The Data Protection and Digital Information Bill, the UK’s post-Brexit replacement for the EU’s GDPR data regime, was debated in Parliament yesterday. MPs flagged concerns around the free flow of data for global companies, geopolitical issues such as data adequacy with the EU, rising legal costs for businesses and human interventions for automated decision-making.
During a second reading of the bill, Julia Lopez, minister for data and digital infrastructure, told the House of Commons that the new legislation would rid small businesses of complex rules and high costs that they face under GDPR. She also said it would reduce the number of consent pop-ups that people use to give permission for websites to collect data about their visits.
“This bill will maintain the high standards of data protection that British people rightly expect,” Lopez said. “But it will also help the people who are using our data to make our lives healthier, safer, and more prosperous. That’s because we’ve co-designed it with those people, to ensure that our regulation reflects the way real people live their lives and run their businesses.”
The government says that the new regulation will contribute £4.7bn to the economy over ten years. The Department for Science, Innovation and Technology (DSIT) says this will come from an increase in fines for nuisance calls and texts. Companies could face sanctions of up to £17.5m or up to 4% of global turnover, whichever is greater.
The Data Protection and Digital Information Bill was first proposed last September, but work on the new law was paused during Liz Truss’s short spell as prime minister. A new version subsequently appeared earlier this year, which DSIT says has been co-designed with businesses.
However, the government has yet to make its impact assessment for the second version of the legislation public. Parliament’s Regulatory Policy Committee (RPC) has apparently seen a copy, having published its opinion on the impact assessment, which outlines overall savings to businesses of £98.3m. Lopez told the House of Commons on Monday that small businesses will save £90m in compliance costs.
“Businesses that do not have the time, the money or the staff to spend precious hours doing unnecessary form-filling are currently being forced to follow some of the same rules as a billion-dollar technology company,” she said. “We are therefore cutting the amount of pointless paperwork, ensuring that organisations only have to comply with rules on record-keeping and risk assessment when their processing activities are high-risk.”
She went on to say that the government is proposing to rid companies of “excessively demanding requirements to appoint data protection officers”, something which is mandated under GDPR.
“Those changes will not just make the process simpler, clearer and easier for businesses, they will make it cheaper too,” she continued. “We are expecting micro and small businesses to save nearly £90m in compliance costs every year: that is £90m more for higher investment, faster growth and better jobs.”
The DSIT minister also covered artificial intelligence and how the bill could “unlock the potential” of the technology.
“The bill will ensure that organisations know when they can use responsible automated decision-making and that people know when they can request human intervention where those decisions impact their lives, whether that means getting a fair price for the insurance they receive after an accident or a fair chance of getting the job they have always wanted,” she explained.
Data Protection Bill ‘doesn’t go far enough’ – MPs
MPs said that they felt the bill was a missed opportunity, especially given the lengthy process that preceded it.
“For the most part, the bill does not represent significant change from the existing GDPR framework,” Darren Jones, Labour MP for Bristol North West and chair of Parliament’s Business, Energy and Industrial Strategy committee, told the House. “There are some changes to paperwork and the appointment of officers, but nothing radical.”
The shadow secretary of state for digital, Lucy Powell, also added her concerns that the proposed legislation didn’t “rise to the challenges” presented by AI and social media companies such as TikTok: “It tweaks around the edges of GDPR, making an already dense set of privacy rules even more complex,” Powell said.
She argued that the bill missed the opportunity afforded to the UK by leaving the EU, questioning whether it would achieve its aims in practice.
“Now that we have left the EU, we need new legislation to ensure that we both keep pace with new developments and make the most of the opportunities,” Powell said. “In many areas, however, the bill threatens to take us backwards.
“First, it may threaten our ability to share data with the EU, which would be seriously bad for business,” she continued. “Given the astronomical cost to British businesses should data adequacy with the EU be lost, businesses and others are rightly looking for more reassurances that the Bill will not threaten these arrangements.”
Opposition party MPs also asked for assurances that private companies would not benefit commercially from personal health data without consent.
“The bill undermines individual rights,” Powell said. “Many of the areas in which the Bill moves away from GDPR threaten to reduce protection for citizens, making it harder to hold to account the big companies that process and sell our data. Subject access requests are being diluted, as the Government are handing more power to companies to refuse such requests on the grounds of being excessive or vexatious.
“They are tilting the rules in favour of the companies that are processing our data,” she continued. “Data protection impact assessments will no longer be needed, and protections against automated decision-making are being weakened.”
Some MPs asked questions regarding the independence of the Information Commissioner’s Office (ICO) under the proposed legislation.
“The Secretary of State will have greater powers when it comes to some of the statutory codes that the ICO adheres to, but those powers will be brought to this House for its consent,” explained Lopez. “The whole idea is to make the ICO much more democratically accountable.” She went on to say that she didn’t believe the concerns around the ICO’s independence were “justified or legitimate”.
Industry experts remain concerned about the proposed Data Reform Bill
Outside of Parliament, industry experts told Tech Monitor of their concerns regarding the proposed legislation.
Tim Heywood, data protection, public law and procurement partner at law firm gunnercooke, said that the bill represented a “major shift in policy for the UK” in making the rights of people secondary to the commercial interests of businesses.
“This might well be welcomed by many Tech Monitor readers but no one should underestimate the significance of this shift. It is seismic,” he says. “It is timely to remember that regulation is not the enemy of innovation. Good regulation – that is law created on the back of informed, open and honest debate about society’s needs – is the friend of all of us, business people included.
“Businesses cannot expect to operate in a vacuum,” Heywood adds. “Trust needs to be built and earned. The idea of ‘consent’ only works if that consent is fully informed and freely given.”
Data experts are also trepidatious about whether the current data adequacy agreement with the EU will be in jeopardy under the Data Reform Bill.
Natalie Cramp, CEO of data consultancy Profusion, told Tech Monitor that compatibility failures with GDPR would mean more costs for businesses: “One of the key issues around the bill is whether it lives up to its goal of ensuring businesses can continue to use their existing international data transfer mechanisms to share personal data overseas,” Cramp says.
“This is very important to UK businesses, as failure to make it compatible with, for example, GDPR, will mean that companies which deal with EU citizens’ data will have to comply with both sets of legislation – which will significantly increase costs.”
Sarah Pearce, a partner at law firm Hunton Andrews Kurth, says the bill is light on detail.
“While the sound of a ‘common-sense led approach’ is to be welcomed, it sounds like it may be challenging to demonstrate to EU authorities that the UK Bill has retained a sufficient level of ‘essential equivalence’ to EU data protection laws in order to be able to keep hold of its adequacy decision with the EU,” she told Tech Monitor.
“The proposals around international data transfers are encouraging but somewhat unclear,” Pearce says, adding: “If it means the UK would no longer require an analysis of the third country to which personal data is being transferred, it is potentially worrying from an adequacy decision perspective. It isn’t clear to me at this stage that this is what they are suggesting, we need more detail.”
The bill has now moved into committee stage, where it will be scrutinised further.