The Data Protection and Digital Information Bill is to be debated in the House of Lords on 19 December 2023. Those concerned with the protection of personal information have raised a number of concerns about certain aspects of the Bill, especially its effect on that protection.
Some of these are summarised in this post. For a more detailed analysis, I have prepared an Opinion for the organisation Defend Digital Me (https://defenddigitalme.org/); it has been published and sent to all the participants in the Lords debate. The Opinion can be accessed here, together with further comment and views on the Bill from DDM.
The data protection expert Chris Pounder has also commented on the Opinion here.
Some of the main points of concern can be listed as follows:
(a) The proposed change to the definition of ‘personal data’ in the Bill has the potential to mean that some data currently defined as ‘personal’ will in future be excluded from protections in the DPA 2018 and UK GDPR.
(b) In particular there is potential for the definition of ‘personal data’ to change depending on who is processing data, and the Bill removes the need for a data controller to have an ongoing duty to consider whether retained data has become ‘personal data’.
(c) A list of ‘legitimate interests’ (mostly concerning law and order, safeguarding and national security) has been elevated to a position where the fundamental rights of data subjects (including children) can effectively be ignored where the processing of personal data is concerned.
(d) The Secretary of State can add to this list without the need for primary legislation, bypassing important Parliamentary controls.
(e) Business-friendly interests, such as direct marketing, are now listed, without provisos, as interests which may be seen as ‘legitimate’, giving succour to commercial organisations, but no added protection to the personal data of individuals.
(f) Loosening of requirements on purpose limitation will assist commercial and non-commercial organisations involved in research and re-using personal data obtained from third parties, but will do nothing to increase protection for individual data subjects.
(g) The powers of the Information Commissioner are diluted in a way which provides less protection to data subjects, but much more power to the government to restrict and interfere with the role of the Commissioner.
Protection of personal data is a fundamental individual right, which increasingly needs to be safeguarded in a world where the processing of mass and bulk data by organisations and public bodies is becoming the norm. The proposals in this Bill do not seem designed to enhance this individual right as might be expected, but appear to be designed to downgrade the safeguards on the use of personal data for big business and government. These data protection reforms will make personal data more available for commercial benefit, while putting personal privacy at risk.