
UK: Data Protection and Digital Information Bill - have the 'commonsense' changes created an 'innovative' data protection regime for post-Brexit UK?

The Data Protection and Digital Information (No. 2) Bill was first introduced to Parliament by the UK Government on March 8, 2023. Following consultation and progress through Parliament, the UK Government unveiled a raft of changes to the proposal in November 2023, renaming the legislation the Data Protection and Digital Information Bill (the Bill), all of which it deemed 'commonsense.' In its 'Changes to data protection laws to unlock post-Brexit opportunity' press release of the same date, the UK Government indicated that the changes would 'safeguard the public, prevent fraud, and unlock Brexit opportunities' creating an 'innovative data protection regime' that will 'allow the country to realize new post-Brexit freedoms which are expected to deliver new economic opportunities…of at least £4 billion.' This is all part of the UK's ambition to be a business-friendly jurisdiction for technology innovation. 

The Bill is expected to become law this spring. In a prior piece, we scrutinized the impact of some of the Government's pro-business ambitions for the prior version of the Bill. Below, Natalie Farmer, Director and Foreign Legal Consultant at Fieldfisher (Silicon Valley) LLP, examines a number of the latest changes and whether they can deliver the innovation and opportunities promoted by the UK Government's press release. It is worth keeping in mind that changes to the UK data protection regime that result in a watering down of protections for the individual may cause the UK to lose its adequacy status, restricting the free flow of data between the EU and the UK. Such a result is unlikely to translate to 'economic opportunities' for UK businesses trading with the bloc. 


Scope of searches in response to data subject access requests 

In relation to data subject access requests, businesses often grapple with the question of whether they have done enough. Searches of internal databases and records are often time-consuming and may require material computing resources; even after significant energy has gone into these searches, there is always the possibility that responsive data may have been missed. The Bill tries to increase certainty around this obligation by clarifying that a data subject is only entitled to the personal data the controller is able to provide based on a 'reasonable and proportionate' search. 

Assessment

While there will likely be debate over what amounts to 'reasonable and proportionate' in this context, this clarification of data subjects' access right signals that falling short of perfect will not land data controllers in regulatory hot water. A good faith search of internal systems that are likely to be responsive should meet this standard. This lives up to the UK Government's 'business-friendly' pledge, although guidance around what is reasonable and proportionate will be essential. 

Processing in reliance on international law 

The UK General Data Protection Regulation (UK GDPR) recognizes 'substantial public interest' as a basis on which to process personal data. Such a public interest is required to be laid down by domestic law, and this is done in a schedule to the Data Protection Act 2018. The Bill proposes allowing a basis established in certain international laws (specifically, treaties entered into between the UK and another jurisdiction) to also qualify under the substantial public interest ground. The Secretary of State will have broad discretion to designate a treaty as falling within the relevant schedule of the Data Protection Act for this purpose.

Assessment

This change introduces a significant expansion of the public interest ground. Given the discretion handed to the Secretary of State, this offers unlimited opportunity to find processing activities as being necessary in the public interest. This may be valuable for businesses but, depending on the degree to which the Secretary of State exercises its discretion, could be considered a material departure from the existing regime (and, importantly, the EU GDPR). 

Secretary of State veto rights over ICO codes of practice removed 

Currently, under UK data protection law, the Information Commissioner's Office (ICO) must seek approval from Parliament prior to the publication of codes of practice. Under an earlier legislative proposal, all codes of practice produced by the ICO would first be submitted to the Secretary of State (who would have the power to reject the code and require the resubmission of drafts by the ICO, taking into account the Secretary of State's comments), before submission to Parliament for final approval.

Concerns were raised over the impact these changes could have on the independence of the ICO; in the latest proposal, the Secretary of State's effective veto right has been substituted for a more consultative approach in which the Secretary of State has the opportunity to publish comments and recommendations (with the ICO being under no obligation to implement the recommendations, only to take them into consideration). The ICO was notably vocal in its support for this amendment. 

Assessment 

ICO codes of practice offer essential guidance to businesses on how the ICO interprets the law and what practices it considers to be compliant or not. As such, any streamlining of the publication process for codes of practice is to be welcomed. Whether the consultative approach results in a faster publication process remains to be seen. Concerns have been expressed that requiring the ICO to justify why it has chosen not to comply with the Secretary of State's recommendation may still fetter the ICO's independence. Any judgement on the real value of this change must, accordingly, be deferred. 

Data breach reporting under the PECR 

Under the Privacy and Electronic Communications Regulations 2003 (PECR), service providers (i.e., organizations that provide a service that allows members of the public to send electronic messages, such as telecoms or internet service providers) are required to report personal data breaches to the ICO within 24 hours. The Bill proposed to align the PECR's personal data breach reporting obligations with the GDPR (i.e., reporting of a breach 'without undue delay, and, where feasible, not later than 72 hours after having become aware'). The UK Government has indicated that these changes will 'ease the burdens on industry by giving more time for data controllers to report data breaches.' 

Assessment 

The softening of the PECR requirements will be welcomed by businesses and the alignment of the reporting requirements with the GDPR does live up to the commonsense intentions of the UK Government. In practice, businesses that have discovered a breach are likely to spend the first 24 hours containing the incident and mitigating risks. Permitting additional time to report the incident to the regulator is likely to take the pressure off businesses whose resources would be better deployed elsewhere. Whether this is an 'innovative' step by the UK Government is, however, questionable; the ICO announced in early 2023 that it intended to cease the enforcement of breaches made under the PECR as part of its ICO25 strategic plan to reduce costs to business. It noted that service providers making reports under the PECR often cited human error, small numbers of affected data subjects, and proactive measures to address and prevent future breaches. Therefore, the UK Government has essentially consolidated the ICO's existing position. 

New powers to tackle social security benefits fraud 

The Bill introduces amendments to UK social security legislation to allow the UK Government to access individuals' bank accounts to identify whether claimants of social security benefits continue to meet the eligibility criteria (i.e., where savings may have increased above a certain level or where an individual spends more time abroad than is permissible). The UK Government asserts that the new measures could save UK taxpayers up to £600 million over the next five years. 

Conscious of the privacy implications regarding these new powers, the UK Government proposes that banks and financial institutions only share the data necessary for the Department of Work and Pensions to establish whether a claimant has exceeded the threshold for benefits eligibility and data could not be requested that was more than a year old. 

Assessment 

This may be a novel way to tackle social security fraud which, according to the UK Government, resulted in overpayments reaching £8.3 billion in 2022-2023. However, the proposals are highly intrusive and, as noted by the ICO, though the UK Government is clearly seeking to address a legitimate aim, it is questionable whether this is a proportionate way of achieving that aim. The change gives rise to various privacy issues as well as implications under Article 8 of the European Convention on Human Rights (the right to respect for private and family life, home, and correspondence) and seems susceptible to challenge. 

Data preservation for social media platforms 

The Bill introduces a new data preservation process to the Online Safety Act (OSA), which received Royal Assent in October 2023. The proposal would enable the Office of Communications (Ofcom), the regulator responsible for enforcing the OSA, to issue preservation notices to regulated services in circumstances where a coroner is investigating the suspected suicide of a child. Preservation notices would require regulated services (e.g., social media platforms, messaging services, video-sharing platforms, file-sharing services, and search engines) to retain relevant information for a year (extendable in six-month increments by Ofcom where required). Current rules do not require service providers to retain personal data for longer than necessary, resulting in data being deleted in the ordinary course. Consequently, coroners may not have access to the 'full picture' as part of their investigations and inquests.

Assessment 

During the passage of this legislation through Parliament, the UK Government indicated that this proposal would 'help families and law enforcement understand if online activity contributed in any way to a child's death.' Given the critical importance of preserving evidence related to online harms and the weighty obligations of storage limitation and data minimization under the UK GDPR, this is arguably more than a commonsense addition; this could have a tangible benefit to families who have lost children to suicide. 

Biometric data retention 

The Bill proposes to amend the Counter-Terrorism Act 2008 in relation to the use and retention of biometric data for national security purposes. The proposals would enable UK law enforcement to retain biometric information (including DNA profiles and fingerprints) relating to individuals who may pose a national security threat where such data is provided by the International Criminal Police Organisation (INTERPOL). Such biometric information could be retained for as long as an INTERPOL notice remains in force. 

Assessment 

While national security is another legitimate aim, the proposal does not require that there is an assessment of the necessity or proportionality of the data retention, nor does it impose a positive obligation to review the status of INTERPOL notices to ensure they remain live (and that, accordingly, the sensitive data is held for only as long as is necessary). This is therefore another example of core data protection principles being ignored. 

The ICO's approach to issuing notices 

Current UK data protection law allows the ICO to issue notices (e.g., information, enforcement, or penalty notices) by electronic means, only where consent has been obtained from the individual or entity. The Bill removes this consent requirement and allows a notice to be provided via an email address that is either published or where the ICO believes on reasonable grounds that the notice will come to the attention of the individual or an officer of the company. A new provision also includes a rebuttable presumption that email notices are issued 48 hours after sending. 

Assessment 

This qualifies as a commonsense change that is likely to reduce the red tape for the ICO and enable more effective enforcement of the UK data protection regime, including against non-UK businesses. 

Conclusion 

Changes introduced by the latest iteration of the Bill are wide-ranging. They include commonsense administrative changes to ICO processes, as well as serious and intrusive rights for the UK Government to access personal data. Taken as a whole, it is difficult to determine whether the proposed new regime is truly innovative or an overall watering down of data protection in pursuit of Government priorities. It remains to be seen whether this new framework can deliver economic opportunities to the tune of £4 billion, but jeopardizing UK adequacy (due to the reduction of data protection rights) cannot be ruled out. 

The Bill was examined line by line in the Committee stage of the House of Lords on March 27, 2024, and the Committee stage continues on April 15, 2024, when further amendments will be discussed. The Bill is expected to come into force during the spring of 2024. 

Natalie Farmer Director (Registered Foreign Legal Consultant with the State Bar of California) 
Fieldfisher (Silicon Valley) LLP, Palo Alto