On the 17 April 2023, the House of Commons held the second reading of the Data Protection and Digital Information Bill.
The Bill, in superseding EU GDPR legislation, aims to amend existing UK data protection laws towards a common-sense approach by “harness[ing] post-Brexit freedoms to create an independent data framework”.
The UK Parliament website has called for written evidence from anyone with "relevant expertise and experience or a special interest” in the Bill. The Bill has reached the Public Committee Stage, where external information and expert public opinion will be considered in detail along with a line-by-line scrutiny of the Bill. This is crucial to ensure the aims of the Bill are met.
What is interesting is the number of cross-party politicians who have conveyed mixed messages of support and concern regarding the Bill. We thought it might be helpful to briefly summarise the key issues that politicians raised.
- Educating people
Data protection law, as it exists needs more detailed delineation of the principles, obligations, and rights it presents. However, there is little change with the Bill, with some politicians calling for better education of the general public regarding the law, especially in regard to how their data is used.
- Compliance cost reduction versus training cost increase
Whilst some praise the ambition of the Bill to lower compliance costs, others are concerned the Bill will increase the training costs for organisations, particularly for those that may have to consider multi-jurisdictional processing of personal data.
- Will the UK maintain adequacy status?
The issue of transferring data is a hot topic for many organisations with multi-jurisdictional processing requirements who already feel the burden of requiring multiple transfer mechanisms to share data. Therefore, the possibility of the UK losing its adequacy status with the EU will be a significant concern for some organisations. At the time of writing, there are no guarantees provided by the UK government on this point. However, ministers have sought to provide reassurance by highlighting the government’s ongoing engagement with the European Commission, which is aware of the proposed legislative change.
- Multi-jurisdictional data protection compliance
Organisations that target consumers outside the UK should consider what other data protection laws they must comply with. For example, organisations that process the personal data of consumers who are not UK residents cannot rely solely on the Bill as a legislative framework sits outside this jurisdiction. As such, there is concern that the Bill adds another layer of data protection compliance for organisations operating in jurisdictions beyond the UK.
- Futureproofing
The UK government has expressed its optimism about the UK's technology future, recently publishing a white paper on the future of artificial intelligence. However, some feel the Bill does not consider the technological revolution that is taking place. As a result, there are calls for a more detailed law focusing on data more broadly, regarding the use and developments of technology in the UK.
The above points are not new, but the fact they have arisen in the second reading highlights the importance of these concerns. If you are an interested party and wish to provide written evidence, the UK Parliament website provides guidance on how to submit written evidence for consideration.
The first sitting of the Public Bill Committee is scheduled for 10 May, and the committee is expected to report by 13 June. Whilst there is no fixed date to reply to the committee, they are expected to conclude their considerations by 13 June 2023, which means no further written evidence can be considered after this date. The UK Parliament website encourages written evidence to be provided as soon as possible. If you would like to have your say then please do so via this link.
Data protection compliance is a constantly moving target. With all the recent legislative changes and more to come, now is the time to review and refresh your organisation’s data privacy compliance processes and policies. If you are interested in discussing any of the above, please get in touch with our data privacy team.
Written by
Related News, Insights & Events
Tech & IP Conference 2025: Evolution or Revolution?
07/05/2025 - Everyman Cinema, St James Quarter, Edinburgh
Our annual Tech & IP Conference will explore how businesses can take advantage of change to evolve, build resilience, and leverage competitive advantage through powerful technologies and innovation.
Risk Resilience in 2025
26/03/2025
Join our expert team to consider the top issues that we believe should be on your risk register in 2025.
Cyber Crime in the Trust Economy: Navigating an evolving threat landscape
Read our latest Trust Economy paper here.
