Data Protection and Digital Information (No. 2) Bill has its second reading

On Monday 17 April we saw the second reading of the Data Protection and Digital Information (No. 2) Bill. The Bill amends the UK’s data protection and online privacy laws, aiming to reduce compliance burdens for businesses and improve legal clarity.

The government aims to achieve this while maintaining strong data protection standards and maintaining the UK’s ‘adequacy decision’ from the EU, which were two topics covered in the second reading debate by MPs.

We support the aims of the Bill, particularly the government’s commitment to maintain ‘adequacy’, which underpins the movement of personal data between the UK and the EU. Some of the important things the Bill does include:

  • clarifying the legal basis for detecting and preventing crime, which is important given our members’ central role in protecting against fraud, money laundering and other unlawful activities
  • clarifying the rules for ‘automated decision-making’, while maintaining strong safeguards, and
  • better protecting firms subjected to speculative use of data subject access requests by claims management companies.

In addition to amending UK data protection law, the Bill also creates two promising statutory frameworks:

  • enabling digital identity services to be developed, and
  • enabling the government to create Smart Data schemes, empowering consumers to move their data from one firm to another and setting the scene for other sectors to catch up with Open Banking.

There are a few areas that will need careful scrutiny during the parliamentary process to ensure we strike the right balance. These include:

  • Any areas where the Bill might inadvertently put UK adequacy at risk, as identified by several MPs during the debate. In particular, maintaining the independence of the Information Commissioner’s Office (ICO) is key. The Bill contains positive reforms to ICO structure and governance, but Parliament will likely want to look closely at the increased government powers to steer the ICO and sometimes override it.
  • Provisions intended to help businesses by allowing them to disclose data to public authorities asserting a need ‘in the public interest’, rather than needing to analyse their own ‘legal basis’. Safeguards would help prevent unintended consequences, such as unfair data access by public bodies.
  • Changes to the Privacy and Electronic Communications Regulations aim to reduce paperwork around the use of cookies with low privacy impact. These will need a careful review to make sure they work effectively in practice. There is also an opportunity to clarify longstanding ambiguities, notably around whether firms operating as a group can use the ‘soft opt-in’ marketing rule, and whether customer communications sent to meet a regulatory obligation are considered ‘marketing’.
  • Ensuring that new Smart Data regimes are proportionate and include the right safeguards, for example by requiring government to do a Regulatory Impact Assessment before promulgating statutory instruments, and Post-Implementation Reviews within five years of implementation.

There will also be a significant ‘to do’ list once the Bill becomes law in order to settle it in place, including:

  • Guidance on automated decisions – safeguards like transparency are important, but the detail matters. It can make sense to tell customers their loan application has been rejected by an automated system, so they can request a review. But we wouldn’t want to tip off criminals that are detected by automated systems. This connects in with the government’s wider AI whitepaper.
  • Smart Data – with Open Banking, financial services are already in the lead so other sectors should be caught up. We support expanding consumer control over their data when there are clear merits to doing so. However, we need careful implementation with a full cost-benefit analysis of each potential scheme, effective consumer protections, and an equitable funding model. Any extensions to Open Banking need to make sense commercially.

The Bill now moves on to its Committee Stage in the House of Commons.