Insights UK Data Protection and Digital Information Bill: first reading in House of Lords

Contact

As reported by Wiggin previously, the Data Protection and Digital Information Bill (“DPDI”), originally published in March 2023, proposes several changes to the existing UK data protection regime as set out in UK GDPR. Following its first and second reading in the House of Commons, the DPDI entered the Report Stage, and a number of amendments were proposed. These were debated and then voted on at the Bill’s third reading on 29 November 2023.

The amendments approved by the House of Commons were numerous (the draft DPDI has grown from 224 to 300 pages) and, although many are technical in nature, others could represent significant changes to the UK data protection regime. These include a provision that, in responding to subject access requests, controllers are only required to undertake reasonable and proportionate searches for personal data and other information. Another relates the Information Commissioner’s Office’s (“ICO”) independence in fixing codes of practice. The original DPDI provided that the ICO had to provide codes of practice to the Secretary of State for approval; this has now been amended to provide that the ICO must consider recommendations from the Secretary of State about a code of practice before the code is laid before Parliament for approval. Another amendment relates to the obligation to notify personal data breaches under the Privacy and Electronic Communications Regulations 2003 to the ICO no later than 24 hours after the detection of the personal data breach, where feasible. This has been amended to require the notice to be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”

Concerns have been raised that changes to the UK data protection regime risk jeopardising the European Commission’s finding of “adequacy” in respect of the UK, which ensures that personal data can continue to flow freely from the EU. It remains to be seen whether this will be the case. In the House of Commons debate on the amendments in November, Sir John Whittingdale, Minister for Data and Digital Infrastructure stated “I can guarantee that there is nothing in the Government’s proposals that we believe puts data adequacy at risk.”

The DPDI had its first reading in the House of Lords on 6 December 2023, a formality that signals the start of a Bill’s journey through the Lords. Its second reading in the House of Lords, where the DPDI will be debated, is scheduled to take place on 19 December 2023.

For more information, click here.

Expertise