In the realm of data protection legislation, following the recent ICO Data Protection Practitioners’ Conference 2023, it is clear that the fate of the UK’s long awaited Data Protection & Digital Information Bill (DPDI) is shrouded in uncertainty.
Current Status and Delays
As of now, the DPDI faces a challenging path towards becoming law. In his session at the conference, James Snook, the director of policy at the Department for Science, Innovation & Technology indicated that the bill might not receive Royal Assent until mid-2024, with no scheduled debates in Parliament until November 15. The bill is currently at the report stage, which means it requires further deliberations in both the Commons and the Lords.
The Looming General Election Factor
Adding complexity to the DPDI’s journey is the looming possibility of a General Election, which the government has until December next year to call. Speculation abounds regarding Prime Minister Rishi Sunak’s intentions, with potential early elections in May or a wait until November to assess party performance in opinion polls. If an election is called before the DPDI is passed, the bill might not see the light of day until 2025. However, the concept of ‘washing up’ could still allow for a deal on the bill even in the event of an election. In ‘washing up,’ the Government and Opposition agree on bills to be swiftly passed without full Parliamentary scrutiny before dissolution.
Contrast with Earlier Expectations
The DPDI’s prolonged journey stands in stark contrast to earlier expectations. The government initially revealed its data reform plans in August 2021 but only introduced the bill to the House of Commons in the summer of 2022, putting it on hold until March 2023 after a co-design process with business leaders and data experts (ourselves included). Interestingly, an analysis has shown minimal differences between the original bill and the second version, with disparities of no more than approximately 1%. So surely, there’s not all that much to debate?
Divergent Opinions and Criticisms
Despite this, critics of the DPDI remain vocal, with groups like the Open Rights Group asserting that the reforms favour large corporations and undermine consumers’ rights to access their information. Some argue that the reforms do not go far enough. In contrast, the DMA has given its full support to the reforms, following extensive consultation with the industry – including us. Our intention to engage was to ensure that the importance of data hygiene and data processing security both remain a key focus of data protection legislation moving forward.
How Does DPDI Differ from GDPR?
With this in mind how does DPDI differ from GDPR? (Note point 2!)
Scope and Applicability:
- GDPR has global extraterritorial reach.
- DPDI is a national legislation, applicable to a specific country or region, likely the UK.
Data Hygiene Emphasis:
- DPDI emphasises data hygiene, requiring organisations to ensure data accuracy and relevance.
- GDPR mandates data accuracy but doesn’t explicitly focus on data hygiene.
Focus on Digital Information:
- GDPR covers all forms of personal data processing.
- DPDI focuses specifically on digital information, acknowledging the unique challenges of the digital realm.
Provisions for Emerging Technologies:
- DPDI adapts to emerging technologies like AI, blockchain, and IoT.
- GDPR was introduced before these technologies gained prominence.
Legislative Process:
- GDPR is a regulation directly applicable across EU member states.
- DPDI is a national bill that must pass through the UK’s legislative process.
Enforcement and Penalties:
- GDPR includes substantial fines for non-compliance, up to €20 million or 4% of global annual turnover.
- DPDI may have its enforcement mechanisms and penalties, potentially differing from GDPR.
Timing and Evolution:
- GDPR has been in effect since May 2018.
- DPDI is a more recent development, allowing for potential changes in response to evolving data protection needs.
What does this all mean?
Irrespective of DPDI’s fate, what is becoming increasingly clear is that data protection legislation of today shapes the integrity of our tomorrow. In this journey, the conclusion is not just a matter of law; it’s a matter of integrity, one that defines our commitment to marketing built on trust, transparency, and respect for data.