretary of State could order the ICO to rewrite its code indefinitely before seeking Parliamentary approval.

Under the November amendments, the ICO will only need to consider government recommendations regarding its Codes of Practice rather than being required to obtain governmental approval before laying a code before Parliament.

Disclosures about recipients of welfare benefits

A controversial amendment would give the government new powers to require banks to disclose information about their customers, with an aim to tackle welfare fraud.

The amendment allows the government to serve an “account information notice” that requires a bank to disclose information about a customer’s banking history, provided that the person receives certain welfare benefits (including child benefits and state pensions).

When will the DPDIB No. 2 pass?

The 29 November DPDIB No. 2 amendments proceeded to the UK’s second legislative chamber, the House of Lords, within a week, without the need to withdraw the bill and submit a DPDIB No. 3.

The DPDIB No. 2 is now at “committee stage” at the House of Lords, one of the final phases in the lawmaking process.

The DBDIB No. 2 could become law by Spring 2024 at the earliest.