Data Protection and Digital Information Bill challenges

UK ministers are currently considering a new Data Protection and Digital Information Bill. The bill is intended to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations, providing them with greater flexibility on how to comply with certain aspects of the data protection legislation and improving the clarity of the framework. Introduced in July 2022, it has been paused while the Government reconsiders aspects of it.

At Life Science Law we work with organisations to help unravel some of the tricky areas surrounding data privacy to help ensure they keep within the realms of GDPR. We support the initiative of simplifying data privacy and the idea of making it more accessible, yet in practice there are some fundamental issues with what is being proposed, not least the challenges the bill poses for organisations wishing to act from beyond the realms of the UK.

Ensuring the right safeguards are in place

One of the key challenges with the bill as introduced is ensuring the right safeguards are in place so that data is protected. The bill aims to lower safeguards governing data collection and processing in order to reduce the “burden” on business, by, for example, abolishing the statutory requirement for organisations that process data to have an independent data protection officer. 

Instead, organisations will designate a senior employee to oversee an organisation’s compliance with data protection rules. The bill also suggests introducing a new, “flexible” accountability regime that allows businesses to decide on how far they will be compliant, based on the scale of, and the perceived risks of, their operations. 

International transfer of personal data 

Another key challenge is for those businesses wishing to operate outside the UK. Under the new proposals, organisations would be able to take a risk based approach to assessing the impact of transferring personal data internationally using standard contractual clauses. This change could present a real risk to the free flow of personal data between the UK and the EU. 

Such a risk based approach may differ from the approaches in the EU, where some data protection authorities have said that the GDPR’s provisions on transfers of personal data to third countries do not allow for this approach. 

The very nature of the new bill is to simplify the UK’s data protection framework, yet in reality for businesses operating outside the UK it will cause more complexity and more confusion.

More clarity on consents 

Finally, the bill needs to provide more clarity on consents. Currently consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Under the bill, if a person gives permission for their data to be used for a specific research project, this consent can be extended (without further permission) to other projects, even if these were unknown at the original time of consent. The idea of the bill is to reduce consent fatigue, yet although it addresses consent, my fear is that it actually makes things even more complicated.

It will be interesting to see whether and how the bill progresses. The Law Society (of England & Wales) has aired its reservations surrounding its approach for being too business and innovation focused, which may be detrimental to individual rights and protection. The data rights activist body, Open Rights Group has also commented on the bill’s restriction of data subjects’ rights within the EU GDPR. Without some urgent changes to the points mentioned above, I perceive some challenging times ahead.