The UK has been quite busy lately drafting new legislation to regulate the online world, not without controversy, though.
While the Online Safety Bill is making VPN services and encrypted messaging apps angry in its attempt to "make the UK the safest place in the world to be online," another proposed law seeks to reform the current UK GDPR on data protection matters.
The first draft of the Data Protection and Digital Information Bill (DPDI) was published in May last year, but it was put on hold just a few months later. Now, two governments later, a revised version was introduced in the House of Commons on March 8th.
Talking about the bill during a panel at the annual IAPP conference in London the day after, Secretary of State for the Department for Science, Innovation and Technology Michelle Donelan said: "There is absolutely no reason why we shouldn't bring down the burdens on businesses where it comes to no cost to consumers."
However, many commentators have pointed out how users will be negatively affected by a reform to the current GDPR as it "will seriously weaken data protection rights in the UK." Here's everything you need to know about the DPDI.
What is the Data Protection and Digital Information Bill (DPDI)?
The Data Protection and Digital Information Bill (DPDI) represents the government's post-Brexit attempt to reform the current GDPR by implementing a more flexible data regime, one intended to encourage and facilitate tech innovation.
The government estimates that the new law could save the UK economy more than £4 billion over the next 10 years by cutting down "pointless paperwork for businesses and reduce annoying cookie pop-ups" without compromising citizens' privacy.
"We want people to comply with our new data protection bill because they see and understand the benefits for them and their businesses, not because they're afraid of enforcement action or bored of pop-ups," said Donelan during her speech at the IAPP conference.
She also argued that it would be a mistake to view this Bill as weaker than the GDPR when it comes to protecting consumers.
Allegedly co-designed with business leaders and data experts to ensure the best outcomes for both sides, the second draft is currently at the first stage of the review process. However, not much seems to have changed from its first version.
DPDI vs GDPR: what will change?
As mentioned, the DPDI's general aim is to create a simpler, clearer and more business-friendly framework for handling users' data: a "common-sense-led" version of the GDPR, as some have called it.
This means that, while maintaining many similarities with the current data protection law, it introduces new targeted provisions and clarifications in certain areas. The most notable changes include:
- Expansion of the definition of anonymous data: This will cover all data that is not likely to identify a person when it is processed;
- Personal data processing without consent: It expands the right to use data without consent for scientific and/or statistical purposes. The second version also clarifies that public health research counts as scientific research only if it is in the public interest;
- Removal of legitimate interest balancing tests: There will be no need to carry out a legitimate interest balancing test under certain circumstances such as national security, defense, emergencies, preventing crime, safeguarding and democratic engagement. The UK government will be entitled to add to this list in the future;
- Consent pop-ups: It extends the range of exemptions to the consent requirement for cookies and other web trackers. These include web analytics, enabling some specific functions on websites, installing necessary security updates on devices, and collecting users' geolocation in an emergency;
- Less paperwork: Only organizations whose processing represents a high risk to data subjects will be required to keep records of data processing. The first version exempted businesses with fewer than 250 employees;
- Clarifications around automated decisions: It replaces Article 22 of the GDPR, allowing data processing based solely on automated decision-making under some special circumstances. Organizations are obliged to disclose this to users;
- Expanded direct marketing: Some non-commercial organizations will also be able to send electronic marketing communications without prior consent under certain circumstances. However, the Information Commissioner's Office (ICO) could hand out higher fines, as much as 4% of global annual turnover, to businesses that engage in unsolicited marketing communications;
- New threshold for refusing data subject rights requests: It replaces the "manifestly unfounded or excessive" threshold for refusing data subject rights requests with a "vexatious or excessive" threshold. Among other things, controllers could refuse requests intended to cause distress, not made in good faith, or which are an abuse of process;
- Data transfers: While promising to maintain the post-Brexit adequacy agreement with the EU, the Secretary of State may approve or restrict transfers of personal data to a third country or international organizations.
The good...
From a business perspective, it isn't hard to envision the benefits that such changes will bring. GDPR was, in fact, believed to be too difficult to implement, with about 80% of publishers reported to be unknowingly breaching the law.
According to Antonis Patrikios, partner and co-head of London-based Dentons’ Global Privacy and Cybersecurity law specialist group, the introduction of the new DPDI proposal is a "welcomed next step" in line with the government's aim of focusing on a harm-based regulatory approach.
"Clarifications around legitimate interests, scientific research and automated decision making are bound to make it easier for companies to explore the potential of new technologies and AI without worrying about the risk of technical non-compliance with rules that lack clarity," he told TechRadar.
From a user's perspective, the proposal is also said to help with the issue of so-called "pop-up fatigue." The term describes consumers clicking away their privacy rights in order to escape repetitive and annoying cookie banners.
"But users will probably see little practical difference. Cookie consents will still be needed for many advertising-related cookies (and many businesses may adopt a single EU-level approach). This is at least until browser-based controls are more developed," said Patrikios, adding that the extension of legitimate interests is also unlikely to have any practical impact on individuals.
...and the bad
Not everyone is on board with the DPDI's proposed changes, though - especially when it comes to people's rights.
🚨 We’ve sent an open letter to @michelledonelan calling on the government to scrap the Data Protection and Data Information (DPDI) Bill. Signed by 26 civil society groups, we warn that the Bill will seriously weaken data protection rights. Find out more https://t.co/EzwY5qwa7S
March 7, 2023
The letter signed by 26 privacy advocate groups - including Open Rights Group, Privacy International, Liberty, Big Brother Watch and Index on Censorship - warns the proposed changes will create "a greatly weakened data protection structure."
"The DPDI Bill is a power grab by the government that will undermine data rights in the UK. The bill weakens data subjects rights and corporate accountability mechanisms, politicizes the ICO, and expands the Secretary of State’s powers in numerous, undemocratic ways," said Abigail Burke, Policy Manager at Open Rights Group, in an official statement.
They highlight four main areas of concern:
- Reduced data subject rights and corporate accountability: Campaigners are worried that the Bill lowers the threshold for organizations to refuse a Subject Access Request and removes individuals’ right not to be subjected to solely automated decision-making.
- Extended data processing: They are particularly worried that the Secretary of State could make changes to increase data exemptions to consent, and to the ways data is used over time, without meaningful parliamentary oversight.
- ICO will be more dependent on the government: As the government can issue instructions and interfere with ICO's regulatory function, this will reduce the independence of the regulator which currently plays a key role in oversight of the government’s use of data.
- Data transfers: They are concerned that the Secretary of State might approve international data transfers to countries with insufficient data protection standards.
Together with a wave of new controversial legislation trying to regulate the right to protest and speech online, civil society groups also believe that the DPDI has the potential to further "jeopardize sensitive information about UK residents, and create new opportunities for discrimination against vulnerable groups."
For some, the new GDPR reform not only fails to mitigate the thorny issues of its previous version, but even makes things worse for individuals' data rights.
"The new regime is undoubtedly very popular among business leaders, since it waters down their responsibilities and accountability requirements," tweeted the not-for-profit media outlet The Citizens in a long thread detailing the issues with the new proposed law.
We believe the latest Data Protection and Digital Information Bill, UK’s post-Brexit replacement for Europe’s GDPR data regime, introduced yesterday by @michelledonelan, is worse than the previous one and puts data rights at severe risk. Here’s why 🧵 #DPDIBill
March 9, 2023
Another commentator also tweeted that considering such a Bill is "a waste of Parliamentary time" when another proposed piece of legislation, the Bill of Rights, is set to bring fundamental changes to the UK’s data protection regime.
"The UK Bill of Rights fundamentally changes the interpretation of the word necessary which is integral to the application of any lawful basis," wrote Dr Chris Pounder, Director of Data and Information Law training firm Amberhawk Training, in a blog post.
"The human rights challenges arising from the No.2 Bill as explained in the Memorandum are a mere pinprick compared with the privacy wasteland promised by the UK Bill of Rights."
Nigel Jones, data lawyer and co-founder of The Privacy Compliance Hub, takes a more neutral position on the DPDI, but he too doubts that reforming the GDPR is needed.
"My view is that the UK GDPR doesn't need changing and to change it fundamentally would be a mistake. However, even the EU is looking at how the GDPR could be improved, so change isn't something to be feared."
What's next for users' privacy?
As we have seen, while the UK government wants to make life easier for businesses, many fear that this would happen at the expense of citizens.
Put simply, the DPDI will create fewer burdens for businesses looking to process our data. But more data collection and fewer rights to opt out of it is surely not what users need to enjoy better privacy online.
According to James Snook, who is in charge of the GDPR reform, policymakers have had to adapt to the fact that data is now a major strategic asset in today's society and economy.
"That makes data protection policies even more important, because you can't realize all those benefits if you don't have public trust," he said during another panel at the IAPP conference.
In an ideal world, we would like to think that protecting citizens' rights should be a duty of any government, regardless of the benefits to be gained from it.
As Burke from Open Rights Group said: "People’s rights – not government control or the profits of corporations – should be the basis of any new legislation."