RIP DPDI: Data Protection Reforms Fall At The Final Hurdle

After a long and troubled gestation, the much awaited Data Protection and Digital Information Bill (DPDI) fell at the final parliamentary hurdle - failing to reach the statue book before the dissolution of parliament prior to the General Election. The Bill had been touted by the previous government as a significant reform of the UK data protection regime and the first opportunity for substantial divergence from the EU data protection model since Brexit while hopefully maintaining the UK’s much-prized “adequacy” status with the EU.

Changes proposed under the bill included:

• Reduced requirements to keep and maintain Article 30 records of processing.
• Replacing the requirement to appoint a Data Protection Officer (DPO) with a requirement to designate a member of senior management to act as a ‘senior responsible individual’ (SRI).
• Reforming the rules on Data Protection Impact Assessments (DPIAs) which would have been rebranded as an “assessment of high risk processing,” requiring a summary rather than a systematic description of the purposes of processing and measures to mitigate risk, and removing some of the requirements to consult with the regulator and data subjects.
• Creating a new category of recognized “legitimate interests”.
• Reform to the rules on cookies in the Privacy And Electronic Communications Regulations (PECR) to cut down on ‘user consent’ pop-ups and banners.
• Extending the electronic marketing soft opt-in under PECR to charities.
• Reforming the structure and powers of the existing regulator, the Information Commissioner’s Office, under a new body – the Information Commission.

While many of the proposed measures enjoyed wide-spread support concerns had been raised in some quarters that the bill would have weakened the protections afforded to UK personal data, potentially jeopardizing the UK’s adequacy status and the frictionless UK-EU data flows reliant on that status. The final failure of the Bill was attributed by some to controversial late amendments proposed by the Department of Work and Pensions (DWP) which would have allowed for increased data sharing between the DWP and private companies in the banking sector to combat fraud or mistaken payment of benefits.

Under a newly-installed government looking to re-set UK-EU relations, it is unclear what political appetite exists for returning to the Bill or prioritizing reforms that would constitute a further divergence from existing EU data protection rules and might pose a consequent risk to the UK’s current “adequate” status.

While there will no doubt be a need in due course for the new government to revisit some of the reforms in the doomed DPDI and to update its response to the challenges presented by the fast moving advances of AI, for the moment UK data protection law continues to be underpinned by three central legislative pillars.

• The UK GDPR
• The Data Protection Act 2018
• The Privacy And Electronic Communications (PECR).

Please contact James Quartermaine, Legal Director, for more information.