Thursday, 1 June 2023

Data Protection and Digital Information (No 2) Bill 2022-2023


In The Proposed Data Reform Bill I discussed the government's proposals for a new data protection statute. On 18 July 2022 - 23 days after I wrote that article - Nadine Dorries MP, the Secretary of State for Digital, Culture, Media & Sport, introduced the Data Protection and Digital Information Bill into the House of Commons.  That bill never got beyond its first reading because Ms Dorries was replaced by Michelle Donelan MP when Elizabeth Truss MP became Prime Minister.

At the Conservative Party conference Ms Donelan promised what sounded like much more far-reaching legislation (see Graham Turner, UK Gov Pauses Data Reform Bill | What you Need to Know, 4 Oct 2022, Digit News). On 8 March 2023, Ms Donelan withdrew the previous bill and introduced a new Data Protection and Digital Information (No. 2) Bill into the House of Commons. That Bill has now completed its passage through the Commons and is about to proceed to the House of Lords.

The new Bill consists of 114 clauses divided into 6 Parts with 13 Schedules. 

Part 1 (clauses 1 to 34) and the first 9 Schedules amend the Data Protection Act 2018 and those provisions of the General Data Protection Regulation that are incorporated into the laws of England and Wales, Scotland and Northern Ireland by s.3 of the European Union (Withdrawal) Act 2019 ("UK GDPR") and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019 No 419).

Part 2 (clauses 46 to 60) regulates "digital verification services."   These are defined by clause 46 (2) as "verification services provided to any extent by means of the Internet."  "Verification services" are defined in the same subsection as 

"services that are provided at the request of an individual and consist in—

(a) ascertaining or verifying a fact about the individual from information provided otherwise than by the individual, and

(b) confirming to another person that the fact about the individual has been ascertained or verified from information so provided."

An article by Charlotte Bowyer on Onfido Ltd's website adds that:

"Digital identity verification is how businesses confirm that a customer is who they say they are, online. They do this by assessing personal information and personal data related to an individual."

The technique is used by central and local governments, financial services institutions and other businesses to verify identity, age, qualifications and other personal attributes. 

Part 3 (clauses 61 to 77) permits the Secretary of State and the Treasury to make provision in connection with access to customer data and business data.   "Business data" is defined by clause 61 (2) as 

"(a) information about goods, services and digital content supplied or provided by the trader, 
(b) information relating to the supply or provision of goods, services and digital content by the trader (such as, for example, information about where they are supplied, the terms on which they are supplied or provided, prices or performance), 
(c) information relating to feedback from customers about the goods, services or digital content, and 
(d) information relating to the provision of business data to a person in accordance with data regulations."
"Customer data" means 
"information relating to a customer of a trader, including— 
(a) information relating to transactions between a customer and the trader, and 
(b) information relating to the provision of customer data to a person in accordance with data regulations; 'data holder', in relation to customer data or business data of a trader,"

Clauses 79 to 86 of Part 4 and Sched 10 amend The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426). The Regulations implement arts 2, 4, 5 (3), 6 to 13, 15 and 16 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. Clauses 87 to 91 amend Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market. Reg 910/2014 (also known as eIDAS) regulates electronic identification and trust services, such as verifying the identity of individuals and businesses and authenticating electronic documents.

Clauses 94 to 98 and Sched 11 amend The Births and Deaths Registration Act 1953 to facilitate the electronic storage of the relevant data. Clause 99 and Sched 12 provide for information standards for health and adult social care and information technology.

Clauses 100 to 103 and Sched 13 establish an Information Commission to enforce the Act.

Anyone wishing to discuss this article may call me on 020 7404 5252 during office hours or send me a message through my contact page.