The UK’s New Data Protection Bill – Where Are We?
The Data Protection and Digital Information (No 2) Bill is currently making its way through Parliament. GDPR Local founder Adam Brogden looks at what that process involves.
There’s a lot to like about the new UK Data Protection Bill (to give it its informal name). The reduced complexity. The business-friendly changes to handling vexatious claims. The new and better-defined Responsible Person role (taking over the role previously held by the Article 27 representative). GDPR Local’s take on the new legislation is that we are encouraged by the direction of travel.
It’s not an easy read, because much of it amends or cross references existing legislation (the UK GDPR and the Data Protection Act 2018). If you really feel like reading the entire thing you’ll find it here, but you’ll need the other legislation on adjacent screens to have it make sense. Happily, you can find a summary of the proposed GDPR changes in our post here.
In order for the Bill to make good on its promise, however, it needs to become an Act, and as we’ve already seen with this Bill’s predecessor, that’s sometimes easier said than done.
The UK’s Data Protection Bill – the story so far
You could be forgiven for having a sense of déjà vu about the UK’s data protection legislation. The previous Data Protection and Digital Information Bill hit the rocks when its supposed second reading, originally scheduled for 5 September 2022, was postponed. The Bill was withdrawn entirely shortly afterwards, during the short, tumultuous premiership of Liz Truss.
A new prime minister saw the proposed legislation resurrected, with its first reading (which is little more than the formal reading of a bill’s title) on 8 March.
How a bill progresses through Parliament
What happens next is as follows:
Second reading: 17 April is the date for the Bill’s second reading. At the second reading Michelle Donelan, as the Bill’s supporting minister, will make the case for the GDPR changes in the House of Commons. Opposition parties will have a chance to respond and members of the House may discuss its contents. Although no changes will be made to the Bill at this point, members may raise in the House any changes they intend to propose.
Committee stage: This is a line-by-line review of the proposed legislation which, given the need to cross reference with other UK data law, should make for a challenging exercise. The intention here is to ensure the Bill will work as intended. It’s also possible that changes may help smooth the Bill’s passage through Parliament (that is, increase the chances that MPs will vote for it), although any change will only be accepted if it is “sufficiently close” to the subject matter – you can’t introduce left-field changes which send the Bill in new directions.
Report stage: A discussion in the Chamber of the House where only changes that have made it into the Bill are discussed.
Third reading and on: A further discussion of the Bill in the House. No amendments are possible. After this stage, the Bill will be sent to the UK’s second legislative chamber, the House of Lords, where it will go through the same stages as in the Commons. Where the House of Lords suggest amendments, the Bill will be passed back to the Commons for consideration and the amendments may be approved, rejected or have alternatives suggested. The back and forth will continue until the Bill has passed through both Houses.
Royal Assent: A formality, but an important one that officially ‘upgrades’ a bill to an act and signals the start of the (usually two-month) period before the act comes into effect.
You can find more on the legislative process in England on gov.uk.
Will the UK Data Protection Bill become law and how long will it take?
Bills fail all the time and for numerous reasons. They fail because of political change. They fail because parliamentary time is extremely limited and there often isn’t time within a sitting Parliament for a bill to complete its ping pong journey through both Houses. They fail because amendments can sometimes see the bill become bogged down and momentum lost in finding a way through the complexities.
The flip side of this is that some bills can pass through Parliament extremely quickly. Emergency legislation can clear both Houses in a few days, although that certainly won’t be the situation here.
Our hope (expectation is perhaps too strong a word) is that the Bill will clear Parliament, although placing a timescale on its enactment isn’t easy for all the reasons noted above.
We can take encouragement from the fact that the Bill is, politically at least, connected with the UK’s post-Brexit identity. For an embattled government eager to show the British public tangible evidence of positive change, this Bill will certainly have political will behind it.
That means organisations within the UK – and those who trade with the UK – will need to keep a watchful eye on proceedings and, if the GDPR changes do become law, they’ll need a clear understanding of…
In the coming weeks, we’ll be exploring the opportunities, benefits and impacts of the Bill in greater detail. In the meantime, GDPR remains in force as usual. If you need help with any data protection issues, access all our GDPR consultancy services here.