On 29 Nov., the proposed U.K. Data Protection and Digital Information Bill moved a step closer to passage.

The U.K. House of Commons voted to avoid recommitting the bill following the recent introduction of U.K. government-backed amendments, instead moving the proposal to the report stage of consideration. If the recommittal vote succeeded, the bill and its proposed changes would've moved back to the committee debate.

The bill, originally published 8 March — the first day of IAPP's Data Protection Intensive in London — seeks to make various reforms to the U.K. General Data Protection Regulation and Data Protection Act 2018.

In his opening remarks in the House of Commons, Sir John Whittingdale, the Minister for Data and Digital Infrastructure, emphasized the "important and essential" role the bill plays.

"The current one-size fits all top-down approach to (data protection) that we inherited from EU has led to public confusion, has impeded the effective use of personal data to drive growth and competition and support key innovation … this bill seizes on post-Brexit opportunity," Whittingdale said.

Proposed amendments

On 24 Nov., the U.K. government and a number of other members of U.K. Parliament tabled over 120 pages of amendments to the bill. The government amendments are most relevant, given the majority the government commands in the House of Commons. Indeed, the government assesses the impact of the amendments taken together with the remainder of the bill to benefit the U.K. economy by up to GBP10.6 billion over the next 10 years, up from the GBP9.1 billion estimate of the impact of the bill as originally proposed.

The following were included in the "raft of common-sense" amendments, introduced via government amendments:

  • A new legal basis for U.K.-based telecommunications companies processing personal data, special category data and criminal record data for the purposes of complying with orders issued under the U.K.-U.S. Data Access Agreement.
  • Clarification that data controllers only need to conduct reasonable and proportionate searches in response to a data subject access request. In Parliament, the minister noted controllers should make the "best possible efforts" but said it is important to allow controllers to limit efforts in ways that reflect U.K. case law. He noted when the personal data requested is of low importance as an example of a time conducting a search might be unreasonable and disproportionate. This builds on the bill's original proposals to replace the "manifestly unfounded or excessive" threshold for refusing data subject rights requests with a "vexatious or excessive" threshold.
  • Removing the original proposal whereby the secretary of state could effectively veto codes of practice issued by the U.K. Information Commissioner's Office. Amended provisions permit the secretary of state to share nonbinding recommendations with the commissioner. This amendment comes after concerns from a number of stakeholders in both the U.K. and EU emphasized the risk of such a veto impacting the independence of the U.K. ICO and, by extension, threatening the durability of the EU's adequacy decision for the U.K..
  • Permitting the ICO to serve notices to organizations via email, without needing to obtain prior consent. This brings the investigative powers of the ICO in line with other existing U.K. regulators.
  • New powers to require personal data from third parties, including financial services providers, to support U.K. government efforts to reduce benefits fraud. Currently, the Department for Work and Pensions can only undertake fraud checks on an individual basis when there is already a suspicion of fraud. The new proposals would allow, under certain conditions, regular checks to be carried out on bank accounts held by benefit.
  • A proposed "data preservation process" would require social media companies to retain any relevant personal data related to a child that died through suicide. Current rules do not require social media companies to hold on to such data for longer than necessary, meaning personal data could be deleted as part of a platform's routine maintenance when a user is identified as deceased. Under the proposed amendment, the personal data could then be used in subsequent investigations or inquests by coroners.

There are many other amendments, of a technical and targeted nature, ranging from the use of biometric data for national security purposes to the use of personal data by elected representatives and other political campaigners to the sharing of personal data by private archivists with public archives, among other proposals.

The government's emphasis, commitment and reassurance that the proposed reforms should not imperil the EU adequacy decision for the U.K. remains unchanged, by dint of maintaining "the highest standards of data protection," and how adequacy and the track record of how past EU adequacy decisions does not require point-by-point replication of laws. Rowing back on the proposed secretary of state veto over ICO codes of practice will help smooth over concerns in Brussels relating to the independence of the ICO.

The bill, read alongside the proposed amendments, is now over 300 pages. It has become what's often termed a "Christmas tree" bill, whereby stakeholders including government departments, members of Parliament and industry stakeholders have sought inclusion of discrete legislative reforms. More often the reforms seek to address lived, real-world or perceived friction with the existing data protection regime, rather than anything wholesale or philosophical. Despite its volume and the variety of its proposals, passage of the bill is expected for Spring 2024.