UK Parliament / Open data

The Data Protection and Digital Information (No. 2) Bill 2022-23

Commons Briefing paper by John Woodhouse, Adam Clark, Lorraine Conway, Catherine Fairbairn, Neil Johnston and Tom Powell. It was first published on Thursday, 9 March 2023. It was last updated on Tuesday, 28 March 2023.

The Data Protection and Digital Information (No. 2) Bill [Bill 265 2022-23] was introduced in the House of Commons on 8 March 2023. It is scheduled to have its second reading on 17 April 2023.

Much of the Bill is the same as the Data Protection and Digital Information Bill [Bill 143 2022-23] which was introduced in the Commons on 18 July 2022. The original Bill was scheduled to have its second reading on 5 September 2022. A Library Briefing on the Bill (PDF) (31 August 2022) was published for the debate. However, in a Business Statement on 5 September 2022, the Government said that, following the election of Elizabeth Truss as Conservative Party leader, second reading would not take place. This was to allow Ministers to consider the Bill further. The Bill was withdrawn on 8 March 2023.

What would the Data Protection and Digital Information (No.2) Bill do?

In a Written Ministerial Statement of 8 March 2023, Michelle Donelan, Secretary of State for Science, Innovation and Technology, said the new Bill followed a detailed co-design process with industry, business, privacy and consumer groups. The Bill would seize the post-Brexit opportunity to “create a new UK data rights regime tailor-made for our needs”. It would reduce burdens on businesses and researchers and would boost the economy by £4.7 billion over the next decade. The Secretary of State explained that changes had been made to the original Bill that would:

  • reduce compliance costs in the sector and reduce the amount of paperwork that organisations need to complete to demonstrate compliance.
  • reduce burdens by enabling businesses to continue to use their existing cross-border transfer mechanisms if they are already compliant.
  • give organisations greater confidence about the circumstances in which they can progress personal data without consent.
  • increase public and business confidence in AI technologies. 

The Bill would:

  • establish a framework for the provision of digital verification services to enable digital identities to be used with the same confidence as paper documents.
  • increase fines for nuisance calls and texts under the Privacy and Electronic Communications Regulations (PECR).
  • update the PECR to cut down on ‘user consent’ pop-ups and banners.
  • allow for the sharing of customer data, through smart data schemes, to provide services such as personalised market comparisons and account management.
  • reform the way births and deaths are registered in England and Wales, enabling the move from a paper-based system to registration in an electronic register.
  • facilitate the flow and use of personal data for law enforcement and national security purposes.
  • create a clearer legal basis for political parties and elected representatives to process personal data for the purposes of democratic engagement.

The governance structure and powers of the Information Commissioner's Office (ICO, the data protection regulator) would also be reformed and transferred to a new body, the Information Commission. 

Where would the Bill take effect?

Data protection is a reserved matter. The Bill’s changes to the Data Protection Act 2018 and the UK General Data Protection Regulation would extend to the whole of the UK, apart from one provision relating to the Information Commission’s seal, which does not extend to Scotland.

Other provisions in the Bill would require legislative consent motions from the devolved administrations – eg in relation to smart data. Annex A to the Explanatory Notes (PDF) gives detailed information on the Bill’s territorial extent and application.

Reaction to the Bill

John Edwards, the Information Commissioner, has welcomed the re-introduction of the Bill and “its ambition to enable organisations to grow and innovate whilst maintaining high standards of data protection rights”.

However, the Open Rights Group, an organisation campaigning on surveillance, privacy, and free speech, has claimed that the Bill would, among other things, weaken data subjects’ rights, water down accountability requirements, and reduce the independence of the ICO.

Big Brother Watch, a civil liberties campaign group, claims the Bill would “tear up” privacy rights protecting the public from automated-decision making in high-risk areas.

TechUK, the trade association for technology, believes the Bill “would help boost innovation while upholding privacy rights and EU adequacy”.

The Investing and Savings Alliance, a not-for-profit membership organisation, has welcomed the Bill’s provisions on smart data schemes.

Some commentators have noted that the Bill might put at risk the European Union’s June 2021 adequacy decisions on the UK. These allow personal data to flow freely between the EU/EEA and the UK.

More on the Bill

The Government has published the following material on the Bill:

Type
Research briefing
Reference
CBP-9746 
Series
Briefing papers on bills
Related items
The Data Protection and Digital Information Bill 2022-23
Tuesday, 14 March 2023
Research briefings
Data Protection and Digital Information (No. 2) Bill 2022-23
Wednesday, 8 March 2023
Bills
House of Commons
Topics
Consumers
Data protection
Political parties
Research and innovation
Subjects
Disclosure of information
Databases
Bureaucracy
Data processing
Privacy
Registration of births, deaths, marriages and civil partnerships
Electronic government
Information Commissioner's Office
Legislation
Data Protection and Digital Information Bill 2022-23 to 2023-24
Privacy and Electronic Communications (EC Directive) Regulations 2003
Published by
Home Affairs Section
House of Commons Library
Link
View this Research briefing on researchbriefings.parliament.uk
Back to top