Data Protection and Digital Information Bill: but what does it mean?

April 26, 2023
Tim Heywood



Earlier this month MPs debated the UK’s post-Brexit replacement for the EU’s GDPR data regime: the Data Protection and Digital Information Bill.

The MPs had many queries around the bill, but what does it mean for businesses and should we be concerned?

The Bill, even in its new version (v0.2), still represents a major shift in policy for the UK, by making the rights of individuals secondary to the commercial interests of businesses both large and small, national and international. The Bill is intended to remove what the Government calls the “burden” of data protection.

This might well be welcomed by many readers but no one should underestimate the significance of this shift. It is seismic.

The Government has an avowed intention of making the UK the “best” (for which read “easiest”) place for innovative tech companies to do business. They would have us believe that regulation gets in the way of innovation. They prefer to give business a free rein. Unfortunately, this puts the longstanding principle that personal data is our data (yours and mine) on ice.

It is timely to remember that regulation is not the enemy of innovation. Good regulation, that is, law created on the back of informed, open and honest debate about society’s needs, is the friend of all of us, business people included. Businesses cannot expect to operate in a vacuum. Trust needs to be built (earned). The idea of “consent” (so important to data protection) only works if that consent is fully informed and freely given.

So the policy shift instantly creates risk for those businesses that respect privacy and want to have an honest relationship with their customers.

That threat will also be of interest (not to say concern) to our neighbours in the EU.

The UK currently benefits from an Adequacy Decision from the EU, which means that, because the current UK data protection regime is similar to the EU’s, we can transfer personal data without friction.

The UK government’s policy shift puts that arrangement in danger.

The EU, like many others, may well think that the re-focussing onto what suits businesses is a step too far. Data protection law is, after all, about our fundamental rights as individuals. Our right to be private. 

If the Adequacy Decision goes, then UK businesses will very quickly find that they have to revisit all their data transfer arrangements. That will add to their costs and will create more legal and operational uncertainty too.

There are some potentially useful “clarifications” of UK GDPR, and a proposal to encourage the use of digital identities. This might prove useful in some contexts such as buying and selling our houses. But these benefits are rapidly lost in the fog created by the new legislation which, as well as changing the settled law, also adds complexity for those trying to understand what it means. The law will continue to be spread across several different pieces of legislation instead of being consolidated into one comprehensive Act. Compliance risk is therefore even harder to mitigate.

The fog is made worse by the fact that the Government intends to give itself the power to make more regulations that can bring about further extensive changes to the law on the topics of “customer data” and “business data” (two new, undefined, untested concepts) once the Bill is passed. We are not told in any detail what the policy intentions are, nor are we provided with drafts of those regulations that could be scrutinised by Parliament now. So no one in business knows how to plan ahead. 

Innovative solutions to the real challenges faced by the UK are to be encouraged. Good regulation is not the enemy of innovative solutions or profitable business. But we need to be clear about who is paying the price for “easy business”. In the context of the exploitation of personal data the answer is going to be “you and me”. Our rights are on the back-burner.

Even if we accepted the sacrifice, this Bill unfortunately does not deliver the legal or operational certainty that businesses need. It creates a fog of uncertainty and increased compliance risk. It shows none of the signs of having been designed around real ‘pro-society’ needs.

If you have any queries regarding the law around data protection, get in touch with Tim Heywood.
