Data Protection and Digital Information Bill: briefing note

Update

Following Prime Minister Rishi Sunak’s announcement that a General Election is to be held on 4 July, UK Parliament was dissolved on 30 May and all Parliamentary activity was subsequently suspended. Whilst this Bill did not receive Royal Assent and become an Act, it did receive a carry-over motion (a motion which allows a Bill to continue its progress from one parliamentary session into next). We can expect to see further details once Parliament resumes on or after 9 July 2024.

Update - 28 May 2024

The Data Protection and Digital Information Bill has been dropped in anticipation of the impending dissolution of Parliament on 30 May 2024. The Bill was scheduled to be considered at the report stage in the House of Lords on 10 June.

Data Protection and Digital Information Bill

16 March 2023

The Data Protection and Digital Information (No.2) Bill aims to reform the existing UK data protection regime following Brexit, namely the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.  

Who’s affected 

The Bill will impact individuals in addition to private and public sector organisations.  

A more flexible and less burdensome regime will be welcomed by businesses operating in the UK, especially SMEs and those operating in the public sector. It may also entice organisations to bring more business to the UK and encourage innovation. On the other hand, if the proposals are considered to diverge too far from the EU’s data protection regime, the UK’s adequacy status could be at risk. 

Purpose of the Bill 

The main purpose of the Bill is to create a new pro-growth and pro-innovation data protection framework that reduces burdens on organisations and boosts the economy. The proposed regime also aims to ensure that data can be used to empower citizens and improve their lives via more effective delivery of public healthcare, security, and government services. 

Key measures of the Bill 

These aim to: 

  • Give organisations greater confidence about the circumstances in which they can progress personal data without consent. 
  • Simplify the rules around the use of personal data for scientific research and technological development. The Bill will help cement the UK’s position as a science and technology superpower, as well as increase public and business confidence in AI.  
  • Create a clear and more stable regime for international data transfers, with the aim to facilitate trade, enhance the work of law enforcement and national security agencies, support innovation and help people stay connected across borders.  
  • Increase industry participation in Smart Data Schemes, which will give citizens and small businesses more control of their data. The Bill will also help those who need health-related treatments by helping improve appropriate access to data in health and social care contexts. 
  • Amend the requirement for controllers to keep data processing logs, unless there is a high risk to individuals. This applies to, for instance, medical records.  
  • Create grounds for organisations to reject ‘vexatious or excessive’ requests or charge a reasonable fee for such requests.  
  • Require public electronic communication service and network providers to report unlawful direct marketing activity and establish a monetary penalty for non-compliance.  
  • Replace the Information Commissioner’s Office (ICO) with the Information Commission and enable the regulator to take stronger action against organisations who breach data rules. 
  • Reduce the amount of paperwork that organisations need to complete to demonstrate compliance and lower compliance costs.  

Timeline 

The Data Protection and Digital Information Bill was announced in the Queen’s Speech 2022 and first introduced to the House of Commons on 18 July 2022. However, it was subsequently shelved due to the change of leadership in the Conservative Party that occurred on 5 September 2022.  

A revised draft (Data Protection and Digital Information (No.2) Bill) was introduced to parliament on 8 March 2023.  

Update - 20 April 2023 - Second Reading of the Bill at the House of Commons

The Bill returned to Parliament for its Second Reading at the House of Commons on 17 April 2023.

During the debate, MPs expressed concerns about the complexity of the Bill and implications for businesses, the impact that it might have on the UK’s data adequacy status with the EU, as well as the independence of the ICO. The Opposition also commented that the Bill does not go far enough in terms of ‘fostering a climate of open data’, but welcomed its overarching principles.

The Bill will now enter House of Commons Committee Stage. It will be scrutinised by Public Bill Committee, which is scheduled to be concluded by Tuesday 13 June 2023.

Update – 8 March 2023 – Publication of the Data Protection and Digital Information (No.2) Bill

The No.2 Bill follows on and supersedes the original Data Protection and Digital Information Bill that was introduced by UK Government in July 2022. The original Bill was withdrawn on 8 March 2023 and the No.2 Bill was presented on the same day.

Update - 3 March 2023 – Data Protection and Digital Information Bill to return to Parliament next week

It has been reported this week that the Data Protection and Digital Information Bill will not return in this Parliamentary session. Michelle Donelan, Secretary of State for Science, Innovation and Technology, later announced that the Bill would be returning to Parliament next week.

Update - 16 February 2023 – New department to lead on the Data Protection and Digital Information Bill

Last week, Prime Minister Rishi Sunak unveiled a new Department for Science, Innovation and Technology and appointed Michelle Donelan as science secretary. It has now been confirmed that the Data Protection and Digital Information Bill will sit under the newly created department.

Update - 21 November 2022 - Data Protection and Digital Information Bill delayed until further notice

The second reading of the Data Protection and Digital Information Bill (the Bill) in the House of Commons was delayed following Liz Truss’s appointment as Prime Minister in September 2022. The new UK Government is yet to confirm its position on the data protection legislation, but it is likely that the Bill will return to parliament under Rishi Sunak’s premiership. 

Update - 17 August 2022 - Announcement of the Data Protection and Digital Information Bill

The Data Protection and Digital Information Bill aims to reform the existing UK data protection regime following Brexit, namely the General Data Protection Regulation (GDPR). The Bill’s announcement in the Queen’s Speech follows the UK Government's consultation entitled ‘Data: a new direction’, which was published in September 2021.

The Bill will impact individuals in addition to private and public sector organisations. 

A more flexible and less burdensome regime will be welcomed by businesses operating in the UK, especially SMEs and those operating in the public sector. The new legislation may even entice organisations to bring more business to the UK. On the other hand, if the proposals are considered to diverge too far from the EU’s data regime, the UK’s adequacy status could be at risk.

The 'Queen's speech 2022: background briefing notes' outlines that the purpose of the Bill is to:

  • Take advantage of the “benefits of Brexit” to generate a trusted world class data rights regime.
  • Create a new pro-growth data protection framework that reduces burdens on businesses and boosts the economy.
  • Modernise the Information Commissioner’s Office (ICO) to take stronger action against organisations who breach data rules.

The briefing notes outlines the derived outcomes of the Bill is to:

  • Make sure that data can be used to empower citizens and improve their lives, via more effective delivery of public healthcare, security, and government services.
  • Increase industry participation in Smart Data Schemes, which will give citizens and small businesses more control of their data. The Bill will also help those who need health care treatments, by helping improve appropriate access to data in health and social care contexts.
  • Create a clearer regulatory environment for personal data use that will fuel responsible innovation.
  • Simplify the rules around research to cement the UK’s position as a science and technology superpower.

The Bill was introduced to the House of Commons on 18 July 2022, in the week leading up to parliament’s summer recess. The Bill’s second reading is expected to take place on 5 September 2022.

Interestingly, neither candidate for the Conservative leadership challenge, Liz Truss nor Rishi Sunak has discussed the Bill in much detail. However, Sunak has announced that reform of the data protection landscape will be one of his top priorities, and Truss in particular has pledged to review all EU laws retained in the UK that hinder UK growth.

 

Update - 7 November 2023 - The King’s Speech

The Data Protection and Digital Information Bill was first introduced in the Queen’s Speech of May 2022.  A revised draft, titled the Data Protection and Digital Information (No.2) Bill (the Bill), was introduced to Parliament on 8 May 2023.  The Bill is at the report stage in the House of Commons.

As announced in the King’s Speech on 7 November 2023, the Bill has been carried over and will continue to progress through the legislative process in this new parliamentary session.

Related items:

Related content