The Data Protection and Digital Information (No. 2) Bill: unlocking the potential of data-driven growth while maintaining high privacy standards

As the Data Protection and Digital Information Bill completes its passage through Parliament, techUK sets out the key benefits of the Bill as well as areas for improvement.

The Data Protection and Digital Information (DPDI) Bill is an important evolution of the UK's data protection framework. 

The Bill strikes a delicate balance between reform and upholding high data protection standards. It is designed to make the UK's data protection regime clearer and easier to comply with for low-risk scenarios, to support data-driven research and innovation, and to provide clarity to organisations on how they can process data for clear public interest reasons such as crime prevention, safeguarding, and supporting the Government and public services in responding to serious incidents.

These reforms will clarify and enhance the flexibility of the UK’s data protection system, benefitting researchers, innovators, and smaller companies as well as citizens and public authorities.  

It will also empower citizens through the establishment of the Digital ID Trust Framework, which will spur the use of digital identities, enhancing security, simplifying authentication processes, and providing convenient and efficient access to various online services. The Bill also upholds a high standard of data protection rights that are among the strongest in the world.  

The reforms are also expected to grant the UK the flexibility needed to adapt to a rapidly changing global trade environment. 

The opportunity to better use data to solve the UK’s challenges 

The DPDI Bill will amend the UK’s General Data Protection Regulation (GDPR) in ways that support the use of data to solve some of the UK’s most pressing challenges, from providing clearer bases for using data in research and development to giving companies more certainty to process data to prevent crime, respond to emergencies and safeguard children or vulnerable adults.

Clarifying the Data Protection Framework: Scientific Research and Legitimate Interests

The Bill clarifies existing provisions already contained in the GDPR to make it more explicit that research provisions for processing data cover privately funded projects in the public interest. It also includes an illustrative and non-exhaustive list of the types of scientific research these provisions intend to cover. This includes technological development, fundamental or applied research and scientific advances to support public health.  

techUK welcomes these provisions for bringing clarity and expects they will foster innovation and the development of cutting-edge technologies in fields like artificial intelligence, healthcare, and environmental science.  

The provisions should also operate alongside the UK’s new expanded R&D tax credit, which since April 2023 covers data licence and cloud computing costs. The combination of these two policy changes will provide clearer regulation and greater incentives for data-driven research, with the greatest benefit for innovation-intensive SMEs.

The Government will also introduce a limited, exhaustive list of legitimate interests no longer requiring a lengthy legal assessment (balancing test), allowing data to be processed in clear public interest scenarios. This includes crime and fraud prevention, the safeguarding of children, and responding to public emergencies.

We anticipate that the reforms on scientific research and legitimate interests will give the UK a competitive advantage and unlock substantial opportunities for societal benefit, encompassing areas such as fraud prevention, enhanced competition, safeguarding the vulnerable and broader public interest, and crisis management.

Some examples of where these provisions would provide benefit:

  • Tackling financial exclusion: LexisNexis® Risk Solutions, part of RELX Group, combined 2.6 million records with powerful statistical linking technology to provide a detailed, regional overview of financial exclusion and its underlying causes across the UK adult population.

  • Investigating emerging societal needs: BT’s Global Research and Innovation Programme brought together BT’s research ecosystem and was leveraged during the pandemic to explore growing concerns such as the future of work, impact on SMEs and in-person industries such as food, retail, and leisure. 

  • Supporting medical research: Vodafone UK’s DreamLab is an award-winning crowdsourcing app, developed by Vodafone Foundation, that uses the processing power of mobile phones to accelerate scientific research. For cancer research, DreamLab has identified over 110 anti-cancer molecules and potential repurposed drugs, while for COVID-19 research, the app has employed AI to analyse virus-host interaction data, identifying potential antiviral treatments.

However, concerns persist regarding the application of Automated Decision Making (ADM) to the recognised list of legitimate interests in situations where the decision carries significant or high-risk implications. To alleviate these concerns, the Government should provide clearer guidance on how ADM fits within the recognised list of legitimate interests for high-risk scenarios. This will reassure data subjects that their interests are being carefully considered and that avenues for redress are readily available.

At the moment the Bill also does not provide additional clarity on how organisations should process personal data for bias mitigation purposes. Given the importance of ensuring that AI and algorithmic systems are not biased, and the coming regulation via the Government’s AI white paper to ensure this, we believe the Government should look to provide further clarification in the law around how data can be processed to train systems for bias mitigation purposes.

Streamlining international data transfers for data-driven innovation

The Bill adopts a more proportionate and risk-based approach to international data transfers, fostering a more flexible environment while upholding robust data protection standards, thus aligning with the UK's ambition for global leadership in data-driven innovation and economic growth.  

These changes are welcome and much-needed as the global landscape for international data flows becomes more fragmented, enabling the UK to respond effectively to a rapidly changing world.

Further details on this approach can be found in the first report of the independent International Data Transfers Expert Council.  

Nurturing a Thriving Digital Identity Ecosystem for Inclusive Growth

The digital identity measures in the Bill will enable the Secretary of State to exercise governance functions in relation to the digital verification services register. This is a crucial step towards a thriving, safe and trustworthy digital identity ecosystem, which will enable real and inclusive economic growth by fostering increased financial inclusion, and the provision of public services by unlocking access to banking, government benefits, education, and many other critical services.  

Crucially, this will also reduce fraud, and promote secure digitization of a range of public and private services. 

Upholding high standards of data protection  

Consumers' trust in the UK’s data protection is paramount to maintaining confidence in digital products and services and upholding the UK’s global reputation for robust data protection standards. 

The UK’s GDPR grants individuals comprehensive rights over their personal data, including the right to access personal data held about them, the right to be informed about how and why their data is used, the right to have their data rectified, erased, or restricted, the right to object to data processing, the right to data portability, and the right not to be subject to automated decision-making based solely on personal data. 

The DPDI Bill supports these rights, including: 

  • Maintaining individuals’ right to request a copy of their personal data; 

  • Empowering individuals with enhanced data portability rights through Smart Data schemes that enable seamless transfer of personal data across different platforms and services; 

  • Protecting individuals' rights by ensuring they have the right to request human review of, or challenge, any decision made through automated decision-making processes that has a significant effect on them.

However, some concerns have been raised about the proposed legitimate interest list included within the Bill, as well as about changes to the accountability framework. Questions have been raised about the potential impacts these will have on data subject rights. techUK sets out its perspective below.

Legitimate interests:  

The DPDI Bill will establish a list of "recognised" legitimate interests, exempting a small recognised list of non-commercial interests like national security and child protection from the usual balancing test, thus allowing organisations to respond to often time-sensitive situations.

The Bill will also provide illustrative examples of legitimate interests for commercial purposes, ensuring organisations have greater confidence that a balancing test is appropriate for these scenarios – such as direct marketing and intra group transfers. 

These changes will improve the UK’s data protection regime in a variety of ways, including enhancing fraud prevention, improving product safety, and supporting the implementation of the Online Safety Act and the government's fraud strategy.

The recognised list is limited, and organisations will still have to perform a balancing test for the vast majority of circumstances where they seek to use the legitimate interest processing ground, as under the law today.

Accountability framework: 

The Bill will also make important changes to the accountability framework, i.e. how organisations are held to account for how they process data.  

The current framework requires organisations to comply with a set of detailed requirements, generally regardless of the risk associated with their data processing activities. This places a disproportionate burden on SMEs and organisations that undertake low-risk processing. 

The proposed changes aim to introduce a more risk-based and adaptable approach to data protection and management, enabling organisations to tailor their compliance efforts to their specific circumstances and foster a robust and risk-driven approach embedded within their operations.  

This approach will place a stronger emphasis on the fundamental principles of accountability, including leadership and oversight, risk assessment, policies and procedures, transparency, staff training and awareness, and monitoring, evaluation, and improvement. 

For example, even though businesses will no longer be mandated to have dedicated data protection officers, they will be required to designate a Senior Responsible Individual who will be responsible for embedding a data protection-conscious culture within the organisation.  

Given that all employees must be actively engaged in data protection to some extent for it to be effective, we view this as a positive step. Similarly, even though businesses will no longer be required to carry out Data Protection Impact Assessments (DPIAs), they will still be required to identify, manage, and mitigate data risks. The steps organisations need to take to comply with these new requirements will be set out in guidance by the ICO, updating existing guidance already in use.  

We expect that the overall effect of these changes will mean a more risk-based approach to data governance with organisations who do not process large quantities or sensitive personal data likely seeing a reduced level of compliance burden suitable to their needs.   

Having discussed the proposed changes to the accountability framework extensively with our members, the vast majority do not expect these changes to affect their approach to data governance. Given the data-intensive nature of many technology companies, they expect to be held to the strongest standards and will have to build a globally facing compliance approach that meets the needs of multiple jurisdictions.

Therefore the main beneficiaries of the reforms to the accountability framework are expected to be outside the tech sector.

Data adequacy:

The reforms enacted in the DPDI Bill in our view do not substantially change data protection rights in the UK and British data protection standards should remain essentially equivalent to the EU's. We therefore expect the UK will retain its adequacy status.

Data adequacy is a flexible designation accommodating 14 other non-EU countries with diverse legal frameworks. These include countries such as the UK, Argentina, Israel, New Zealand and Uruguay.

The UK has an enhanced adequacy status covering both personal data transfers and data exchanges for law enforcement.   

Areas for improvement:

The DPDI Bill represents well-considered and balanced modifications to the UK GDPR that will foster enhanced data-driven innovation in the UK. As it enters the House of Lords, we need to ensure that it seizes the full opportunities for reform. 

We encourage peers to look at clarifying how ADM will apply to the legitimate interest list, and to provide additional clarity on how to use personal data to prevent bias in AI and algorithmic systems.

There are also other areas where we would welcome further changes. For example, while we support the government's efforts to address nuisance calls and streamline data frameworks in health and social care, there are some major practical considerations that must be taken into account.

As the Bill progresses through the House of Lords, techUK will continue to work closely with the government, peers, and the ICO to ensure we seize the full benefit of reform while maintaining high standards of data protection.

techUK will be calling for: 

  1. Making the UK a more attractive place for data-driven research;

  2. Ensuring the recognised list of legitimate interests works as intended;

  3. A more flexible approach to international transfers;

  4. Allowing the UK’s Digital ID market to grow;

  5. Maintaining EU adequacy;

  6. Addressing concerns over the Secretary of State’s powers;

  7. Automated telephone marketing – technical feasibility of new obligations to report on nuisance communications;

  8. Ensuring a unified, cohesive, and interoperable legislative framework for health and social care.

Please click here to download techUK’s full briefing on the DPDI (No. 2) Bill. 

Please click here to download the briefing on common misconceptions about the DPDI (No.2) Bill.

Audre Verseckaite

Policy Manager, Data & Digital Regulation, techUK

Neil Ross

Associate Director, Policy, techUK