Author | Niamh Libonatti-Roche |
Date | 1st December 2023 |
Executive Summary
On November 29th, 2023, Government sat to discuss the 240 proposed amendments to the Data Protection and Digital Information Bill. The sheer number of amendments has led the bill to be described as having “more baubles on it than the proverbial Christmas tree”. While many of the amendments were merely minor language changes or nuances to technical detail, some had the potential to:
§ Alter data subjects’ rights.
§ Undermine data adequacy with the EU.
§ Grant extensive new powers to Ministers.
§ Introduce completely new topics that have had little governmental consideration.
This document summarises the government amendments with the greatest impact following the Report Stage of the Bill, together with the supporting parliamentary debate, and places them in context for businesses.
DPDI Summary
Data Subject Access Requests
§ Clarification that data controllers only need to conduct reasonable and proportionate searches in response to a data subject access request.
o This amendment follows on from the existing article that looked to replace the “manifestly unfounded or excessive” threshold for refusing data subject rights requests with a lower “vexatious or excessive” threshold.
o The minister responsible for this amendment clarified that data controllers will still need to make a “best possible effort” to respond to requests but, where a request is genuinely “vexatious or excessive” or represents a waste of time and resources for businesses, data controllers can limit the effort they expend to respond.
o This approach better reflects the stance taken in U.K. case law.
ICO reforms
The ICO can now serve notices to organizations via email, without needing to obtain prior consent. This brings the investigative powers of the ICO in line with other existing U.K. regulators.
UK-US Data Access Agreement
The introduction and approval of a new legal basis so that UK-based telecommunications companies can process personal data for the purposes of complying with orders issued under the UK-US Data Access Agreement.
Reduction of Benefit Fraud through Data Sharing
Obligations placed on financial service providers to support U.K. government efforts to reduce benefits fraud, specifically the introduction of general and regular checks to be carried out on bank accounts held by benefit.
Rules on Social Media Data Preservation
Social media companies are to retain relevant personal data related to a child who died through suicide, to assist with investigations undertaken later.
Biometric data for national security purposes
§ Law enforcement bodies can now retain biometric data indefinitely where:
o It is obtained from an overseas law enforcement authority and the authority obtains material that identifies the person to whom the material relates,
o as soon as reasonably practicable the material is pseudonymised and then held in a pseudonymised form.
§ Retention of biometric data from INTERPOL is now enabled until the National Central Bureau informs the authority that the request or notification has been cancelled or withdrawn. Law enforcement bodies can retain de-pseudonymised biometric data for 3 years after it is decoded.
§ Expansion of the definition of biometric data for identification to include biometric data for the purpose of classification, expanding the protections offered by the GDPR to a wider data type.
Adequacy
§ One of the most hotly debated amendments was the proposal that the secretary of state should be able to veto codes of practice issued by the U.K. Information Commissioner’s Office. This led to concerns being raised by several stakeholders, in the UK and EU, over whether this would affect the ICO’s independence and thus the ability of the UK to retain adequacy.
§ In the report stage, this proposal was altered to allow the ICO more independence. Instead, the secretary of state will now be able to issue nonbinding recommendations to and with the Information Commissioner’s Office in relation to codes of practice.
Your Response
Businesses would do well to stay up to date with the bill’s progress because, despite the scale of amendments proposed and the size of the bill, it is tabled to come into effect in Spring 2024.
Key takeaways following the report stage are that:
- Continued UK Adequacy and continued EU-UK data transfers are now better assured as the ICO retains its independence.
- Data Subject Access Requests: vexatious requests can be ignored, but companies should remain vigilant with DSARs, as refusal of legitimate requests will end in warnings and penalties.
- Social Media Companies will need to implement data preservation mechanisms.
- Those handling biometric data will need to apply rules surrounding it to a greater scope of information due to a change of definition in the amendments to the DPDI.
DISCLAIMER
This document is intended to be read for reference only.
It is not intended as legal advice and should not be acted on as if it is.