The second reading of the Data Protection and Digital Information (No. 2) Bill

On Monday, the Data Protection and Digital Information (No. 2) Bill (the "Bill") had its second reading in the House of Commons. This gave us our first opportunity to hear what MPs have to say about the Bill.

Julia Lopez, Minister for Data and Digital Infrastructure, opened the session by outlining the objectives of the Bill, a statement which broadly echoed the government's press release. Lopez argued that with the introduction of the Bill, the government is "beginning an evolution away from an inflexible, one-size-fits-all regime to one that is risk-based and focused on innovation, flexibility, and the needs of our citizens, scientists, public services and companies".

A recording of the session can be found here and the key themes and topics discussed are summarised below.

  • The importance of retaining adequacy with the EU. Multiple ministers raised concerns that streamlining data protection legislation could lead to the loss of the EU's adequacy decisions for the UK. When concluding the session, Paul Scully (Minister for Tech and the Digital Economy) confirmed that the government is working closely with the EU Commission to prevent this. Scully flagged that the Bill need not mirror the GDPR in order for the EU to deem the UK's rules adequate. Scully referenced other adequate jurisdictions (such as New Zealand) as evidence of how differing regimes can be considered to offer "essentially equivalent" protections to data subjects, whilst taking a very different approach to protecting personal data. The Bill was therefore presented as striking a balance between maintaining adequacy and stripping back bureaucracy. However, the practical implications of the Bill for the UK's adequacy status remain at the forefront of ministers' concerns.
  • The struggle to balance the interests of big tech and consumers. Supporters of the Bill championed its co-design with tech businesses and experts. However, critics used this as evidence that the Bill favours the interests of big tech over the rights and freedoms of data subjects. In particular, various critics argued that giving businesses more scope to reject or charge fees for data subject access requests strips away important consumer data protection rights. There were also concerns raised about the failure of the Bill to introduce increased obligations on big tech around data portability, which has been a key driver for new legislation in the EU (by way of the Digital Markets Act and Digital Services Act).
  • The failure to address key technological developments. Critics of the Bill suggested the government are missing an opportunity by not using the Bill to tackle issues relating to AI, algorithmic bias, and biometric data. The GDPR itself is considered technologically agnostic, but as other jurisdictions around the world are using data-led legislation to address the risks posed by AI, ministers appeared concerned that the Bill fails to tackle some of the most challenging issues in the current data protection landscape.
  • Concerns over the powers of the Secretary of State. Critics argued that the Bill introduces wide powers for the Secretary of State to introduce new rules and exercise judgment, significantly in relation to automatic decision making. This in turn reserves discretionary power for future governments but no similar provisions are awarded to Parliament. Supporters of the Bill argued that this reservation of power is necessary to enable the Bill to remain flexible and change in line with evolving technologies.
  • The overwhelming desire for simple, clear rules. Almost everyone agreed that there is a definite need for streamlined rules that are easier to follow. However, one critic expressed their frustration that, after significant upheaval, businesses have adjusted to the GDPR regime and now may have to retrain staff and face additional compliance costs. Lopez confirmed, however, that small businesses that are complying with the GDPR will continue to be compliant under the Bill without the need for further compliance projects.

The Bill will now move to the Committee stage. Almost all contributors to Monday's debate commented that they looked forward to further improvements being made to the Bill in the next stage. Stay tuned to see whether there are any substantial edits to the Bill as it progresses.

For more information, you can read our Insight on the changes to the Bill introduced here.