The Data Protection and Digital Information Bill seeks to reform the United Kingdom’s laws surrounding data privacy, currently set out in the United Kingdom General Data Protection Regulation. On 24 November, the UK Government introduced a number of new amendments to the Bill. Described by the UK Government as ‘common-sense’, these amendments make important changes to how the Bill protects and impacts the privacy of data subjects.
The History of the Bill
The Data Protection and Digital Information Bill (the Bill) has been hard fought by the current UK Government. First introduced in July 2022, the Bill was abandoned in September 2022 under the Truss Government before being replaced in March 2023 by the Data Protection and Digital Information Bill (No. 2). On 29 November 2023, the House of Commons voted to progress the Bill through the report stage of consideration and onto its third reading. This affirmed the 124 pages of amendments that had been added to the Bill in the preceding week.
The amendments added to the Bill centre around improving data security, bolstering national security, and preventing fraud.[1] However, questions are being raised as to whether these amendments focus too strongly on protecting and enabling the interests of the Government as opposed to the interests of those whose personal information is being accessed.
Prevention of Benefit Fraud
A significant reform proposed by the new amendments requires banks and financial organisations to allow the UK Department for Work and Pensions to monitor the accounts of beneficiaries.[2] The current law allows the Department to check individual beneficiary accounts only when there is already a reasonable suspicion of fraud.
The reform proposes to drastically loosen this requirement by allowing regular checks to be undertaken on any beneficiary account without needing reasonable cause. This change will allow the Government to actively monitor beneficiaries’ savings and whether they are in breach of benefit requirements. The UK Government suggests that this will save the taxpayer up to GBP£600 million over the next 5 years. However, the Department for Work and Pensions has noted that “the power is not limited to a specific type of data”.[3] This reform could open the door to beneficiaries having other sensitive information accessed without reasonable cause.
When benefit fraud is suspected in New Zealand, the Ministry of Social Development (the MSD) must, in most cases, request information directly from the beneficiary before contacting a third party.[4] The Ministry can only reach out to third parties directly if there are reasonable grounds to suspect that contacting the beneficiary would prejudice the maintenance of the law. In 2019, the Privacy Commissioner found that the MSD had systemically failed to properly notify beneficiaries before reaching out to third parties, and had made overly broad and disproportionate requests for information.[5]
Even this level of intrusion, which was a cause for significant concern and criticism from the Privacy Commissioner,[6] is not commensurate with the extensions supported by the new UK reforms.
Subject Access Requests
The current law requires that data controllers only refuse subject access requests (inquiries by data subjects into how their personal data is being stored and used) when the requests are “manifestly unfounded or excessive”. Previous iterations of the Bill had drawn criticism by lowering the standard to refuse inquiries that are “vexatious or excessive”.[7] A new amendment to the Bill has now lowered the standard even further, clarifying that data controllers are only required to carry out searches that are “reasonable and proportionate”.[8] This empowers data controllers to reject inquiries that they deem of “low importance or of low relevance to the data subject”.[9] This change makes it easier for inquiries to be rejected and more difficult for data subjects to have transparency around the use of their data.
Compared to the New Zealand approach to rejecting subject access requests, this reform appears to offer UK data subjects markedly less access to their personal information. New Zealand data subjects have a right to apply for access to their personal information to any organisation that is holding it.[10] Organisations can only refuse requests if providing the data risks prejudicing the security or defence of New Zealand, is likely to pose a serious threat to the life, health or safety of any individual, relates to trade secrets, or cannot be found despite reasonable efforts.[11]
Data Preservation Requirements
New amendments to the Bill will require social media companies to preserve the personal data of a child who is suspected to have committed suicide.[12] Currently, this private information can be deleted by social media platforms through routine maintenance. The reform intends to preserve the data to ensure it can be used in coroners’ investigations.
Senior coroners will be required to inform the Office of Communications that they are conducting an investigation in connection with the death of a specified child by suspected suicide. Social media sites must then be given notice of this inquiry in order to ensure the retention of the child’s information. The amendments also create related offences to capture instances where someone with notice deletes or alters the relevant information with the intention of preventing it from being available for the investigation.[13]
In New Zealand, every death that is suspected to result from suicide is reported to the coroner. However, there is currently no law requiring the retention of social media data in these cases. As awareness grows surrounding the effect that social media has on youth mental health,[14] it is possible that New Zealand will see similar laws implemented to ensure coroners have access to social media data as part of their inquiries.
Biometric Data Retention
The new amendments to the Bill allow the retention of biometric data by the UK Counter Terrorism Police. Under the proposed new reforms, biometric data of individuals who pose a potential terrorist threat can be retained for as long as an INTERPOL notice is in force.[15] Furthermore, the biometric data of individuals with foreign convictions can be retained by the UK Government indefinitely.
In New Zealand, agencies holding biometric data must not hold it for any longer than is necessary for the purposes for which it can lawfully be used. However, exceptions are permitted where agencies apply to the Privacy Commissioner and the Commissioner finds it is in the public interest to allow the information to be retained.[16] The Police, specifically, must destroy visual images and biometrics of a person as soon as a decision is made to not commence criminal prosecution proceedings against them, or as soon as criminal prosecution proceedings are completed and the outcome does not authorise continued storage.[17]
New rules surrounding the protection and regulation of biometric information in New Zealand are set to be released in draft form in 2024.[18] The Commissioner has indicated that these will focus on developing a proportionality assessment, increasing openness and transparency with data subjects, and placing restrictions on collection and use of biometric data. This preliminary direction indicates that our new rules will promote increased data subject control. Combined with national considerations of biometrics as taonga, the regulation of biometric data may become an area of increased difference between New Zealand and the UK’s privacy laws in the future.
Information Commissioner’s Office
The new amendments include changes that directly respond to criticisms of previous versions of the Bill. The latest amendments have established that the Secretary of State will not be able to veto codes of practice issued by the Information Commissioner’s Office and will instead only be empowered to issue non-binding recommendations.[19] The Bill had previously required that the Commissioner consider the Secretary of State’s recommendations and that it provide reasons if deciding not to follow them. This had threatened the Commission’s independence and the UK’s adequacy status in the eyes of the EU.
The new amendments join a host of other reforms set to significantly change the UK data and privacy landscape. Described as making the most of the Brexit break,[20] the Bill reflects that the UK’s privacy protection is moving in a divergent direction away from the EU’s standards. Interestingly, the Bill appears to be going against the tide of UK and international commentators calling for stricter data protection and more personal control over data.[21] Instead, the reforms reflect an intention to make data more easily accessible to the UK Government and corporations, with the goal of fuelling “more practical ways to access data”.[22]
If the EU decides to revoke the UK’s adequacy standard as a result of these changes, this has the potential to threaten the ease of data transfer between the UK and the EU, as well as other countries with strict international data transfer restrictions. New Zealand’s Privacy Act requires that foreign countries receiving data transfers provide comparable safeguards to those provided by our Privacy Act. It is likely that any changes to the EU’s determination of the UK’s adequacy status will greatly influence New Zealand’s ability and willingness to transfer data to the UK.
The prevention of benefit fraud and terrorism, among the many other respectable motivations of the Bill, is important. However, those interested in privacy reform should watch closely to determine whether the balance struck by the Bill is able to achieve its desired goals without unduly infringing on the privacy expectations of data subjects.
If you have any questions about the matters raised in this article, please get in touch with the contacts listed or your usual Bell Gully adviser.
[1] Changes to Data Protection Laws to Unlock Post-Brexit Opportunity (www.gov.uk).
[2] Changes to Data Protection Laws to Unlock Post-Brexit Opportunity (www.gov.uk).
[3] Bank Spying Clause Added to Data Protection and Digital Information Bill (www.retailbankerinternational.com).
[4] Social Security Act 2018, sch 6, cls 2–9.
[5] MSD fraud investigations “intrusive, excessive and inconsistent with legal requirements” - Privacy Commissioner (www.privacy.org.nz).
[6] MSD fraud investigations “intrusive, excessive and inconsistent with legal requirements” - Privacy Commissioner (www.privacy.org.nz).
[7] UK Data Bill Favours Big Business and ‘Shady’ Tech Firms Rights Group Claims (www.theguardian.com/).
[8] Data Protection and Digital Information Bill (Amendment Paper) at 3.
[9] Hansard: Data Protection and Digital Information Bill.
[10] Principle 6 - Access to personal information (www.privacy.org.nz).
[11] See Privacy Act 2020 sections 49–53 for the comprehensive list of reasons to refuse subject requests.
[12] Data Protection and Digital Information Bill (Amendment Paper) at 28–32.
[13] Data Protection and Digital Information Bill (Amendment Paper) at 28–32.
[14] Teens, social media and mental health: ‘New Zealand has been incredibly slow to respond’ (www.nzherald.co.nz).
[15] Data Protection and Digital Information Bill (Amendment Paper) at 37.
[16] Privacy Act 2020, s 30.
[17] Policing Act 2008, s 34.
[18] Privacy Commissioner to consult on new rules for biometrics (www.privacy.org.nz).
[19] Data Protection and Digital Information Bill (Amendment Paper) at 5–6.
[20] House of Commons Library: The Data Protection and Digital Information Bill: progress of the Bill.
[21] Letter from Georgina O’Toole and Adam Hale to Michelle Donelan (27 October 2022); and UK Data Bill Favours Big Business and ‘Shady’ Tech Firms Rights Group Claims (www.theguardian.com/).
[22] Changes to Data Protection Laws to Unlock Post-Brexit Opportunity (www.gov.uk).