King’s Speech: UK data protection reforms to be resurrected

A new Digital Information and Smart Data (DISD) Bill was one of 40 legislative initiatives announced in the speech. In a background briefing paper published alongside the speech, the government said the Bill “will enable new innovative uses of data to be safely developed and deployed and will improve people’s lives by making public services work better by reforming data sharing and standards; help scientists and researchers make more life enhancing discoveries by improving our data laws; and ensure your data is well protected by giving the regulator (the ICO) new, stronger powers and a more modern structure”.

Data protection law expert Malcolm Dowden of Pinsent Masons said that while information about what exactly the new Bill will contain is light, the government’s briefing paper implies it will feature elements from the earlier Data Protection and Digital Information (DPDI) Bill, which did not make it through the parliamentary ‘wash up’ session that took place prior to parliament breaking up for general election campaigning in late May.

Under the DPDI Bill, the then Conservative-led government had proposed to loosen some restrictions on the processing of personal data for scientific research purposes. In providing details about the DISD Bill it plans, the new Labour government said the Bill will enable scientists “to ask for broad consent for areas of scientific research, and allow legitimate researchers doing scientific research in commercial settings to make equal use of our data regime”.

Separate proposals to “support the creation and adoption of secure and trusted digital identity products and services from certified providers to help with things like moving house, pre-employment checks, and buying age restricted goods and services”, and establish ‘smart data’ schemes – to enable “secure sharing of a customer’s data upon their request, with authorised third-party providers” – are also to be provided for in the DISD Bill, again reflecting proposals that had been outlined in the earlier DPDI Bill.

Structural changes to the UK’s data protection authority, the Information Commissioner’s Office (ICO), which were also proposed in the DPDI Bill, also look set to be revived through the DISD Bill, according to the government’s briefing paper.

“Under the provisions in the earlier DPDI Bill, the information commissioner would cease to be a ‘corporation sole’, meaning that the regulatory model would shift from being one where the powers and duties of the ICO rested with the information commissioner themselves, currently John Edwards, to a new model where the ICO would have a statutory board, headed by a chair and chief executive,” Dowden said.

“When the new Bill is introduced, it will be interesting to see whether the more controversial elements of the previous provisions are replicated – specifically, the ability of the Secretary of State to appoint members to the statutory board and determine the number of members the board may have and to set the ICO’s priorities and enforcement objectives. Those provisions gave rise to concerns about the EU-UK adequacy decision, which relies on factors including the ICO’s status as an independent regulator,” he said.

Dowden said that, with the EU-UK adequacy decision in mind – a decision that facilitates the free flow of personal data between the UK and EU in support of everyday business operations – businesses will also be wondering whether other controversial proposals that were contained in the DPDI Bill are resurrected in the new DISD Bill. He said there is no indication from the government’s briefing paper that they will.

Dowden said: “The key areas of difference between the previous Bill and the new Bill might well lie in elements that were advanced by the previous government as ‘Brexit benefits’, which implied divergence from EU data protection laws and more relaxed rules for business – for example, on issues such as protecting individuals from solely automated decision making, including through the deployment of AI systems. The extent of any divergence between the Labour government’s Bill and EU data protection laws will be closely scrutinised, particularly as the EU-UK adequacy decision is due for review in June 2025.”

Industry body techUK published an open letter during the general election campaign urging whichever party formed the next UK government to “modernise the UK’s data protection framework”. In a statement issued in response to the King’s Speech, techUK welcomed the fact that the new DISD Bill “is likely to bring back some of the benefits from the former government’s plans, minus several of the contentious areas of the previous legislation”.