The Data Protection and Digital Information (DPDI) Bill is the first major piece of data protection legislation since the UK left the European Union (EU) four years ago. Instead of completely replacing existing legislation, the DPDI bill revises the UK’s existing data protection regime.
For many years, the UK’s data protection regime was aligned with that of the European Union. In 2016, the General Data Protection Regulation (GDPR) was published, which was a major change in data protection policy for the European Union, which had not been updated for nearly two decades. GDPR was enacted into UK law as a raft of data protection policies, most notably the Data Protection Act 2018. The GDPR has gone on to become the de-facto standard for data protection around the world.
Leaving the EU meant that the UK was no longer part of the EU’s data protection regime. However, as the UK’s data protection legislation aligned with the EU’s, it was straightforward for the UK to gain a data adequacy agreement, which is essential for EU-based organisations to freely share data with those outside the EU.
It has been two years since the DPDI bill was first laid before Parliament in 2022, and it is currently at the committee stage in the House of Lords.
Any changes to the UK’s data protection policies will be scrutinised by the European Commission to confirm whether the data adequacy agreement remains valid. The EU has already questioned the UK regarding the intrusive nature of the Investigatory Powers Act 2016.
The DPDI bill introduces a regulatory framework for online identification, called digital verification services, but without any legal requirement for the enforcement of online IDs. While the UK’s core data protection policies remain roughly in line with the EU’s, the DPDI loosens some of the regulatory elements. However, this is only applicable to those organisations that are not operating within the EU.
“If you have a business that also has operations in the EU, then you’ve effectively got two regimes now, which were the same, but are now starting to start to diverge in certain areas,” says Daniel Tozer, a partner specialising in a technology and data law for Keystone Law.
One of the proposed changes is the removal of the requirement for data protection impact assessments. Instead, organisations will be expected to carry out assessments for high-risk processing.
“You will still need to do assessments, where there’s high-risk processing of data involved, but there will be more flexibility as to how to do them. You won’t need to follow specific templates or requirements,” says Anthony Lee, a partner specialising in information technology for Gunnercooke. “Many businesses are going to see that as a good thing as it will reduce the compliance burden.”
One of the core changes is that the DPDI bill removes the need for a data protection officer (DPO). Instead, the duties of the DPO can be assigned to that of a senior responsible individual, such as a chief information officer (CIO) or chief marketing officer (CMO).
The potential to remove the DPO has both positive and negative impacts. Currently, the DPO is an independent figure within the executive team who is responsible for ensuring the appropriate data protection policies are followed. However, in most cases, data protection authorities will want to speak to the people responsible for processing data, such as the aforementioned chief information officer, so combining the roles makes sense.
“The whole purpose of the senior responsible individual is that it should be somebody who’s making the decisions, for example, about how to use a marketing list or what datasets to use for analytics,” says Tozer. “These are the people who say yes or no to those things, so you can understand why, from that position, they are the person that the ICO wants to be able to talk to.”
However, there is also the argument that combining the roles of a DPO with that of a CIO or CMO could lead to conflicts of interest. Even if the duties of the senior responsible individual were delegated, there would be a conflict between wanting to maximise usability of data and ensuring full adherence to data protection policies.
The DPDI has loosened some of the data protection policies regarding automated data processing without the data subject’s consent, provided it has no meaningful impact upon the subject themselves.
The DPDI bill would also replace the Information Commissioner’s Office (ICO) with the Information Commission. While the public body would lose some of its independence and neutrality, due to the chief commissioner being assigned by the secretary of state, it would also have increased powers and be able to assign greater fines for data breaches and failures to follow data protection regulations.
In the current draft of the DPDI bill, much of the wording regarding the changes is not as clear as it could have been. The use of subjective terminology leaves some ambiguity in a number of areas around what would and would not be permissible regarding data processing within the UK.
“We can expect test cases to appear quickly in the UK courts. The ICO will likely be particularly hot on automated decision-making, because many businesses use some form of automated decision-making in their practices,” says Tozer.
Will the DPDI bill meet EU standards?
The changes that the DPDI bill will bring to the UK’s data protection regime would only affect those organisations operating within the country. If an organisation is operating in a European country, they will still be expected to adhere to the GDPR. Since many UK-based organisations operate in European countries, this legislation will have negligible impact on business.
“If a business has operations in the UK and Europe, it will probably make sense to continue to comply with GDPR across the board rather than having one set of procedures for the UK and a different set for Europe,” says Lee.
An additional risk is that if the UK’s data protection regime is deemed by the European Commission to have been noticeably weakened by the DPDI bill, then the UK could lose its data adequacy agreement. Should this happen, then any company operating within the EU that needs to share data with a company in the UK would need contractual data sharing agreements.
“If the bill, in its current form, is passed, you could see the UK potentially losing its adequacy status because the European Commission takes the view that the new law is not essentially equivalent to the GDPR or there could be Schrems-type challenge,” says Lee.
“If that happens, then data moving from the likes of France or Germany to the UK would need to be done through standard contractual clauses or other some other form of adequacy framework with all that entails. That will cause concern, and you may well find that businesses in European countries will be rather less inclined to allow their data to be moved to the UK for fear of being non-compliant.”
If the UK did lose its data adequacy agreement, this would lead to increased costs for those companies providing data and services to the UK and could even result in them refusing to operate within the country, due to increased legal and contractual obligations expected of them.
“The New Economics Foundation has estimated that losing the adequacy decision will cost between £1bn and £1.6bn in legal fees alone,” says Mariano delli Santi, legal and policy officer for the Open Rights Group. “This would be just for having the lawyer reviewing your contracts and changing the clauses.”
The DPDI bill is currently making its way through Parliament, but its enactment into UK law is not guaranteed. Claiming some benefits from Brexit – via the loosening of regulatory requirements – has been a recent focus for the current administration’s policies. However, with the impending summer recess in July and a general election expected before the end of the year, it is by no means guaranteed.
If the DPDI bill is not given royal assent by the time of the general election, it may not come into force. The Labour Party is currently leading in the UK opinion polls, and as its policies differ from those of the Conservative Party, the DPDI bill may not be pursued any further or may take a different form.
The DPDI bill offers some limited regulatory benefits for organisations, especially startups and small and medium-sized enterprises (SMEs), solely operating in the UK. However, any company expanding into the EU would still need to tighten their data protection policies to meet GDPR’s standards.
“There is a real risk that the bill won’t make it on to the statute books before the next general election. If we have a Labour administration on the other side of the election, which is looking increasingly likely, it may well abandon the bill,” says Lee.
“In the circumstances, it probably makes sense to continue to comply with the current regime, particularly if you’ve got an international flavour to your business, rather than investing time and resources in gearing up to a legislation which may never see the light of day.”