Out-Law News

Post-Brexit reforms to UK data protection laws on course to pass by the summer


Businesses have been told to expect the proposed post-Brexit reform to UK data protection laws to come to fruition this summer, with the Data Protection and Digital Information (DPDI) Bill seemingly set to pass through the parliamentary process before the UK parliament rises for summer recess on 23 July.

Data protection law expert Kathryn Wynn of Pinsent Masons highlighted the forthcoming change after a date of 10 June 2024 was fixed for the report stage for the Bill in the House of Lords.

The DPDI Bill was introduced into the UK parliament in March 2023. Its purpose is to create a new post-Brexit UK data rights regime that is less burdensome on businesses and researchers, in order to encourage innovation, by effecting changes to existing UK data protection laws, which are predominantly set out in the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

The Bill has already completed its passage through the House of Commons, been read twice in the Lords and cleared the Lords committee stage. The next stage, the report stage, is where all members of the Lords will have a chance to propose amendments to the Bill and discuss and vote on those amendments.

The report stage immediately precedes the third reading stage of the Bill, which is the last chance for peers to ensure the Bill is workable. After third reading, the Bill will be sent back to the House of Commons for consideration of Lords amendments, as both Houses of Parliament must agree on the Bill’s exact wording. This can start a process called ‘ping pong’ whereby the Bill goes back and forth between the Commons and the Lords until the final text is ratified. Once that happens, the Bill will go for Royal Assent.

As currently drafted, the Bill would alter how ‘personal data’ – to which data protection law applies – is defined in the UK; enable organisations to refuse to act on “vexatious or excessive” data subject access requests; loosen restrictions around the processing of personal data for research purposes and in respect of automated decision-making; remove some record-keeping duties organisations face; and remove the requirement that controllers or processors not established in the UK have to appoint a UK representative.

Some organisations – public bodies, and businesses carrying out ‘high risk’ personal data processing – would have to designate a “senior responsible individual” (SRI) as part of the senior management team to undertake tasks under the legislation, replacing what is currently the role of the data protection officer (DPO). The SRI will have oversight and accountability for 'high risk' processing. SRIs are permitted to delegate the tasks, for example where necessary to avoid conflict of interests. However, those to whom the tasks are delegated must have appropriate professional qualifications and knowledge of data protection legislation and be in a position to act independently.

The wide-scope requirement on organisations to undertake data protection impact assessments (DPIAs) is also to be replaced by a more targeted assessment requirement applicable to ‘high risk’ processing, and the requirement to consult the Information Commissioner’s Office (ICO) where the DPIA flags a high risk that the controller cannot mitigate is now optional.

UK data protection law is currently closely aligned with EU data protection laws. As a result, the UK has been designated by the European Commission as providing for ‘adequate’ data protection – a designation that enables the free flow of personal data from the EU to the UK.

While the contents of the DPDI Bill do not represent a wholesale shift in approach, the potential impact of the planned changes to UK data protection law on the UK’s ‘adequacy’ status is the subject of scrutiny on both sides of the English Channel.

In the UK, the European Affairs Committee currently has an open inquiry into data adequacy in which it is, among other things, assessing “the possible implications of any divergence in the respective data protection regimes of the UK and EU”. The committee has already heard witness testimony from UK information commissioner John Edwards, among others, and it is accepting evidence to inform the remainder of its inquiry up until Friday 31 May 2024.

Wynn said: “The European Affairs Committee’s report at the end of its inquiry will be non-binding and will not impact the passage of the DPDI Bill. There is therefore a possibility that the Bill will pass without the adequacy position being resolved.”

“The UK-EU adequacy decision is due for renewal in June 2025. The European Commission is planning to initiate its adequacy assessment early next year. One of the areas the European Commission will be looking at is the impact of the DPDI Bill reforms,” she said.
