The Data Protection and Digital Information (No. 2) Bill is the latest and most successful attempt to modify data protection law in the UK post-Brexit. The first draft was presented to Parliament in July 2022 and this second version was introduced in March this year.
This blog gives an overview of the main changes most likely to affect our customers if the Bill is passed. We explain how the legislative process works, then run through key changes and how it may affect UK organisations.
We will update this page as the Bill progresses, so keep checking back for updates.
Proposed legislation is referred to as a ‘bill’. It is presented to Parliament and needs to be approved by the House of Commons and the House of Lords to receive Royal Assent and become law. Thereafter, it is known as an ‘Act of Parliament’.
The journey of a bill
Whether a bill starts in the Commons or the Lords, the process is broadly the same.
First and second reading
The first reading is generally a formality, where the short title of the bill is read and there is no debate. It can take place at any time in a parliamentary session. The bill is then published for the first time.
The second reading usually takes place no sooner than two weekends after the first. The bill is debated; then, in the Commons, MPs vote on whether the bill should be given its second reading. If the vote is positive, the bill progresses to the next stage. If the bill started in the Lords, there is a debate but no vote.
Committee stage
This usually takes place within two weeks of the second reading. The bill is examined in detail at this stage. If the bill is a public bill, it will usually be formally timetabled after it has passed the second reading.
In the House of Commons, the Public Bill Committee considers most bills at committee stage. The committee may seek evidence from people or groups outside Parliament that have expertise in the subject area(s) covered by the bill.
Every clause of the bill is considered, and amendments may be proposed and discussed, although if a bill is being fast-tracked through the House of Commons, it will receive less consideration.
In the House of Lords, the process is broadly the same and the government cannot restrict the subjects discussed or impose a time limit on this stage.
Report stage
At this stage, the bill is returned to the House of Commons/House of Lords and any amendments are debated. Further amendments may also be proposed.
In the Commons, there is no set timescale for this stage, but in the Lords, it usually starts within 14 days of the end of the committee stage. How long this stage lasts depends on the length or complexity of the proposed legislation.
Third reading
The third reading generally follows immediately after the report stage and is the final opportunity for the bill to be debated (Commons) and checked for effectiveness and workability (Lords).
In the Lords, amendments can be made at this stage if the issue raised has not been fully considered and voted on during earlier stages, but this is not the case in the Commons.
The bill is then presented to the other House for its first reading. If the bill started in the Commons, it is either sent back by the Lords after its third reading if amendments have been proposed or it is sent to the monarch for Royal Assent if the Lords proposed no amendments.
If the bill started in the Lords, it returns to the Lords for consideration of any changes proposed by the Commons.
Royal Assent
After a bill has been through both Houses, Royal Assent is required before it can become law, though this is just a formality. The bill then becomes an Act of Parliament. There is no set timetable between the relevant stages in the Houses and Royal Assent.
After Royal Assent, announcements are made in the Houses. The legislation can take effect at once, after a set period or at a later date (by virtue of a commencement order issued by a government minister).
DPDI (No. 2) Bill: Where is it in the parliamentary process?
The Data Protection and Digital Information (No. 2) Bill (the DPDI Bill) is a public bill. It was introduced by Michelle Donelan, the Secretary of State for Science, Innovation and Technology, and it started its legislative journey in the House of Commons on 8 March 2023 (first reading).
The DPDI Bill received its second reading on 17 April and is now at committee stage, which means a line-by-line examination of the proposed legislation will take place and the views of experts and interest groups will be sought.
So, what does this mean? It means that we do not have a sense of whether the Bill will be amended. We will know that at the end of the committee stage, which is tabled to conclude by 13 June 2023.
DPDI (No. 2) Bill: What is it?
Michelle Donelan’s announcement publicising the introduction of the bill states that the Bill will replace a bulky, overly complex, one-size-fits-all European law with “an agile, British, bespoke, common-sense alternative that is tailored to the needs of [British] businesses and our culture”.
It is proposed legislation that seeks to amend (among other laws) the UK GDPR, the DPA 2018 and the PECR.
The key reforms are substantively the same as those in the first version of the Bill (issued under the Johnson government in 2022 but withdrawn for further consultation and then deprioritised by successive Conservative party leaders) save for amendments introduced following a public consultation process.
It is important to note that the Bill is amending legislation; it is not a wholesale replacement of the UK GDPR. This means most of the UK GDPR stays ‘as is’, with tweaks and adjustments.
The government published a Keeling Schedule (a ‘redline’ document showing how acts will change) for the UK GDPR, DPA 2018 and PECR on 10 May.
We have summarised the key changes below.
UK GDPR and the Data Protection Act 2018: key changes and what they mean
Article 4(1) (amended) and (1A) and (1B) (new)
The amendments look to clarify the definition of ‘personal data’.
On the face of it, the amendments appear to clarify the definition. It remains to be seen (probably through case law) how this new definition will be interpreted and the effects of those interpretations.
Article 4(3) and (4) (new)
The definition of ‘scientific research’ is expanded to include “any research that can reasonably be described as scientific, whether publicly or privately funded” for commercial or non-commercial activity, including statistical research.
The definition is quite broad, but this aligns with the existing UK GDPR recital in this area.
The change is likely to provide some clarification for researchers, but research is still a complicated legal area, so the addition of this definition is unlikely to substantively simplify research projects.
Article 6(1)(ea) (new)
A new lawful basis has been added to Article 6: “processing is necessary for the purposes of a recognised legitimate interest”.
Article 6 is further amended to add in a power for the Secretary of State to add to that list in the future.
This change will mean that, in some predetermined circumstances, organisations will not have to conduct a legitimate interests assessment before relying on Article 6(1)(ea) as a lawful basis.
There are six instances in which legitimate interests will be preapproved, and these include safeguarding vulnerable adults; detecting, investigating or preventing crime or apprehending or prosecuting offenders; and where the processing is necessary for the disclosure of personal data for the purposes of a task carried out in the public interest.
This change is likely to be most beneficial for third-sector/non-commercial organisations, particularly those that work with the public sector. It will provide clarity and remove a layer of administration.
However, organisations will still need to have processes and procedures in place to demonstrate their accountability regarding the new provision.
Note: Public authorities themselves will still be unable to rely on legitimate interests.
Article 6(9) (new)
This new provision lists three examples where legitimate interests may apply (other than those scenarios that will be recognised legitimate interests): direct marketing, intra-group transmission of personal data for internal administrative purposes, and security of network and information systems.
They reflect the position set out in recitals 47 to 49 of the UK GDPR. The list of examples is non-exhaustive.
While it might be useful to have these examples included in the legislation, they were already provided in recitals 47–49 (albeit the recitals are not legally binding) and organisations will still need to complete a legitimate interests assessment before carrying out the activity.
We suspect that, in practice, organisations might interpret these examples as being part of the recognised legitimate interests.
If this happens, the concern is organisations will not be considering how their processing will affect individuals and it may water down the rights the law grants to data subjects.
Article 8A (new)
This provision relates to the use of personal data for a new, compatible purpose.
It clarifies the requirements and supplies a list of circumstances where the compatibility test will be met.
These amendments replicate existing requirements in the recitals to the UK GDPR, so they are not contentious.
Purpose compatibility can be a difficult assessment for some organisations to undertake, so including the requirements in the substantive legal provisions is likely to be welcomed.
It will be interesting to see if the ICO updates its guidance in this area to supplement the legislative change and provide further clarifications.
Article 12A (new)
Introduction of a section to address “vexatious or excessive requests” (to replace “manifestly unfounded and excessive” requests) and inclusion of examples that may be considered “vexatious”.
The new law will include the circumstances that need to be considered before a request can be found to be “vexatious or excessive”.
This change is therefore likely to be welcomed, particularly by organisations that regularly receive DSARs (data subject access requests) that are aimed at pre-litigation disclosure or are made systematically with the apparent aim of causing administrative headaches.
Article 22 (removed and replaced with Articles 22A to 22C)
Currently, there is a general prohibition (subject to exceptions) against decisions based solely on automated processing that have legal effects on individuals.
The new provisions are not generally prohibitive, and the exceptions are replaced with restrictions and safeguards.
The Bill also includes a provision for the Secretary of State to make regulations.
The restrictions are largely the same as the existing exceptions, save that the Article 9 condition (processing is necessary based on a substantial public interest) is added and will be applicable where the automated processing involves special category data.
The safeguards include measures such as enabling data subjects to make representations and providing them with information about the decisions made.
Whether the safeguards are sufficient to protect the rights and freedoms of individuals remains to be seen; it is likely the effects of these provisions will be played out in case law.
It will be interesting to see how the ICO translates the safeguards into practical guidance.
Article 27 (removed), together with ancillary changes
Removal of requirement for organisations based outside the UK but caught by the UK GDPR to appoint a UK representative.
On the face of it, this will probably be seen as a very positive change by global organisations. It speaks to the government’s rhetoric on the removal of administrative ‘red tape’ and cost saving.
However, organisations based outside the UK will still need to respond to UK data subject rights requests; if they do not have English-speaking employees, there will still be a cost to translate communications, albeit that cost is likely to be lower than the cost of appointing a UK representative.
Article 30 (removed and replaced with Article 30A)
The requirement to maintain an Article 30 report will apply only to organisations processing data that is likely to result in a high risk to the rights and freedoms of individuals.
Article 30 reports can be time-consuming for clients to complete and keeping them up to date can be challenging when organisations have competing interests and strains on their resources.
However, in the worst cases, when an organisation is under scrutiny by the ICO or is in receipt of a data subject rights request, it must be able to explain what data it holds, where it is stored, what it is used for and who it is shared with.
That context is crucial to understand how an organisation handles personal data and if done properly, this information can be found in an Article 30 report. So even if organisations are not processing high-risk personal data, best-practice advice is likely to be to continue to maintain one.
It is also worth remembering that an Article 30 report can add immense value to the operations of an organisation.
Articles 35 and 36 (amended)
Data protection impact assessments (DPIAs) are removed and replaced with an assessment of high-risk processing.
The law will no longer list the circumstances that require a risk assessment or set out everything a risk assessment should address.
The requirements for an assessment have also been narrowed in scope to cover only high-risk processing.
The requirement to consult the ICO before undertaking high-risk processing has also been removed.
For those organisations with existing, well-established risk assessments, this can only be a positive change. Being able to align data protection risk assessments with existing risk processes will make risk administration slicker.
But it could be argued that this could be done with the existing DPIA requirements as the current law does not mandate a specific mechanism (e.g., the ICO’s template) to be used to conduct DPIAs.
Whether the requirement is a DPIA or an assessment of high-risk processing, the danger that these documents remain a ‘tick-box exercise’ only is still there.
Privacy activists are also likely to view these changes as watering down the protections for individuals.
However, there is nothing to stop those organisations that genuinely want to embed data protection in their activities, regardless of whether the personal data involved is high-risk, from requiring colleagues to complete a risk assessment, however that risk assessment is labelled.
Article 36 (amended)
Removal of statutory requirement to consult with the ICO before undertaking high-risk activities involving personal data.
Prior consultation would be optional under the new law.
For organisations that are not well versed in perceiving, articulating and investigating the risks that processing personal data poses to data subjects, the loss of mandatory prior consultation, coupled with the watering down of the DPIA provisions, could have serious implications for data subjects.
Articles 37 to 39 (removed and replaced with Articles 27A to 27C)
The statutory requirement to appoint a data protection officer (DPO) is removed and replaced with a requirement to designate a senior responsible individual (SRI).
The tasks of an SRI are similar to those of a DPO but could now be delegated. This is already done in practice, particularly by smaller organisations that cannot justify retaining a permanent member of staff for this role or might struggle to fill it, so statutory provisions on delegation are not a ground-breaking change.
This amendment is not likely to make much difference for larger organisations with more resources; if they currently have a DPO or otherwise assign responsibility for data protection compliance, those existing arrangements are likely to continue ‘as is’.
This is because those employees will already be reporting to the organisation’s board/senior management team and will likely already be line managed by a director or other senior employee.
The threshold for appointing an SRI is lower than the current threshold to appoint a DPO.
Aimed at encouraging data subjects to resolve complaints directly with data controllers, before involving the ICO, this change introduces circumstances under which the ICO can refuse to act on a complaint it receives.
This change will prevent data subjects from going straight to the ICO with any grievances before they have engaged with the data controller.
By giving data controllers time (45 days) to handle complaints, this will hopefully reduce escalation to the ICO. This strikes us as a very sensible addition.
Part 5 (amendments) and Schedule 12A (new)
The amendments here relate to the ICO. The Information Commissioner is currently a corporation sole.
The Information Commissioner delegates their roles and responsibilities, and is supported by the ICO.
The proposed changes will replace the corporation sole with a statutory board, headed up by a chair and chief executive.
The Secretary of State can appoint members to the statutory board and determine the number of members the board may have.
Of all the proposed changes in the Bill, this is perhaps the most contentious area from the perspective of the EU/UK adequacy decision.
Many privacy campaigners and organisations have highlighted that these changes will risk the ICO’s independence.
If the ICO cannot be seen to be objectively and appropriately championing and upholding the rights of data subjects, other supervisory authorities in Europe and the European Commission itself are likely to view this as undermining the aim of the GDPR – to protect the rights and freedoms of individuals.
Privacy and Electronic Communications (EC Directive) Regulations 2003: key changes and what they mean
Section 2(1) (new)
Adds a definition of “direct marketing”.
It will be defined as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.
Although this definition is new in the PECR, it replicates the existing definition in the DPA 2018.
Regulation 6 (amended)
Currently, all cookies that are not strictly necessary for a website to function require consent.
The proposed changes will see the introduction of further circumstances where cookies can be deployed without consent (“exceptions”) and the category of “strictly necessary” cookies will be expanded.
Note: Consent for marketing cookies will still be needed.
Users must still be provided with clear and comprehensive information about what the cookies are there to do, and they should also be provided with a means to object or opt out, so in practice, little will change with respect to cookie banners.
The cookies that will not require consent include those used for statistical purposes to determine how a service or website is used so that improvements can be made, those used to adapt how the service or website is displayed in line with the user’s preferences, and those that enable software to be updated where it is necessary to ensure the security of the device.
The cookies added to the category of ‘strictly necessary’ cookies include those used to protect the information provided while accessing a service, to prevent or detect fraud, and to prevent or detect technical faults with the service.
This change is likely to be welcomed by organisations as it will provide more flexibility, support them in evaluating their offerings and potentially enable diversification as needed to suit how those offerings are accessed in practice.
Regulation 6A (new)
Introduces a power for the Secretary of State to make statutory instruments to amend the exceptions.
Statutory instruments are secondary legislation, which, as the UK Parliament website acknowledges, can be complex.
It is understood that most statutory instruments must be considered by both Houses of Parliament, but the legislative process is shortened, which by implication suggests the same level of scrutiny applied to primary legislation will not apply to any secondary legislation that flows from the Bill once it becomes law.
While it is not unusual for such a power to be included in primary legislation, it has the potential to fast-track further changes to the circumstances in which consent is needed for cookies, and with them reduce the control data subjects have over the personal data collected via cookies.
Regulation 6B (new)
Introduces a power for the Secretary of State to make statutory instruments to approve technical solutions that enable users to manage their preferences automatically when browsing the Internet.
This power will enable the government’s longer-term plan for the UK to legislate against the use of cookie banners altogether (hinted at in the government’s response to the first bill’s consultation).
However, the technology needed is not currently available, therefore the abolition of cookie banners is not currently a position that will be legislated for.
Regulation 22(3A) (new)
Extension of the soft opt-in to charities, political organisations and other non-commercial entities.
If this new provision proceeds, these organisations will not have to obtain consent from data subjects to send them direct marketing by email if they have expressed an interest in or been offered or provided with support, as long as they have been given the opportunity to refuse their information being used in this way.
There is no doubt this will be a welcome change, particularly by the third sector.
Schedule 1 (new)
Monetary penalties for breach of provisions relating to cookies and electronic marketing to be brought in line with GDPR penalties.
This will increase the maximum fine from £500,000 to £17.5 million/4% of total worldwide annual turnover.
This is arguably the main area in which ICO regulation currently takes place, so in practice we may see an increase in media coverage for cases where fines are imposed, as hard-hitting fines make for good headlines.
However, in practice, organisations should challenge any fine they receive and provide evidence in mitigation, and this should encourage a dialogue with the ICO that might lead to a reduction in the monetary penalty notice issued. This occurs currently in respect of GDPR penalties.
What do we think about it?
It is not expected that the Bill will become law within the current parliamentary session (Parliament rises for the summer recess on 20 July), although the Conservatives will be keen to ensure it is passed before the general election expected in late 2024, as it will likely be something they can point to as a post-Brexit victory on the campaign trail.
Organisations were allowed a two-year implementation before the EU GDPR came into effect, but it is expected that most of the new provisions will come into effect straight away.
For those organisations that already comply with the EU/existing UK GDPR, this is unlikely to be concerning as they will be compliant with the new UK law, but for those organisations still going through an implementation programme, it could be disruptive both in terms of time and cost.
In practice, the changes proposed are not as ground-breaking as some reports might have organisations believe.
There are tweaks and adjustments but nothing substantive for most organisations. Global organisations will be the most affected as the changes may introduce dual regulatory regimes. For example, if your business offers goods or services to or monitors the behaviour of individuals in the EU, as well as the UK, it will be caught by both the EU GDPR and the UK GDPR.
To date, the differences between the two pieces of legislation have been minimal, particularly given the EU/UK adequacy decisions.
The Bill, if passed, will result in the UK diverging from the EU GDPR for the first time, which could add a layer of compliance to those businesses operating across borders if they choose to adjust their UK compliance to take advantage of some of the flexibility the new law will offer.
However, those organisations could continue to follow the EU GDPR if the flexibilities add little to no value to their operational processes and there is no material benefit to making changes.