8 Min Read

Data Protection and Digital Information (No.2) Bill passes second reading stage but concerns remain

Read More

By Jade Kowalski & Stuart Hunt

|

Published 15 May 2023

Overview

Initial parliamentary discussions on the Data Protection and Digital Information (No 2) Bill (“the Bill”) have highlighted those issues likely to be the most contentious elements of the Bill during the legislative process.

The Bill passed the second reading stage in the House of Commons on 17 April 2023. The consideration of the Bill had proceeded to the committee stage for additional detailed scrutiny. The House of Commons Public Bill Committee called for written evidence from those with a special interest in the DPDI (No.2) Bill, with the first two sittings of the Public Bill Committee taking place on 10 and 11 May. Further sittings are scheduled for 16 and 18 May 2023, with the Committee expected to report by 13 June.

Within the second reading Parliamentary discussions about the Bill,  many of the interventions from across the political spectrum focused on the issue of preserving the European Commission’s adequacy finding in respect of the UK. The Minister for Data and Digital Infrastructure, Julia Lopez, was keen to emphasise that there is no intention to create regulatory disruption for businesses, particularly those that trade with the European Union, and that the Government has been in constant contact with the European Commission about the proposals.

Despite those reassurances, numerous contributors to the second reading highlighted their concerns and those of business. Lucy Powell, MP for Manchester Central argued that the Bill “weakens our existing data protection regime and could put our EU adequacy agreement at risk.

The Labour MP, Daniel Zeichner, also highlighted that for UK organisations operating globally “it is quite hard to see the point of this Bill… as the EU GDPR has extraterritorial effect, they are still going to need to meet those standards for much of what they do.”

Further concerns with the Bill were advanced:

  • The proposed significant expansion of ministerial powers to make regulations to amend the legislation (including the list of “recognised legitimate interests”) without the need for full parliamentary process. The expansion of powers was noted as a specific concern of the European Commission. It was highlighted during the second reading that further clarity on the scope of those powers will be discussed at committee stage.
  • The creation of the Information Commission to replace the Information Commissioner’s Office (ICO). This change will provide additional Ministerial influence over various issues, including the setting of strategic priorities, codes of practice and the need for consultation on impact assessment. The Minister highlighted that the Bill has the support of the current Information Commissioner.
  • The reduction of protection of individual rights, due to, as contended, the dilution of subject access requests, with greater power given to companies to refuse requests on the grounds that they are ‘excessive or vexatious’. The meaning of those words was identified as vague and open to interpretation.
  • The weakening of protection against automated decision-making. It was argued that the Bill relaxes existing protections prohibiting fully autonomous decision-making relating to a significant decision, and places the burden on a consumer to successfully bring a complaint against a company taking a decision about them in a wholly automated way.

Commenting on what is not contained within the Bill, it was submitted that the Bill does not adequately respond to the challenges of new technological advances and how it affects data protection. Instead the Bill per Lucy Powell MP, tweaks “around the edges of GDPR, making an already dense set of privacy rules even more complex.”  She argued that the Bill does not deal with the current uses of modern data processing, such as pooling information to analyse trends and predict behaviours across a population, nor does it deal with the algorithms analysing data which are said to replicate and entrench existing societal biases.

It is clear that the provisions of the Bill will not be granted a clear path through to Royal Assent,  and whilst the Government’s majority may reduce the prospect of significant changes being made to the existing draft, the outcome of the details discussions at committee stage will be awaited with interest. One of the committee members, Lucy Powell MP, stated that she would “look forward to addressing some of those serious shortcomings in committee.

Also of note, a “carry-over” motion was agreed which will enable consideration of the Bill to resume in the next parliamentary session if it not concluded during the current one; an important procedural action which would have otherwise meant that it would automatically fail. 

We will continue to provide updates on the Bill as it now moves through the committee stage. It should be noted that the Data Protection Act 2018 went through a significant number of amendments during the Parliamentary process and therefore, we expect that the DPDI (No.2) Bill will receive a similar level of scrutiny through it’s journey.

 

Authors