Data Protection and Digital Information Bill: What is it?
Last month, the UK Government announced a new, ambitious Bill to tackle data protection. Entitled ‘The Data Protection and Digital Information Bill’, it has been produced largely in response to the ‘Data: A New Direction’ consultation. The new Bill also seeks to tackle the key issues of digital identity and Smart Data schemes.
This Bill aims to reform UK data protection laws, in what some are calling a ‘Brexit dividend’.
Some commentators have found the new Bill underwhelming. Critics of GDPR had hoped for sweeping reforms to UK data laws. Considering the desire for frictionless trade with the EU, this was always unlikely.
Below we outline some of the biggest changes the Bill proposes.
The Information Commissioner’s Office (ICO)
The ICO would be reformed and renamed under this Bill. Under UK GDPR, the ICO has many responsibilities but no framework for guiding how it can meet them.
The new ‘Information Commission’ will inherit all the functions of the ICO but with comprehensive objectives and new responsibilities. The governance structure would also change to have a statutory board like other departments, such as the DBS.
Cookies and tracking
Current laws mean it is illegal for businesses to store or access user information unless the user has provided explicit, informed consent. The exception to this is the ‘strictly necessary’ cookies which are required for users to access a service.
The Bill seeks to allow tracking technologies to be used in a wider range of situations without the need to acquire user consent first. In general, this appears to be for enabling improvements to services rather than acquiring user information.
This includes things like:
Collecting statistical data to help businesses improve their service
Collecting data that allows services to adjust to users' devices
Enabling software updates
The Bill also provides a whole host of further clarifications over cookies and trackers.
Subject Access Requests
Under GDPR, every individual has the legal right to request a copy of all the data that an organisation holds about them. These data subject access requests (DSARs) sound simple but can actually be a huge burden for businesses, sometimes becoming extremely costly.
The Bill still allows DSARs but outlines situations where organisations can either refuse to comply with a request or charge a fee. This is where requests are deemed to be ‘vexatious or excessive’. This would be up to the organisation to decide.
Will it cause problems with the EU?
Now that the UK has left the EU, the government is able to amend UK data protection laws as freely as they like. In theory. In practice, it's still important to take EU GDPR into account to ensure frictionless trading with our neighbours.
UK GDPR is formally recognised by the EU as providing adequate protections for personal data. This means they deem it essentially equivalent to their own standards. This recognition allows UK businesses to continue to exchange data with the EU.
There is concern that the new bill could threaten the frictionless transfer of data between the UK and EU. If the Data Protection and Digital Information Bill causes UK standards to deviate too far from the EU’s, it could pose a serious issue to ongoing trade between the two.
However, the development of the bill has been done in consultation with the European Commission to try to prevent this. Although unlikely to be a problem, backbench amendments could force the government to alter the bill to the point that the EU changes its decision.
What next?
The Bill is due to go for its second reading in Parliament on September 5th. This will be MPs’ first opportunity to debate the proposed changes and suggest amendments.