Newsflash: Data Protection and Digital Information Bill – The Return!

Having had a little break, the DPDI Bill was re-introduced into Parliament on 8 March 2023. Technically, the previous DPDI Bill (DPDI 1) was withdrawn on the same day, and the fresh new Bill is called the Data Protection and Digital Information (No. 2) Bill (DPDI 2), though DPDI 2 retains much of the content of DPDI 1.

I thought I’d do a comparison between DPDI 1 and DPDI 2, using the topics from my newsflash on 18 July 2022 (when DPDI 1 was introduced into Parliament).

Each topic below is set out with the DPDI 1 position first, followed by the position under DPDI 2.
Topic: Lawful basis for processing (Article 6 UK GDPR)

DPDI 1: In addition to the existing six lawful bases, there will be a new one (Article 6(1)(ea)):

‘processing is necessary for the purposes of a recognised legitimate interest’.

A new Annex 1 to the UK GDPR contains a list of such recognised legitimate interests including:

  • where a controller receives a request to disclose data to a public body which needs it to carry out a public task; or
  • where the processing is necessary for safeguarding a vulnerable individual.

DPDI 2: The new lawful basis remains in DPDI 2, with the list of recognised legitimate interests in Annex 1.

In addition, there is a new list of examples of the types of processing that may be necessary for the purpose of a legitimate interest under the existing lawful basis 6(1)(f):

  • processing that is necessary for the purposes of direct marketing;
  • intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes; and
  • processing that is necessary for the purposes of ensuring the security of network and information systems.

These are not revolutionary, particularly as they reflect Recitals 46, 47 and 49 of the UK GDPR. Though maybe it will reduce the arguments some people like to have over seeking consents to direct marketing, often confusing lawful basis under the UK GDPR with the requirements of the Privacy and Electronic Communications Regulations (PECR). DPDI 2 also amends the PECR marketing rules – see my comment on this below.

Topic: Compatible purposes of processing (Article 5(1)(b))

DPDI 1: A new Annex 2 to the UK GDPR will list purposes of data processing which are considered ‘compatible’ with the purposes of collection of personal data.

These include:

  • where a controller receives a request to disclose data to a public body which needs it to carry out a public task;
  • where the processing is necessary for safeguarding a vulnerable individual; and
  • where the processing is necessary to comply with a legal obligation.

DPDI 2: The provisions relating to compatible purposes in DPDI 2 appear substantially the same as in DPDI 1.
Topic: Vexatious requests from data subjects (new Article 12A UK GDPR)

DPDI 1: The ‘manifestly unfounded or excessive’ exemption to requests from data subjects (previously Article 12(5)) is to be replaced with an exemption for ‘vexatious or excessive’ requests. Examples of vexatious requests include those intended to cause distress, those not made in good faith, and those which are an abuse of process.

DPDI 2: The provisions changing ‘manifestly unfounded or excessive’ requests to ‘vexatious or excessive’ requests in DPDI 2 appear substantially the same as in DPDI 1.
Topic: Clarifying subject access requests (Article 15 UK GDPR)

DPDI 1: A new Article 12B allows controllers to clarify a SAR ‘where the controller reasonably requires further information to identify the information or processing activities to which a request…relates’.

This expands the current ‘large quantities of data’ rule (in Recital 63), as holding a large amount of data is now just an example of when clarification may be sought.

DPDI 2: These new provisions in DPDI 2 on clarifying a request appear substantially the same as in DPDI 1.
Topic: Automated decision-making (Article 22 UK GDPR)

DPDI 1: There will be fewer restrictions on solely automated decision-making, though safeguards must still be in place.

The main restrictions will be on solely automated decisions based on special category data, or which rely on the new lawful basis of a ‘recognised legitimate interest’ (as raised under the first topic above). Though safeguards must be in place for all solely automated decisions involving personal data.

The provisions only apply where the decision is a ‘significant decision’, producing a legal effect or ‘similarly significant effect’ for the individual. Regulations may specify specific situations which have (or do not have) a similarly significant effect.

DPDI 2: DPDI 2 contains similar changes to the rules on automated decision-making to DPDI 1.

There is additional clarification over profiling – in considering whether there is meaningful human involvement in a decision, a person must consider the extent to which a decision is reached by means of profiling (in other words, automated processing to evaluate individuals).

In addition, regulations may be made to describe cases where there is (or isn’t) meaningful human involvement.

Topic: Some fun relabelling: DPIAs, DPOs, ROPAs, ICO

DPDI 1:
  • Data protection impact assessments to be replaced with ‘assessments of high risk processing’;
  • you won’t need a data protection officer, but you may need a ‘senior responsible individual’ (for public bodies or where carrying out high risk processing);
  • ‘records of processing activities’ will become ‘records of processing of personal data’;
  • the Office of the Information Commissioner will also transform into the ‘Information Commission’ (a new body corporate), and the Information Commissioner’s role will transition to ‘chair of the Information Commission’.

There is some substance to these name changes too, aimed at reducing the burdens on organisations in complying with these requirements.

DPDI 2: The provisions on assessments of high risk processing, senior responsible individuals and the new Information Commission within DPDI 2 appear substantially the same as in DPDI 1.

There is a significant change to the rules relating to records of processing of personal data. Whilst the rules in DPDI 1 would have applied to all controllers and processors, under DPDI 2 the rules only apply where a controller or processor carries out processing which is likely to result in a high risk to individuals.

In other words, such records will only be needed in the same situations as assessments of high risk processing are required.

This is a significant change to the current Article 30 UK GDPR rules. However, organisations may wish to continue to maintain similar records in order to keep track of their activities, and to demonstrate compliance for the purposes of accountability.

Topic: International Data Transfers (Chapter V UK GDPR)

DPDI 1: Schedules 5 to 7 to the Bill contain lots of material on international data transfers (IDT). The aim is to enable the UK government to take a risk-based approach to assessing adequacy of other countries, and to allow data exporters to act pragmatically and proportionately when using alternative transfer mechanisms (though the key transfer mechanisms appear to remain the same as under current law).

DPDI 2: The IDT provisions within DPDI 2 appear substantially the same as in DPDI 1.

Though Schedule 7 (transitional provisions) contains some additional provisions relating to the continuation of ‘pre-commencement’ transfer mechanisms.

Topic: Cookies rules under PECR

DPDI 1: There will be new circumstances in which consent to the use of cookies is not required. The Explanatory Notes to the Bill explain that these are purposes which ‘are considered to present a low risk to people’s privacy’.

DPDI 2: The provisions on cookies within DPDI 2 appear substantially similar to those in DPDI 1.

Some comments on other changes not covered in my previous newsflash:

  • Use of personal data for statistical, scientific or historical research purposes (Article 89): There has been a lot of commentary on DPDI provisions relating to use of data for research and statistical purposes. This purpose of processing is an exception to many rules under the UK GDPR. These exceptions should not be overused, particularly as they limit the application of data subject rights. DPDI 2 clarifies the meanings of “scientific research”, “historical research” and “statistical purposes”. A key clarification in DPDI 2 (which was not in DPDI 1) is that something can be scientific research whether carried out as a commercial or non-commercial activity. DPDI 2 also introduces new safeguards for processing of data for research purposes, which replace the existing safeguards under Article 89 UK GDPR.
  • UK-based representative (Article 27 UK GDPR): Under the current UK GDPR, controllers and processors may be subject to UK requirements if they are not established in the UK, but are targeting UK data subjects (to sell them goods or services, or to monitor their behaviour). Under Article 27, such organisations are required to appoint a representative within the UK. The DPDI 2 Bill removes this requirement for a representative. The Explanatory Notes to DPDI 2 provide that other parts of the UK GDPR already contain requirements for communication with the ICO and data subjects. The removal of the requirement for a representative will allow organisations to decide for themselves the best way to comply with communication requirements. This may still include the appointment of a UK-based representative.
  • Direct marketing rules under PECR: Under current law, an organisation can use the ‘soft opt-in’ rules as an alternative to seeking consent to sending direct marketing communications by email or SMS. These rules apply to the marketing of the organisation’s own goods or services, where contact details have been obtained in the course of previous sales (or negotiations to sell) of goods or services to the recipient (and provided certain other conditions are satisfied). These rules therefore exclude organisations which do not sell goods or services, such as charities, political organisations and other non-commercial organisations. DPDI 2 expands the scope of the ‘soft opt-in’ rules such that non-commercial organisations can use them to send marketing emails or SMSs relating to their non-commercial objectives.

DPDI 2 is available here.

Olivia Whitcroft, principal of OBEP, 14 March 2023

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details