On 29 November 2023, the UK’s Data Protection and Digital Information Bill (DPDI) passed its final stages in the House of Commons with 267 votes to 30.
The Parliamentary session lasted over 4 hours and MPs on both sides of the House highlighted their concerns about the Bill’s lowering of data protection standards. In particular, the proposed permissions for the Department of Work and Pensions to view individuals’ financial information was cited as a serious problem.
Despite opposition and numerous warnings from privacy professionals, including The DPO Centre, the Bill will now move to the House of Lords, where it will undergo further examination. As the Lords is self-regulating, there is no limit to the debate time. Further amendments can be tabled, but these are usually addressed at the third reading.
Initial reactions from Data Protection Officers (DPOs) and privacy professionals include disappointment that their concerns were disregarded. In June 2023, The UK Data Protection Index results illuminated the extent of apprehension within the data protection industry. Responses revealed an overwhelmingly negative view towards the proposed benefits of the Bill, which will see the UK deviate from the EU Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR).
Ben Seretny, Head of DPOs at The DPO Centre said:
‘There has been limited success in addressing the concerns raised by both individuals and various industry leaders, even with the amendments made following the first consultation in 2022. The changes will loosen the current regulatory standards set by the GDPR, but without clear, actionable guidance, this will bring further uncertainty and confusion to many organisations.’
The proposed changes to the existing UK General Data Protection Regulation (The UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU.) include an alteration to the definition of Information which relates to an identified or identifiable natural person., subject access requests and the obligations of controllers and processors. The The United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (The United Kingdom’s independent supervisory authority for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc.) would also be abolished and replaced by an Information Commission, led by a chief executive who would be appointed by non-executive members.
The most significant proposed changes, and those that could have significant ramifications for organisations include:
The shift from Europe’s strict approach to data protection could have far reaching implications, especially for data processing across multiple jurisdictions.
Rob Masson, CEO of The DPO Centre said:
‘The government’s decision to press forward with implementing this legislation is incredibly disappointing. Whilst countries across the globe are implementing ever-more robust data protection legislation, the UK seems intent on going in the opposite direction and lowering standards. By creating a further compliance standard, the proposed The proposed Data Protection and Digital Information (DPDI) Bill aims to amend and supplement the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (2018) and the Privacy and Electronic Communications Regulation (PECR). is going to make it more difficult for all but the smallest of UK organisations, not easier, despite the Bill’s stated intentions.’
Whether the implementation of the Bill can achieve the government’s goal of saving businesses £4.7 billion over the next 10 years remains to be seen, but hope remains that the House of Lords will engage in a more measured debate.
We shall continue to monitor the Bill’s progress in these final stages, providing updates and comments as soon as we have details.
For more news and insights about data protection follow The DPO Centre on LinkedIn