WIREDGOV

Concerns have been raised about some of the DPDI Bill’s provisions, some of which stem from misunderstandings of the Bill’s approach and its legislative intent. techUK addresses these misconceptions.

Since its adoption, the UK’s General Data Protection Regulation (GDPR) has had limitations, this has largely been due to a rigid, one-size-fits-all approach that poses significant compliance challenges for many organisations, particularly smaller firms, as well as a lack of clarity in the regime which has led to an overly cautious approach to data use. The DPDI Bill is an important evolution of the UK's data protection framework, seeking to modernise the GDPR while upholding the strong privacy standards that underpin it. 

The DPDI Bill achieves this through its focus on both consumers and innovation. It modifies the UK GDPR in ways that support the use of data to solve some of the UK’s most pressing challenges by making it clearer, more flexible, and user friendly, whilst upholding high data protection standards.  

For example, it will give companies more certainty to process data to prevent crime, respond to emergencies and to safeguard children or vulnerable adults. It also establishes the Digital ID Trust Framework, which will promote the use of digital identities, strengthening user privacy. 

The Bill has also undergone significant changes in Parliament to address concerns raised. For more information on this, refer to the techUK briefing on common misconceptions surrounding the Bill (available here). 

However, we note some continued issues being raised which we want to highlight below: 

Misconception 1: the Bill will limit regulatory independence 

When the Bill was introduced, concerns were raised about its provision granting the Secretary of State power to approve the Information Commissioner’s Office (ICO) codes of practice, which would have negatively affected regulatory independence. 

In response, the UK government has amended the Bill to remove this provision. The Secretary of State can now only provide non-binding recommendations on the ICO’s codes. While the ICO will be required to consider these recommendations, the final decision on the codes remains with the Commissioner. 

These amendments represent a significant step towards ensuring a more independent and transparent regulatory process, fostering greater confidence among industry stakeholders and safeguarding the integrity and effectiveness of the regulatory framework. 

Misconception 2: biometric data oversight framework is being weakened 

Concerns have been raised about the removal of the Biometrics and Surveillance Camera Commissioner, including over the impact this may have on the oversight of the sharing of DNA and fingerprint data, which the said Commissioner currently oversees. 

Robust protection of biometric data is crucial. The DPDI Bill streamlines and strengthens, oversight of biometric data. It does not remove the functions of the Biometrics and Surveillance Camera Commissioner but rather integrates their responsibilities into a broader oversight framework. 

Currently, the Biometrics and Surveillance Camera Commissioner is responsible for overseeing police use of biometrics, and overt surveillance cameras. Additionally, the Information Commissioner provides independent oversight of the use of biometrics and surveillance cameras by all bodies, including police. This creates a significant overlap between the two regimes, which the DPDI Bill addresses. 

• Functions of the Biometrics Commissioner: the DPDI Bill transfers the responsibilities of the Biometrics Commissioner to the Investigatory Powers Commissioner. The consolidation creates a single body with deep knowledge in biometrics, enabling a more effective and holistic oversight of emerging technologies like facial recognition, and a greater understanding of how these technologies intersect and impact privacy. This is expected to lead to more robust and nuanced oversight frameworks. It also reduces duplication and simplifies the oversight process. 
• Surveillance Camera Commissioner: the Bill abolishes the role of the Surveillance Camera Commissioner and repeals the need for a Surveillance Camera Code, as this is already overseen by the Information Commissioner, thus eliminating the duplication of oversight. Additionally, the ICO already publishes guidance on the use of data captured by surveillance systems regardless of the data controller (meaning it includes police and local authorities). By consolidating oversight with the Information Commissioner, the Bill simplifies compliance for police, local authorities, and the public. There is now a single, comprehensive framework for data privacy in relation to overt surveillance technologies. 
• Police retention and use of DNA and fingerprints: the Biometrics Commissioner is currently responsible for reviewing police retention and use of DNA and fingerprints. The Bill does not abolish this role but transfers its function to the National DNA Database Strategy Board. 
• Police use of live facial recognition: while the DPDI Bill streamlines the oversight framework for biometric data, it does not directly address police use of Live Facial Recognition (LFR) Technology. LFR remains subject to existing legal frameworks, consisting of common law statutes and guidance, and its use will continue to need to be applied in line with existing data protection legislation. 

Misconception 3: automated decision making will negatively impact the rights of data subjects 

The DPDI Bill clarifies that data subjects will continue to be able to contest automated decision making (ADM) and instances of profiling, but only when it could lead to a decision with significant or legal effect. This will establish a difference between low-risk ADM’s which are now integrated in our everyday lives, such as service personalisation, from high-risk ADMs that seriously impact an individual’s life, such as mortgage reviews or technologies that aid with hiring and employment. 

ADM is becoming increasingly integrated into consumers' daily digital interactions, providing organisations with valuable tools to enhance user experiences. The majority of ADM are for low-risk basic functions, from tailoring personalised content to supporting faster logins to performing light and non-consequential checks, for example estimating whether someone would be successful in a credit application. ADM, when combined with other parts of the Bill, such as the legitimate interest provisions can also be an effective tool in helping scan, prevent and mitigate fraud. Therefore, we welcome the transformative potential of ADM. 

Misconception 4: the Bill will weaken data protection and human rights 

Consumers' trust in the UK’s data protection is paramount to maintaining confidence in digital products and services and upholding the UK’s global reputation for robust data protection standards. 

The UK GDPR grants individuals specific rights over their personal data. These rights encompass access to their data, understanding of its usage, rectification, erasure, or restriction of data, objection to processing, data portability, and protection from automated decision-making based solely on personal data. 

The DPDI Bill ensures the preservation of these rights by: 

• Maintaining individuals’ right to request a copy of their personal data; 
• Empowering individuals with enhanced data portability rights through Smart Data schemes that enable seamless transfer of personal data across different platforms and services; 
• Protecting individuals' rights by ensuring they have the right to request human review or challenge any decision made through automated decision-making processes that has a significant effect on them; 
• Maintaining the right to be forgotten, allowing individuals to request for their personal data to be erased. 

Moreover, the Bill introduces important changes to the accountability framework, governing how organisations are held to account for how they process data. Currently, organisations must comply with detailed requirements regardless of the risk associated with their data processing activities, which disproportionately burdens SMEs and organisations undertaking low-risk processing. 

The proposed changes introduce a more adaptable approach to data protection and management. This approach allows organisations to tailor their compliance efforts to their specific circumstances, fostering robust and risk-driven approach embedded within their operations. 

This approach will place a strong emphasis on the fundamental principles of accountability including leadership and oversight; risk assessment; transparency; staff training and awareness; and monitoring, evaluation, and improvement. 

For example, even though businesses will no longer be mandated to have dedicated data protection officers, they will be required to designate a Senior Responsible Individual who will be responsible for embedding a data protection-conscious culture within the organisation.  

Given that all employees must be actively engaged in data protection to some extent for it to be effective, we view this as a positive step. Similarly, even though businesses will no longer be required to carry out Data Protection Impact Assessments (DPIAs), they will still be required to identify, manage, and mitigate data risks. The steps organisations need to take to comply with these new requirements will be set out in guidance by the ICO, updating existing guidance already in use.  

We expect that the overall effect of these changes will mean a more risk-based approach to data governance with organisations who do not process large quantities or sensitive personal data likely seeing a reduced level of compliance burden suitable to their needs. 

Having discussed the proposed changes to the accountability framework extensively with our members the vast majority do not expect these changes to affect their approach to data governance. Given the data intensive nature of many technology companies they expect to be held to the strongest standards and will have to build a globally facing compliance approach that meets the needs of multiple jurisdictions. 

Therefore, the main beneficiaries of the reforms to the accountability framework are expected to be outside the tech sector. 

Misconception 5: the Bill will result in the loss of the EU adequacy decision 

The reforms enacted in the DPDI Bill in our view do not substantially change data protection rights in the UK and British data protection standards should remain essentially equivalent to the EU's. We therefore expect the UK will retain its adequacy status. 

The UK government has also stated that maintaining UK-EU adequacy remains a top priority, which is evidenced by its active engagement with the EU, and the recent changes to the legislation, which are intended to ensure adequacy remains intact. 

This includes the decision to remove the proposed power for the Secretary of State to approve the ICO’s codes of practice. 

Furthermore, in March 2024, the UK government has tabled a set of amendments that seek to address adequacy risks by preventing future laws from easily overriding the existing strong data protection standards. 

Within this context, it is important to note that adequacy is a flexible designation granted to the UK and 14 other non-EU countries, each operating under its distinct legislative framework. We expect that despite the proposed amendments to UK GDPR, the UK's data protection standards will remain more closely aligned to the EU's than any other nation currently holding an adequacy decision.