The latest Data Protection and Digital Information Bill (No. 2) has been introduced to the House of Commons by the Department for Science, Innovation and Technology (DSIT), promising savings for businesses of up to £4.7bn over ten years. But privacy experts are concerned that the new draft means personal data could end up in the wrong hands.
In her statement on the new draft bill, Technology Secretary Michelle Donelan said: “Better data access and use is at the heart of our mission to grow the economy, improve the lives of everyone in the UK […]. Data is fundamental to economic growth, scientific research, innovation, and increasing productivity.” In 2021, 85% of the UK’s total service exports (£259bn) was data-driven trade.
The dubbed “common-sense-led UK version of the EU’s GDPR” was first introduced in July 2022 but paused to allow co-design with businesses across the UK. DSIT says that it has consulted with business leaders and data experts on the new draft to maximise benefits for the UK economy as well as the removal of unnecessary admin and expense.
However, civil rights organisations have told Tech Monitor that the new draft could infringe data protection further.
The latest Data Protection and Digital Information Bill could be ‘worse than the last’
In a statement, Abigail Burke, policy manager at Open Rights Group, said that the bill fails to address the privacy concerns raised by civil society and could also harm businesses.
“It appears that the revised version of the Data Protection and Digital Information Bill will be worse than the last, posing an even greater threat to our privacy rights,” she said. “The Government seems intent on undermining our ability to have control over our data, instead greatly expanding the power of businesses and government departments to collect, process and re-use our data in new ways.
Back in June 2022, the Open Rights Group were part of 30 civil society organisations that wrote to the then Secretary of State for DCMS, Nadine Dorries, over concerns that privacy and civil society organisations had not been included in the drafting of the Bill. And only this week, they wrote an open letter to Donelan asking for the Bill to be scrapped and for the process to start again.
Data Protection and Digital Information Bill: damaging to business?
Burke also points out that the new Bill could be potentially damaging to the economy as it risks failing to meet EU adequacy requirements.
“Conservative estimates found that the loss of the adequacy agreement would cost £1bn-1.6 bn in legal fees alone, not including the cost resulting from disruption of digital trade, investments, and the relocation of UK businesses to the EU,” she argues.
“Navigating multiple data protection regimes would create extra costs for many businesses, who will have to adapt their processes to two sets of regulations,” she continues. “In addition, scrapping good governance measures such as data protection officers exposes businesses to uninsured risks, and reputational damage arising from data breaches.”
The government says the new Bill is compatible with the UK’s existing international data transfer agreements, including the adequacy deal with the EU. However, the European Commission is able to cancel the adequacy pact if it feels data protection standards in the UK are slipping below those GDPR offers to European citizens.
Civil liberties and privacy campaign group Big Brother Watch also has concerns about the Bill. “The revised Data Protection and Digital Information Bill poses serious threats to Brits’ privacy,” says Susannah Copson, legal and policy offer at Big Brother Watch. “The Government are determined to tear up crucial privacy and data protection rights that protect the public from intrusive online surveillance and automated-decision making in high-risk areas.
“This bonfire of safeguards will allow all sorts of actors to harvest and exploit our data more than ever before. It is completely unacceptable to sacrifice the British public’s privacy and data protection rights on the false promise of convenience.”
Concerns over ‘scientific’ use of data
As part of the latest draft of the Data Protection and Digital Information Bill, DSIT has redefined “scientific research” in relation to processing data, which the department says will make clearer for scientists how they can process data for research purposes.
The definition update clarifies that commercial organisations can also benefit from the same freedoms as academics in the name of scientific research, which means there will be fewer controls on how this information is used. However, public health research can only be classed as conducting work in the interest of the public.
Sam Smith, who leads on policy at medConfidential, an organisation that scrutinises health service data use, told Tech Monitor that this means a far larger pool of organisations may try and pass off their operations as “scientific” to avoid scrutiny: “I’m sure Cambridge Analytica would say their approach was ‘scientific’,” he notes.