Data Protection and Digital Information (No. 2) Bill
A Bill to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about access to customer data and business data; to make provision about privacy and electronic communications; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; to make provision about the disclosure of information to improve public service delivery; to make provision for the implementation of agreements on sharing information for law enforcement purposes; to make provision about the keeping and maintenance of registers of births and deaths; to make provision about information standards for health and social care; to establish the Information Commission; to make provision about oversight of biometric data; and for connected purposes.
- Originating House: Commons
- Current House: Commons
- Current Stage: Report stage
- Sponsors: Michelle Donelan (Department for Science, Innovation and Technology)
- Link: https://bills.parliament.uk/bills/3430
The analysis below is based on the latest amended version of the bill found on 23rd July 2023. You can find the exact PDF document here: https://publications.parliament.uk/pa/bills/cbill/58-03/0314/220314.pdf
Below we have highlighted changes found in the most recent amended version of the bill as of the analysis date of 23rd July 2023, so it may not reflect the latest changes. Those highest up have been flagged as impactful or worthy of public scrutiny or attention. These are likely to be the highest-signal parts of the bill; members of the public might benefit from seeing them.
Important: This document is not guaranteed to reflect the content of the bill, and may be entirely inaccurate in its summaries. This is an experimental analysis.
You are urged to read the bill itself on the official parliament bills website: https://bills.parliament.uk/bills/3430
- 🔴 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: amendment
eIDAS Regulation
The bill proposes to amend the eIDAS Regulation to allow the Secretary of State to remove recognition of EU standards and conformity assessment bodies, revoke certain articles, and remove references to trust service providers established in the EU and to European standards or equivalent EU law.
Exemplar quote from bill: ... description of trust services provider (and trust service) if it is a conformity assessment body in relation to that description of provider (and service) for the purposes of the equivalent EU law.” ...89 Removal of recognition of EU standards etc (1) The Secretary of State may by regulations— (a) amend Article 24A of the eIDAS Regulation (recognition of EU standards etc for qualified trust services) so as to remove circumstances in which something is to be treated as qualified under that Regulation for the purposes of a provision or measure specified in paragraph 1 of that Article; (b) revoke that Article; (c) revoke Article 24B of the eIDAS Regulation (recognition of EU conformity assessment bodies); (d) revoke Article 51 of the eIDAS Regulation (transitional measures for electronic signatures); (e) amend a provision listed in subsection (3) so as to remove a reference to a trust service provider established in the EU; (f) amend a provision listed in subsection (4) so as to remove a reference to European standards or provisions of equivalent EU law.... (2) The power under subsection (1)(a) includes power to amend or remove an assumption in Article 24A(2) of the eIDAS Regulation. (3) The provisions mentioned in subsection (1)(e) are— (a) Article ...
- ‼️ Justice System
(Variously affected)
- 🔴 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: abolition
The office of Information Commissioner
The bill abolishes the office of the Information Commissioner.
Exemplar quote from bill: ...elating to the person who holds the 15 office of Information Commissioner immediately before the day on which Schedule 13 comes into force. 101 Abolition of the office of Information Commissioner (1) ...The office of Information Commissioner is abolished.... (2) Accordingly, the 2018 Act is amended as follows. 20 (3) In section 3 (terms relating to the processing of personal data) omit subsection (8). (4) Omit section 114 (the Information Commissioner) a...
- ‼️ Political Power
(Variously affected)
- ‼️ Justice System
(Variously affected)
- 🔴 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: abolition
The office of Commissioner for the Retention and Use of Biometric Material
The bill abolishes the office of Commissioner for the Retention and Use of Biometric Material.
Exemplar quote from bill: ...ion, references to rights and liabilities include rights and liabilities relating to a contract of employment. Oversight of biometric data 104 Oversight of retention and use of biometric material (1) ...The office of Commissioner for the Retention and Use of Biometric Material is abolished....d. (2) Part 1 of the Protection of Freedoms Act 2012 (regulation of biometric data) is amended in accordance with subsections (3) to (6). (3) 10 For the heading before section 20 substitute “Functions...
- ‼️ Political Power
(Variously affected)
- ‼️ Justice System
(Variously affected)
- ‼️ Human Rights
(Variously affected)
- 🔴 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: deletion
Office of Surveillance Camera Commissioner
The bill proposes to abolish the office of the Surveillance Camera Commissioner.
Exemplar quote from bill: ...er that paragraph insert— “(ia) the Investigatory Powers Commissioner (as defined in section 263(1) of the Investigatory Powers Act 2016),”. 105 Removal of provision for regulation of CCTV etc 20 (1) ...The office of Surveillance Camera Commissioner is abolished.... (2) In the Protection of Freedoms Act 2012, omit Chapter 1 of Part 2 (regulation of CCTV and other surveillance technology). (3) In consequence of that repeal— (a) in Part 3 of Schedule 1 to the Hous...
- ‼️ Justice System
(Variously affected)
- ‼️ Human Rights
(Variously affected)
- 🔴 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: deletion
Article 89
The bill proposes the deletion of Article 89, which pertains to safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Exemplar quote from bill: ... paragraphs 2 to 4 of that Article. 3. Regulations under this Article are subject to the affirmative resolution 20 procedure.” (3) In the heading of Chapter 9, after “relating to” insert “other”. (4) ...Omit Article 89 (safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes)....s). (5) The 2018 Act is amended in accordance with subsections (6) and (7). (6) Omit section 19 (processing for archiving, research and statistical purposes: safeguards) and the italic heading before ...
- ‼️ Digital Privacy
(Variously affected)
- ‼️ Human Rights
(Variously affected)
- 🔴 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 148C
The bill introduces a new offence for making false statements in response to an interview notice.
Exemplar quote from bill: ... His Majesty’s Chief Inspector of Education, Children’s 35 Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000. 148C False statements made in response to interview notices ...It is an offence for an individual, in response to an interview notice— (a) to make a statement which the individual knows to be false in a material respect, or (b) recklessly to make a statement which is false in a material 40 respect.”... (3) In section 149 (enforcement notices), in subsection (9)(b)— (a) after “an assessment notice” insert “, an interview notice”, and Data Protection and Digital Information (No. 2) Bill 63 Part 1—Dat...
- ‼️ Justice System
(Variously affected)
- 🟠 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: deletion
UK GDPR
The bill proposes to delete Articles 37 to 39 of the UK GDPR, which relate to the designation, position, and tasks of the data protection officer.
Exemplar quote from bill: ...nsible individual, except where such instructions would involve a conflict of interests. 26 Data Protection and Digital Information (No. 2) Bill Part 1—Data protection Section 1B Processor etc”. (3) ...Omit Articles 37 to 39 (designation, position and tasks of data protection officer) and the section heading before Article 37.... (4) The 2018 Act is amended in accordance with subsections (5) and (6). 5 (5) After section 58 insert— “Senior responsible individual 58A Designation of senior responsible individual (1) 10 This sect...
- ‼️ Corporate Governance
This change would remove the requirement for organizations to have a designated data protection officer, which could significantly impact their governance structures and processes.
- ‼️ Data Protection
This change could potentially weaken data protection if the role of the data protection officer is not adequately replaced by the new senior responsible individual.
- 🟠 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
Part 2—Digital verification services
The bill proposes a new provision allowing public authorities to disclose personal information to registered persons for the purpose of providing digital verification services.
Exemplar quote from bill: ...a person is registered in the DVS register, and (b) an individual makes a request to the person for the provision of digital verification services in respect of which the person is registered. (2) 35 ...A public authority may disclose to the person information relating to the individual for the purpose of enabling the person to provide the digital verification services for the individual.... (3) A disclosure of information under this section does not breach— (a) any obligation of confidence owed by the public authority making the disclosure, or 80 Data Protection and Digital Information ...
- ‼️ Human Rights
(Variously affected)
- ‼️ Digital Privacy
(Variously affected)
- 🟠 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
Section 61
The Secretary of State and the Treasury are given powers to make provisions regarding access to customer data and business data.
Exemplar quote from bill: ...10 with the day on which section 47 comes into force. (3) The reports must be published not more than 12 months apart. PART 3 CUSTOMER DATA AND BUSINESS DATA 61 Customer data and business data 15 (1) ...This Part confers powers on the Secretary of State and the Treasury to make provision in connection with access to customer data and business data.... (2) In this Part— “business data”, in relation to a trader, means— (a) information about goods, services and digital content supplied 20 or provided by the trader, (b) information relating to the sup...
- ‼️ Privacy
This change could potentially impact privacy, depending on the provisions made by the Secretary of State and the Treasury.
- ‼️ Economic Impact
This change could potentially impact businesses, depending on the provisions made by the Secretary of State and the Treasury.
- 🟠 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
Section 62
The Secretary of State or the Treasury can make regulations requiring a data holder to provide customer data to the customer or an authorised person, at the request of the customer or the authorised person.
Exemplar quote from bill: ...s data includes a reference to a person obtaining access to such data or the ability to provide other persons with access to such data. 62 Power to make provision in connection with customer data (1) ...The Secretary of State or the Treasury may by regulations make provision requiring a data holder to provide customer data— (a) to the customer, at the customer’s request, or (b) to a person who is authorised by the customer to receive the data (an “authorised person”), at the customer’s request or at the authorised person’s request....st. (2) 35 The Secretary of State or the Treasury may by regulations make provision enabling or requiring a data holder— (a) to produce, collect or retain, or arrange for the production, collection or...
- ‼️ Privacy
This change could potentially impact privacy, depending on the regulations made by the Secretary of State or the Treasury.
- ‼️ Economic Impact
This change could potentially impact businesses, depending on the regulations made by the Secretary of State or the Treasury.
- 🟠 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
Regulation 6(1)
The bill proposes to give the Secretary of State the power to amend regulations by adding, omitting, or varying exceptions to the prohibition in regulation 6(1). The Secretary of State can also make consequential, incidental, or supplementary provisions amending these regulations.
Exemplar quote from bill: ...des a mobile application and 10 any other platform by means of which an information society service is provided.” (3) After regulation 6 insert— “6A Power to provide exceptions to regulation 6(1) (1) ...The Secretary of State may by regulations made by statutory instrument— (a) amend these regulations— 15 (i) by adding an exception to the prohibition in regulation 6(1), or (ii) by omitting or varying an exception to that prohibition, and (b) make consequential, incidental or supplementary provision 20 amending these regulations.... (2) Regulations under paragraph (1) may make different provision for different purposes. (3) 25 Before making regulations under paragraph (1), the Secretary of State must consult— (a) the Information...
- ‼️ Political Power
This change gives significant power to the Secretary of State to amend regulations, potentially impacting how data protection laws are enforced.
- 🟠 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
Regulation 6B
The bill proposes to give the Secretary of State the power to regulate the supply, provision, or availability of certain types of information technology. This regulation would only apply if the technology meets certain requirements.
Exemplar quote from bill: ...e instrument has been laid before, and approved by a resolution of, each House of Parliament. 6B Information technology to enable consent to be given, or an objection to be made, automatically (1) 35 ...The Secretary of State may by regulations made by statutory instrument provide that a person of a specified description may supply, provide or otherwise make available information technology of a specified description only if the technology meets specified requirements.... (2) The power conferred by paragraph (1) is to be exercised only for the 40 purpose of securing that information technology supplied, provided or otherwise made available enables users of the technol...
- ‼️ Political Power
This change gives the Secretary of State significant power to regulate the supply and provision of certain types of information technology, potentially impacting the tech industry and user privacy.
- ‼️ Tech Company Regulation
This change could have significant impacts on tech companies, as it gives the Secretary of State the power to regulate the supply and provision of certain types of information technology.
- 🟠 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: amendment
Chapter 5 of the UK GDPR
The bill proposes to amend Chapter 5 of the UK GDPR, which deals with transfers of personal data to third countries or international organisations. It suggests omitting Article 44 and 45 and inserting new Articles 44A and 45A, which provide new general principles for transfers and regulations for approved transfers, respectively.
Exemplar quote from bill: ...UK GDPR: journalistic, academic, artistic and literary purposes), omit sub-paragraph (ii). SCHEDULE 5 Section 21 TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES ETC: GENERAL PROCESSING 5 Introduction 1 ...Chapter 5 of the UK GDPR (transfers of personal data to third countries or international organisations) is amended as follows.... General principles for transfers 2 Omit Article 44 (transfers of personal data to third countries etc: general 10 principles for transfers). (1) (2) After that Article insert— “Article 44A General pr...
- ‼️ Human Rights
(Variously affected)
- ‼️ Justice System
(Variously affected)
- ‼️ National Security
(Variously affected)
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
UK GDPR Article 6
The bill proposes amendments to Article 6 of the UK GDPR to include processing necessary for the purposes of a recognised legitimate interest as a lawful basis for processing. It also provides for the Secretary of State to amend the conditions for processing based on a recognised legitimate interest by regulations, taking into account the interests and fundamental rights and freedoms of data subjects and the need to provide children with special protection with regard to their personal data.
Exemplar quote from bill: ...rts 3 and”, and (c) for “section” substitute “sections 33, 40A and”. Data protection principles 5 Lawfulness of processing (1) The UK GDPR is amended in accordance with subsections (2) to (5). 10 (2) ...In Article 6(1) (lawful processing)— (a) in point (e)— (i) after “task” insert “of the controller”, and (ii) after “or” insert “a task carried out”, (b) after that point insert— “(ea) processing is necessary for the purposes of a recognised legitimate interest;”, and (c) in the words after point (f), for “Point (f)” substitute “Points (ea) and (f)”....)”. (3) In Article 6(3) (basis for processing etc), in the second subparagraph— 20 (a) after “task” insert “of the controller”, and (b) after “interest or” insert “a task carried out”. (4) In Article ...
- ‼️ Human Rights
The proposed changes could potentially impact human rights by expanding the lawful bases for data processing to include processing necessary for the purposes of a recognised legitimate interest. This could potentially lead to more data processing activities, which could impact the rights of individuals.
- ‼️ Digital Privacy
The amendments could potentially impact digital privacy by expanding the lawful bases for data processing. However, the requirement for the Secretary of State to consider the interests and fundamental rights and freedoms of data subjects when making regulations could potentially enhance the protection of digital privacy.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Processing of personal data for a new purpose
The bill proposes that personal data can be processed for a new purpose if it is compatible with the original purpose under certain conditions. These conditions include the data subject's consent, the processing is for scientific, historical, or statistical purposes, the processing ensures compliance with Article 5(1), the processing meets a condition in Annex 2, or the processing is necessary to safeguard an objective listed in Article 23(1)(c) to (j) and is authorised by law.
Exemplar quote from bill: ...offences (see Article 10); (d) the possible consequences of the intended processing for data subjects; (e) the existence of appropriate safeguards (for example, encryption 20 or pseudonymisation). 3. ...Processing of personal data for a new purpose is to be treated as processing in a manner compatible with the original purpose where— (a) the data subject consents to the processing of personal data for the new purpose and the new purpose is specified, explicit and legitimate, (b) the processing is carried out in accordance with Article 84B— (i) for the purposes of scientific research or historical research, (ii) for the purposes of archiving in the public interest, or (iii) for statistical purposes, 30 (c) the processing is carried out for the purposes of ensuring that processing of personal data complies with Article 5(1) or demonstrating that it does so, (d) the processing meets a condition in Annex 2, or (e) the processing is necessary to safeguard an objective listed in 35 Article 23(1)(c) to (j) and is authorised by an enactment or rule of law....aw. 8 Data Protection and Digital Information (No. 2) Bill Part 1—Data protection 4. Where the controller collected the personal data based on Article 6(1)(a) (data subject’s consent), processing for...
- ‼️ Digital Privacy
This change could potentially impact digital privacy as it allows for the processing of personal data for new purposes under certain conditions. This could lead to increased data collection and usage, potentially impacting individuals' privacy rights.
- ‼️ Human Rights
This change could potentially impact human rights, particularly the right to privacy, as it allows for the processing of personal data for new purposes under certain conditions.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Amendment of Annex 2 by the Secretary of State
The bill proposes that the Secretary of State may amend Annex 2 by adding, varying, or omitting provisions. This gives the Secretary of State the power to make changes to the conditions under which personal data can be processed for a new purpose.
Exemplar quote from bill: ...riginal purpose if— (a) it falls within paragraph 3(a) or (c), or (b) it falls within paragraph 3(d) or (e) and the controller cannot 5 reasonably be expected to obtain the data subject’s consent. 5. ...The Secretary of State may by regulations amend Annex 2 by— (a) adding or varying provisions, or (b) omitting provisions added by regulations made under this paragraph....ph. 6. The Secretary of State may only make regulations under paragraph 5 adding a case to Annex 2 where the Secretary of State considers that processing in that case is necessary to safeguard an obje...
- ‼️ Digital Privacy
This change could potentially impact digital privacy as it gives the Secretary of State the power to amend the conditions under which personal data can be processed for a new purpose. This could lead to changes in data protection regulations, potentially impacting individuals' privacy rights.
- ‼️ Political Power
This change could potentially impact political power as it gives the Secretary of State the power to amend the conditions under which personal data can be processed for a new purpose. This could lead to changes in data protection regulations, potentially impacting the balance of power between the government and individuals.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Vexatious or excessive requests by data subjects
The bill proposes that if a request from a data subject is deemed vexatious or excessive, the controller may charge a reasonable fee for dealing with the request or refuse to act on the request. In any proceedings where there is an issue as to whether a request is vexatious or excessive, it is for the controller to show that it is.
Exemplar quote from bill: ...e end insert “(or refusal is allowed under Article 12A)”, and (b) in paragraph 5, omit from “Where requests” to the end. (3) After that Article insert— “Article 12A Vexatious or excessive requests ...1. Paragraph 2 applies where a request from a data subject under any of Articles 15 to 22 or 34 is vexatious or excessive. 2. The controller may— (a) charge a reasonable fee for dealing with the request (see section 12 of the 2018 Act), or (b) refuse to act on the request. 3. In any proceedings where there is an issue as to whether a request is vexatious or excessive, it is for the controller to show that it is.... 4. Whether a request is vexatious or excessive must be determined having regard to the circumstances of the request, including (so far as relevant)— (a) the nature of the request, (b) the relation...
- ‼️ Digital Privacy
This change could potentially impact digital privacy as it allows controllers to charge a fee or refuse to act on requests from data subjects that are deemed vexatious or excessive. This could potentially limit individuals' ability to access or control their personal data.
- ‼️ Human Rights
This change could potentially impact human rights, particularly the right to privacy, as it allows controllers to charge a fee or refuse to act on requests from data subjects that are deemed vexatious or excessive. This could potentially limit individuals' ability to access or control their personal data.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
UK GDPR Article 12 (transparent information, communication and modalities for the exercise of rights of the data subject)
The bill proposes to amend Article 12 of the UK GDPR, changing the time limit for responding to data subject requests from "within one month of receipt of the request" to "before the end of the applicable time period". It also allows for a delay in dealing with the request until the identity of the requester is confirmed.
Exemplar quote from bill: ...nformation (No. 2) Bill 9 Part 1—Data protection Data subjects' rights 7 Vexatious or excessive requests by data subjects (1) The UK GDPR is amended in accordance with subsections (2) and (3). (2) 5 ...In Article 12 (transparent information, communication and modalities for the exercise of rights of the data subject)— (a) in paragraph 3, for “within one month of receipt of the request” substitute “before the end of the applicable time period (see Article 12B)”, (b) in paragraph 4, for “without delay and at the latest within one month of receipt of the request” substitute “without undue delay, and in any event before the end of the applicable time period (see Article 12B),”, and (c) in paragraph 6— (i) after “may” insert “— (a)”, and (ii) at the end insert “, and (b) delay dealing with the request until the identity is confirmed.”...gs where there is an issue as to whether a request is vexatious or excessive, it is for the controller to show that it is. 4. Whether a request is vexatious or excessive must be determined having 20 r...
- ‼️ Human Rights
This change could potentially impact the rights of individuals to access their personal data in a timely manner, depending on the length of the "applicable time period". The ability to delay responses until identity is confirmed could also impact the speed of data access.
- ‼️ Digital Privacy
This change directly impacts digital privacy, as it pertains to individuals' rights to access their personal data.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
UK GDPR Article 12B
The bill proposes to insert a new Article 12B into the UK GDPR, which defines the "applicable time period" for responding to data subject requests. This period is one month from the latest of several possible times, and can be extended by two months if necessary due to the complexity or number of requests.
Exemplar quote from bill: ...e time period (see Article 12B),”, and (c) in paragraph 6— (i) after “may” insert “— (a)”, and 5 (ii) at the end insert “, and (b) delay dealing with the request until the identity is confirmed.” (3) ...After Article 12A (inserted by section 7 of this Act) insert— “Article 12B Meaning of “applicable time period” 1. In Article 12, “the applicable time period” means the period of one month beginning with the relevant time, subject to paragraph 3. 2. “The relevant time” means the latest of the following— (a) when the controller receives the request in question; (b) when the controller receives the information (if any) requested in connection with a request under Article 12(6); (c) when the fee (if any) charged in connection with the request under Article 12A is paid. 3. The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of— (a) the complexity of requests made by the data subject, or (b) the number of such requests....requests. 4. A notice under paragraph 3 must— 25 (a) be given before the end of the period of one month beginning with the relevant time, and (b) state the reasons for the delay. 5. 30 Where the contr...
- ‼️ Human Rights
This change could potentially impact the rights of individuals to access their personal data in a timely manner, depending on the length of the "applicable time period".
- ‼️ Digital Privacy
This change directly impacts digital privacy, as it pertains to individuals' rights to access their personal data.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 45A
The insertion of section 45A provides an exemption from sections 44 and 45 for legal professional privilege and confidentiality of communications.
Exemplar quote from bill: ...) For the italic heading before section 44 substitute— “Data subject’s rights to information”. (4) In the heading of section 44, omit “Information:”. (5) Omit the italic heading before section 45. ...(6) After that section insert— “45A Exemption from sections 44 and 45: legal professional privilege (1) Sections 44(2) and 45(1) do not require the controller to give the data subject— (a) information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications could be maintained in legal proceedings, or (b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.... (2) A controller relying on the exemption in subsection (1) must inform the data subject in writing without undue delay of— (a) the decision to rely on the exemption, (b) the reason for the decisio...
- ‼️ Justice System
(Variously affected)
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 51 (exercise of rights through the Commissioner)
The amendment to section 51 adds a new provision that allows the controller to rely on the exemption from sections 44(2) and 45(1) in section 45A (legal professional privilege).
Exemplar quote from bill: ...) The reference in subsection (1) to sections 44(2) and 45(1) includes sections 35 to 40 so far as their provisions correspond to the rights and obligations provided for in sections 44(2) and 45(1).” ...(7) In section 51 (exercise of rights through the Commissioner)— (a) in subsection (1), after paragraph (b) (but before the “or” at the end 25 of that paragraph) insert— “(ba) relies on the exemption from sections 44(2) and 45(1) in section 45A (legal professional privilege),”..., (b) in subsection (2), after paragraph (a) insert— “(aa) where subsection (1)(ba) applies, request the 30 Commissioner to check that the controller was entitled to rely on the exemption;”, (c) in su...
- ‼️ Justice System
(Variously affected)
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Regulatory powers of the Secretary of State
The bill proposes to grant the Secretary of State the power to regulate the extent of human involvement in automated decision-making.
Exemplar quote from bill: ... person must consider, among other things, the extent to which the conclusion reached on reconsideration is reached by means of profiling. 50D Further provision about automated decision-making (1) 25 ...The Secretary of State may by regulations provide that, for the purposes of sections 50A(1)(a) and 50C(3)(c), there is, or is not, to be taken to be meaningful human involvement in the taking or reconsideration of a decision in cases described in the regulations.... (2) The Secretary of State may by regulations provide that, for the 30 purposes of section 50A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant adverse ...
- ‼️ Political Power
The proposed change grants significant regulatory powers to the Secretary of State, potentially affecting the balance of power between the government and individuals or businesses.
- ‼️ Digital Privacy
The proposed change could impact digital privacy, depending on how the Secretary of State chooses to regulate human involvement in automated decision-making.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: deletion
Requirement for representatives for controllers outside the UK
The bill proposes to remove the requirement for representatives of controllers or processors not established in the United Kingdom.
Exemplar quote from bill: ...d organisational measures” substitute “appropriate measures, including technical and organisational measures,”. 13 Removal of requirement for representatives for controllers etc outside the UK (1) ...Omit Article 27 of the UK GDPR (representatives of controllers or processors not established in the United Kingdom).... (2) In consequence of that revocation, in the UK GDPR— (a) in Article 4 omit point (17) (definition of “representative”), (b) in Article 13(1)(a) (information to be provided where personal data is...
- ‼️ Digital Privacy
The proposed change could potentially weaken the protections for UK data subjects when their data is processed by controllers or processors outside the UK, as there would no longer be a requirement for a representative in the UK.
- ‼️ Economic Impact
The proposed change could potentially make it easier for foreign businesses to operate in the UK, as they would no longer need to appoint a representative in the UK.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 26(2)(f)
The bill proposes an amendment to Section 26(2)(f), adding a new provision that exempts the right to lodge a complaint with the Commissioner from the national security and defence exemption.
Exemplar quote from bill: ...itute “Article 84A of the UK GDPR (research, archives and statistics)”. National Security 24 National security exemption 25 (1) The 2018 Act is amended in accordance with subsections (2) to (10). (2) ...In section 26(2)(f) (national security and defence exemption), before sub-paragraph (i) insert—“(zi) Article 77 (right to lodge a complaint with the Commissioner);”....);”. (3) In section 44 (controller’s general duties to provide information to data subject)— (a) in subsection (4), omit paragraph (d) (grounds for restricting information provided: national security)...
- ‼️ National Security
(Variously affected)
- ‼️ Human Rights
(Variously affected)
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 4 of the 2018 Act (intelligence services processing)
The bill proposes to extend the application of Part 4 of the 2018 Act to include processing of personal data by a qualifying competent authority, provided that the processing is the subject of a designation notice that is currently in force.
Exemplar quote from bill: ...competent authorities 25 (1) Part 4 of the 2018 Act (intelligence services processing) is amended as follows. (2) In section 82 (processing to which Part 4 applies)— (a) before subsection (1) insert— ...“(A1) This Part— (a) applies to processing of personal data by an intelligence 30 service, and (b) applies to processing of personal data by a qualifying competent authority where the processing is the subject 35 of a designation notice that is for the time being in force (see sections 82A to 82E).”..., (b) in subsection (1)— (i) after “applies” insert “only”, (ii) in paragraph (a), for “the processing by an intelligence service” substitute “processing”, and 42 Data Protection and Digital Informati...
- ‼️ National Security
This change could potentially increase the scope of intelligence services' data processing capabilities, which could have implications for national security.
- ‼️ Human Rights
The extension of data processing to competent authorities could potentially impact individuals' privacy rights, depending on the nature and extent of the processing.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 4 of the 2018 Act (intelligence services processing)
The bill proposes to allow the Secretary of State to designate processing of personal data by a qualifying competent authority for the purposes of safeguarding national security.
Exemplar quote from bill: ...ations made by the Secretary of State.”, and (d) after subsection (3) insert— 10 “(4) Regulations under this section are subject to the affirmative resolution procedure.” (3) After section 82 insert— ...“82A Designation of processing by a qualifying competent authority (1) For the purposes of this Part, the Secretary of State may give a notice 15 designating processing of personal data by a qualifying competent authority (a “designation notice”) where— (a) an application for designation of the processing is made in accordance with this section, and (b) the Secretary of State considers that designation of the 20 processing is required for the purposes of safeguarding national security.... (2) The Secretary of State may only designate processing by a qualifying 25 competent authority that is carried out by the authority as a joint controller with at least one intelligence service. (3) ...
- ‼️ National Security
This change could potentially enhance national security by allowing the Secretary of State to designate certain data processing activities for this purpose.
- ‼️ Human Rights
The designation of data processing activities by competent authorities could potentially impact individuals' privacy rights, depending on the nature and extent of the processing.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 120E
The bill introduces a new provision that allows the Secretary of State to designate a statement of strategic priorities for data protection, provided certain requirements are met.
Exemplar quote from bill: ...ities (1) The 2018 Act is amended as follows. 15 (2) After section 120D (inserted by section 27 of this Act) insert— “Strategic priorities 120E Designation of statement of strategic priorities (1) 20 ...The Secretary of State may designate a statement as the statement of strategic priorities for the purposes of this Part if the requirements set out in section 120H are satisfied.... (2) The statement of strategic priorities is a statement prepared by the Secretary of State that sets out the strategic priorities of His Majesty’s government relating to data protection. (3) The Sec...
- ‼️ Political Power
This change could potentially increase the power of the Secretary of State in shaping the strategic direction of data protection.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 120F
The bill introduces a new duty for the Commissioner to consider the statement of strategic priorities when carrying out functions under the data protection legislation.
Exemplar quote from bill: ...n this Part, “the statement of strategic priorities” means the statement for the time being designated under subsection (1). 120F Duties of the Commissioner in relation to strategic priorities 30 (1) ...The Commissioner must have regard to the statement of strategic priorities when carrying out functions under the data protection legislation.... (2) 35 But the duty in subsection (1) does not apply when the Commissioner is carrying out functions in relation to a particular person, case or investigation. Data Protection and Digital Information...
- ‼️ Political Power
This change could potentially influence the Commissioner's actions and decisions in enforcing data protection legislation.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 135 of the 2018 Act
The bill proposes to amend Section 135 of the 2018 Act, changing the term "manifestly unfounded" to "vexatious" in the context of requests made to the Commissioner. It also proposes to omit subsections (2) and (4) of the same section.
Exemplar quote from bill: ...or “subsections (2) and (5)” substitute “subsection 10 (5)”. 32 Vexatious or excessive requests made to the Commissioner (1) The 2018 Act is amended in accordance with subsections (2) and (3). (2) 15 ...In section 135 (manifestly unfounded or excessive requests made to the Commissioner)— (a) in the heading, for “Manifestly unfounded” substitute “Vexatious”, (b) in subsection (1)— (i) for “manifestly unfounded” substitute “vexatious”, and (ii) after “excessive” insert “(see section 204A)”, (c) omit subsection (2), 20 (d) in subsection (3), for “manifestly unfounded” substitute “vexatious”, (e) omit subsection (4), and (f) after that subsection insert— “(5) 25 Article 57(3) of the UK GDPR (performance of Information Commissioner’s tasks generally to be free of charge for data subject) has effect subject to this section.”... (3) In section 136(1) (guidance about fees), omit paragraph (b) (and the “or” before it). (4) 30 In Article 57 of the UK GDPR (Information Commissioner’s tasks), omit paragraph 4. 33 Analysis of perf...
- ‼️ Justice System
This change could potentially affect how requests made to the Commissioner are evaluated and handled, possibly leading to a stricter interpretation of what constitutes a "vexatious" request.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Sections 142, 143, 145, 148, 160 of the 2018 Act and Schedule 17
The bill proposes to amend several sections of the 2018 Act (142, 143, 145, 148, 160) and Schedule 17, inserting the term "or documents" after "information" in various subsections. This expands the scope of these sections to include not just information, but also documents.
Exemplar quote from bill: ...ch the Commissioner’s performance can be measured most effectively. Documents and notices”. Enforcement 5 34 Power of the Commissioner to require documents (1) The 2018 Act is amended as follows. (2) ...In section 142 (information notices)— (a) in subsection (1)— (i) in paragraph (a), after “information” insert “or documents”, 10 and (ii) in paragraph (b), after “information” insert “or documents”, (b) in subsection (2)(b), after “information” insert “or documents”, (c) in subsection (3)— (i) in paragraph (a), after “information”, in both places it occurs, 15 insert “or documents”, (ii) in paragraph (b), after “information” insert “or documents”, (iii) in paragraph (c), after “information” insert “or documents”, and (iv) in paragraph (d), after “information” insert “or documents”, 20 (d) in subsection (5), after “information”, in the second place it occurs, insert “or documents”, (e) in subsection (6), after “information”, in the second place it occurs, insert “or documents”, and (f) in subsection (7)— 25 (i) in paragraph (a), for “is” substitute “or documents are”, and (ii) in the words after paragraph (b), after “information” insert “or documents”.... (3) In section 143 (information notices: restrictions)— (a) in subsection (1)(b)(ii), for “is” substitute “or documents are”, 30 (b) in subsection (2), after “information”, in the second place it occ...
- ‼️ Justice System
This change could potentially broaden the scope of information requests and notices, affecting how data protection laws are enforced.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 146A
The bill introduces a new provision that makes the controller or processor responsible for the payment of an approved person's remuneration and expenses when they are required to prepare a report following an assessment notice from the Commissioner.
Exemplar quote from bill: ...eparation of the report; (b) the contents of the report; (c) the form in which the report is to be provided; (d) the date by which the report is to be completed.” (c) after subsection (11) insert— ...“(11A) Where the Commissioner gives an assessment notice that requires the controller or processor to make arrangements for an approved person to prepare a report, the controller or processor is liable for the payment of the approved person’s remuneration and expenses under the arrangements.”... (d) in subsection (12), before the definition of “domestic premises” insert— ““approved person”, in relation to a ...
- ‼️ Economic Impact
This change could potentially increase the financial burden on controllers or processors, as they are now liable for the costs associated with preparing a report in response to an assessment notice.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 146A
The bill introduces a new requirement for the controller or processor to nominate a person to prepare a report within a specified period following an assessment notice.
Exemplar quote from bill: ...ces: approval of person to prepare report etc (1) 10 This section applies where an assessment notice requires a controller or processor to make arrangements for an approved person to prepare a report....“(2) The controller or processor must, within such period as is specified in the assessment notice, nominate to the Commissioner a person to prepare the report.”...(3) If the Commissioner is satisfied that the nominated person is a suitable 15 person to prepare the report, the Commissioner must by written notice to the controller or processor approve the nominat...
- ‼️ Bureaucratic Processes
This change introduces a new procedural requirement for controllers or processors, potentially increasing their administrative responsibilities.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 160
The bill introduces new guidance about regulatory action in relation to interview notices. This includes factors to consider when giving an interview notice, circumstances for varying the place or time of an interview, and how to proceed if an individual does not comply with an interview notice.
Exemplar quote from bill: ...on (1)(b), after “assessment notice” insert “, an interview notice”. (5) 5 In section 157 (maximum amount of penalty), in subsection (4), after “assessment notice” insert “, an interview notice”. (6) ...In section 160 (guidance about regulatory action)— (a) in subsection (1), after paragraph (b) insert— “(ba) interview notices,”, and (b) after subsection (5) insert— “(5A) In relation to interview notices, the guidance must include— 10 (a) provision specifying factors to be considered in determining whether to give an interview notice to an individual; (b) 15 provision about the circumstances in which the Commissioner would consider it appropriate to give an interview notice to an individual in reliance on section 148A(8) (urgent cases); (c) provision about the circumstances in which the 20 Commissioner would consider it appropriate to vary the place or time specified in an interview notice at the request of the individual to whom the notice is given; (d) provision about the nature of interviews carried out in accordance with an interview notice; (e) 25 provision about how the Commissioner will determine how to proceed if an individual does not comply with an interview notice.”... (7) In section 162 (rights of appeal), in subsection (1), after paragraph (b) insert— “(ba) an interview notice;”. (8) In section 164 (applications in respect of urgent notices)— (a) in subsection (1...
- ‼️ Justice System
(Variously affected)
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 165
The bill proposes to amend section 165 by omitting subsection (1), adding "the UK GDPR or" after "infringement of" in subsection (2), and adding a new subsection (5A) that allows the Commissioner to refuse to act on a complaint in reliance on section 165A.
Exemplar quote from bill: ...d. (5) Regulations under this section are subject to the negative resolution procedure.” 40 Power of the Commissioner to refuse to act on certain complaints (1) The 2018 Act is amended as follows. ...(2) In section 165 (complaints by data subject to the Commissioner)— (a) omit subsection (1), (b) in subsection (2), after “infringement of” insert “the UK GDPR or”, and (c) after subsection (5) insert— “(5A) Subsection (4) does not apply if the Commissioner refuses to act on the complaint in reliance on section 165A.”... (3) After section 165 insert— “165A Power of Commissioner to refuse to act on certain complaints (1) The Commissioner...
- ‼️ Human Rights
This change could potentially limit the rights of data subjects by allowing the Commissioner to refuse to act on their complaints under certain conditions.
- ‼️ Justice System
This change could potentially reduce the workload of the Commissioner by allowing them to refuse to act on certain complaints.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
UK GDPR, Chapter 9A
The bill proposes the insertion of a new Chapter 9A into the UK GDPR. This chapter provides for regulations made by the Secretary of State under the UK GDPR.
Exemplar quote from bill: ...and data subject’s rights)”. Data Protection and Digital Information (No. 2) Bill 73 Part 1—Data protection Miscellaneous 44 Regulations under the UK GDPR (1) In the UK GDPR, after Chapter 9 insert— ...“CHAPTER 9A Regulations 5 Article 91A Regulations made by Secretary of State 1. This Article makes provision about regulations made by the Secretary of State under this Regulation (“UK GDPR regulations”).... 2. Before making UK GDPR regulations, the Secretary of State must 10 consult— (a) the Commissioner, and (b) such other persons as the Secretary of State considers appropriate. 3. 15 Paragraph 2 does ...
- ‼️ Political Power
This change could potentially increase the power of the Secretary of State by allowing them to make regulations under the UK GDPR.
- ‼️ Digital Privacy
The ability for the Secretary of State to make regulations under the UK GDPR could have implications for digital privacy, depending on the nature of the regulations made.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 59
The Secretary of State is given the power to delegate their functions under this part of the bill to a person prescribed by regulations.
Exemplar quote from bill: ...s the same meaning as in section 48; “data protection legislation” has the same meaning as in the 2018 Act (see section 3(9) of that Act). 59 Arrangements for third party to exercise functions 35 (1) ...The Secretary of State may make arrangements for a person prescribed by regulations under this section to exercise functions of the Secretary of State under this Part (and where arrangements are made, references in this Part to the Secretary of State are to be read accordingly).... (2) Arrangements under this section may— 40 84 Data Protection and Digital Information (No. 2) Bill Part 2—Digital verification services (a) provide for the Secretary of State to make payments to th...
- ‼️ Political Power
This change could potentially shift some power from the Secretary of State to another person or entity, depending on who is prescribed by the regulations.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 3—Customer data and business data
The bill allows for regulations under this part to amend or repeal primary legislation in relation to the handling of complaints, the resolution of disputes, appeals, and provisions described in subsection (1)(h).
Exemplar quote from bill: ...; (g) confer functions on a person, including functions involving the exercise of a discretion; (h) make incidental, supplementary, consequential, transitory, transitional or saving provision. (2) ...Regulations under this Part making the following types of provision may amend or repeal primary legislation— (a) provision about the handling of complaints; (b) provision about the resolution of disputes; (c) provision about appeals; (d) provision described in subsection (1)(h).... (3) The following regulations under this Part are subject to the affirmative resolution procedure— (a) the first regulations under each of section 62(1), (2) and (3) making provision about a pa...
- ‼️ Justice System
The ability to amend or repeal primary legislation could have significant implications for the justice system, particularly in relation to the handling of complaints, the resolution of disputes, and appeals.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: deletion
Part 3—Customer data and business data
The bill proposes to omit sections 89 to 91 of the Enterprise and Regulatory Reform Act 2013, which relate to the supply of customer data.
Exemplar quote from bill: ...ion, “relevant person” means— (a) in the case of regulations made by the Treasury, the Treasury, and (b) otherwise, the Secretary of State. 76 Repeal of provisions relating to supply of customer data ...Omit sections 89 to 91 of the Enterprise and Regulatory Reform Act 2013 (supply of customer data).... 77 Interpretation of this Part In this Part— “application programme interface” has the meaning given by section 74(3) of the Communications Act 2003; “approved person” has the meaning given by ...
- ‼️ Digital Privacy
The omission of these sections could have significant implications for digital privacy, depending on what provisions they contained regarding the supply of customer data.
- ‼️ Tech Company Regulation
The omission of these sections could affect tech companies by potentially removing certain regulations related to the supply of customer data.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Regulation 22 of the PEC Regulations (use of electronic mail for direct marketing purposes)
The bill proposes an insertion to the PEC Regulations that allows for the sending of electronic mail for direct marketing purposes under certain conditions. These conditions include the marketing being for a charitable, political, or non-commercial objective, the contact details of the recipient being obtained during their expression of interest or support for the objective, and the recipient being given a simple means of refusing the use of their contact details for such marketing.
Exemplar quote from bill: ...r” there were substituted “the person”; (iii) for “the data protection legislation” there were substituted 30 “the requirements of the PEC Regulations”; (b) after subsection (1) there were inserted— “...(3A) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where— (a) the direct marketing is solely for the purpose of furthering a charitable, political or other non-commercial objective of that person; (b) that person obtained the contact details of the recipient of the electronic mail in the course of the recipient expressing an interest in or offering or providing support for the furtherance of that objective or a similar objective; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of their contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication....processor” there were substituted “person to whom the notice is given”; (f) in subsection (8)— (i) in paragraph (a), for “controller or processor” there were substituted “person to whom the notice is ...
- ‼️ Human Rights
This change could potentially impact individuals' rights to privacy, as it allows for their contact details to be used for direct marketing purposes under certain conditions. However, it also includes safeguards such as the requirement for the recipient to be given a simple means of refusing the use of their contact details for such marketing.
- ‼️ Political Power
This change could potentially impact the ways in which political entities are able to engage in direct marketing, as it allows for the use of electronic mail for this purpose when it is for a political objective.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 83
The bill proposes an insertion that allows the Secretary of State to provide an exception from a direct marketing provision for communications activity carried out for the purposes of democratic engagement, as long as it is not directed to individuals under the age of 14.
Exemplar quote from bill: ...ially collected, and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication.” 83 Direct marketing for the purposes of democratic engagement ...(1) The Secretary of State may by regulations provide an exception from a direct marketing provision for a case where communications activity— (a) is carried out for the purposes of democratic engagement, and (b) is not directed to individuals under the age of 14.... (2) For the purposes of subsection (1)(a), communications activity is carried out for the purposes of democratic engagement if— (a) the activity is carried out— (i) by, or at the instigation of,...
- ‼️ Human Rights
This change could potentially impact individuals' rights to privacy, as it allows for an exception from a direct marketing provision for communications activity carried out for the purposes of democratic engagement. However, it also includes a safeguard in that it cannot be directed to individuals under the age of 14.
- ‼️ Political Power
This change could potentially impact the ways in which political entities are able to engage in direct marketing, as it allows for an exception from a direct marketing provision for communications activity carried out for the purposes of democratic engagement.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: deletion
Regulation 31A and 31B
The bill proposes to delete regulation 31A and 31B, which deal with third party information notices and appeals against them.
Exemplar quote from bill: ...oses of enforcing these Regulations. (2) 10 In regulations 32 and 33, “enforcement functions” means the functions of the Information Commissioner under those provisions, as applied by that Schedule.” ...(6) Omit regulation 31A (third party information notices). (7) Omit regulation 31B (appeals against third party information notices).... (8) For Schedule 1 substitute the Schedule set out in Schedule 10. (9) In paragraph 58(1) of Schedule 20 to the 2018 Act (transitional provision 15 relating to the PEC Regulations) for “regulations 2...
- ‼️ Justice System
(Variously affected)
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: deletion
Section 21
The bill proposes to delete Section 21, which pertains to reports by the Commissioner.
Exemplar quote from bill: ...report under section 234 of the 35 Investigatory Powers Act 2016 must include information about the carrying out of the Commissioner’s functions under this section and the section 63D functions.” (5) ...Omit section 21 (reports by Commissioner).... 126 Data Protection and Digital Information (No. 2) Bill Part 5—Regulation and oversight (6) In section 22 (guidance on making national security determinations)— (a) in subsection (4)— (i) for “the ...
- ‼️ Justice System
(Variously affected)
- ‼️ Human Rights
(Variously affected)
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 5—Regulation and oversight
The bill introduces a definition for "biometric data", which is described as personal data that results from specific technical processing related to the physical, physiological, or behavioural characteristics of an individual. This data allows or confirms the unique identification of that individual.
Exemplar quote from bill: ...ument containing regulations under this section may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament. (13) In this section— ...“biometric data” means personal data resulting from specific 5 technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or dactyloscopic data;... “personal data” has the same meaning as in the Data Protection 10 Act 2018 (see section 3(2) of that Act).” PART 6 FINAL PROVISIONS 107 Power to make consequential amendments (1) The Secretary of Sta...
- ‼️ Human Rights
The definition of biometric data could have significant implications for privacy and data protection rights, as it includes sensitive information such as facial images.
- ‼️ Digital Privacy
This definition is crucial for setting the scope of data protection and privacy laws, particularly in relation to emerging technologies such as facial recognition.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 6—Final provisions
The bill grants the Secretary of State the power to make regulations that are consequential on any provision made by this Act.
Exemplar quote from bill: ...on of that individual, such as facial images or dactyloscopic data; “personal data” has the same meaning as in the Data Protection 10 Act 2018 (see section 3(2) of that Act).” PART 6 FINAL PROVISIONS ...107 Power to make consequential amendments (1) The Secretary of State may by regulations make provision that is consequential 15 on any provision made by this Act.... (2) Regulations under this section— (a) may make different provision for different purposes; (b) may include transitional, transitory or saving provision; (c) may amend, repeal or revoke any provisio...
- ‼️ Political Power
This provision grants significant power to the Secretary of State, allowing them to make consequential amendments to regulations based on the provisions of this Act.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Processing of data for democratic engagement
The bill introduces provisions for the processing of personal data for the purposes of democratic engagement. This includes processing carried out by elected representatives, candidates for election, permitted participants in a referendum, and accredited campaigners in relation to a recall petition. The processing must be necessary for the discharge of the representative's functions or for democratic engagement activities.
Exemplar quote from bill: ...t, harm or risk. Democratic engagement 9. This condition is met where- (a) the processing is carried out for the purposes of democratic engagement, and (b) the data subject is aged 14 or over. 25 10. ...For the purposes of paragraph 9, processing is carried out for the purposes of democratic engagement if— (a) the processing— (i) is carried out by an elected representative or a person acting with the authority of such a representative, and (ii) is necessary for the purposes of discharging the elected representative’s functions or for the purposes of the elected representative’s democratic engagement activities......, (b) the processing— (i) is carried out by a person or organisation included in a register 35 maintained under section 23 of the Political Parties, Elections and Referendums Act 2000, and 134 Data Pr...
- ‼️ Political Power
The change could potentially increase the power of elected representatives and other political actors by allowing them to process personal data for the purposes of democratic engagement. This could enhance their ability to engage with constituents and campaign effectively.
- ‼️ Human Rights
The change could potentially impact the right to privacy, depending on how the data is processed and used. However, the bill specifies that the processing must be necessary for democratic engagement activities, which could mitigate potential privacy concerns.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Purpose limitation: Processing to be treated as compatible with original purpose
The bill introduces a new annex to the UK GDPR, which provides for certain types of processing to be treated as compatible with the original purpose of data collection. This includes processing necessary for public security, responding to emergencies, detecting or preventing crime, protecting vital interests of data subjects, and safeguarding vulnerable individuals.
Exemplar quote from bill: ...y after the day on which those Wardmotes are held.” Data Protection and Digital Information (No. 2) Bill 137 Schedule 1—Lawfulness of processing: recognised legitimate interests SCHEDULE 2 Section 6 ...PURPOSE LIMITATION: PROCESSING TO BE TREATED AS COMPATIBLE WITH ORIGINAL PURPOSE In the UK GDPR, after Annex 1 (inserted by Schedule 1 to this Act) insert— “ANNEX 2 PURPOSE LIMITATION: PROCESSING TO BE TREATED AS COMPATIBLE WITH ORIGINAL PURPOSE......Disclosure for purposes of processing described in Article 6(1)(e) 1. This condition is met where— (a) the processing— 10 (i) is necessary for the purposes of making a disclosure of personal data to a...
- ‼️ Human Rights
The change could potentially impact the right to privacy, as it allows for certain types of processing to be treated as compatible with the original purpose of data collection. However, the bill specifies that the processing must be necessary for certain purposes, such as public security or safeguarding vulnerable individuals, which could mitigate potential privacy concerns.
- ‼️ National Security
The change could potentially enhance national security by allowing for processing necessary for public security and responding to emergencies.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Article 45A
The Secretary of State is given the power to amend or revoke regulations under Article 45A if the data protection test is no longer met in relation to approved transfers.
Exemplar quote from bill: ...going basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under Article 45A or to amend or revoke such regulations. 2. ...Where the Secretary of State becomes aware that the data protection test is no longer met in relation to transfers approved, or of a description approved, in regulations under Article 45A, the Secretary of State must, to the extent necessary, amend or revoke the regulations.... 3. Where regulations under Article 45A are amended or revoked in accordance with paragraph 2, the Secretary of State must enter into consultations with the third country or international organisat...
- ‼️ Political Power
This change gives the Secretary of State significant power to amend or revoke regulations related to data transfers, potentially impacting the operations of businesses and organizations that rely on such transfers.
- ‼️ Digital Privacy
The amendment could potentially improve data privacy if it leads to stricter regulations when the data protection test is not met. However, it could also lead to less privacy if regulations are loosened.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Article 46
The bill amends Article 46 to specify the conditions under which a transfer of personal data to a third country or international organization is subject to appropriate safeguards. These conditions include the provision of safeguards in connection with the transfer and the consideration by the controller or processor that the data protection test is met.
Exemplar quote from bill: ... the basis of appropriate safeguards) is amended as follows. (1) (2) In the heading, for “on the basis of” substitute “subject to”. (3) Omit subsection (1). 10 (4) After that subsection insert— “(1A) ...A transfer of personal data to a third country or an international organisation by a controller or processor is made subject to appropriate safeguards only— (a) in a case in which— (i) safeguards are provided in connection with the transfer as described in paragraph 2 or 3 or regulations made under Article 47A(4), and (ii) the controller or processor, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (see paragraph 6), or (b) in a case in which— (i) safeguards are provided in accordance with paragraph 2(a) by an instrument that is intended to be relied on in connection with the transfer or that type of transfer, and (ii) each public body that is a party to the instrument, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see paragraph 6).... and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see subsection (5)). (5) For...
- ‼️ Digital Privacy
This amendment could potentially improve data privacy by specifying the conditions under which data transfers are subject to appropriate safeguards.
- ‼️ Political Power
The amendment gives significant power to controllers, processors, and public bodies to determine whether the data protection test is met.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Article 47A
The bill introduces Article 47A, which allows the Secretary of State to specify standard data protection clauses by regulations. These clauses should be capable of securing that the data protection test set out in Article 46 is met.
Exemplar quote from bill: ...8 After Article 47 insert— “Article 47A Transfers subject to appropriate safeguards: further provision 1. ...The Secretary of State may by regulations specify standard data protection clauses which the Secretary of State considers are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations.... 2. The Secretary of State must keep under review the standard data protection clauses specified in regulations under paragraph 1 that are for the time being in force. 3. Regulations under paragrap...
- ‼️ Political Power
This change gives the Secretary of State significant power to specify standard data protection clauses, potentially impacting the operations of businesses and organizations that rely on data transfers.
- ‼️ Digital Privacy
The insertion could potentially improve data privacy by allowing for the specification of standard data protection clauses.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Article 49A
The bill proposes the insertion of Article 49A, which gives the Secretary of State the power to restrict the transfer of a category of personal data to a third country or international organisation for reasons of public interest.
Exemplar quote from bill: ...f State considers it desirable for the regulations to come into force without delay.” Public interest restrictions 10 After Article 49 insert— “Article 49A Restriction in the public interest 1. ...The Secretary of State may by regulations restrict the transfer of a category of personal data to a third country or international organisation where— (a) the transfer is not approved by regulations under Article 45A for the time being in force, and (b) the Secretary of State considers the restriction to be necessary for important reasons of public interest.... 2. Regulations under this Article— (a) are subject to the ...
- ‼️ National Security
This change could potentially enhance national security by preventing the transfer of sensitive personal data to foreign entities.
- ‼️ Human Rights
This change could potentially impact human rights, particularly the right to privacy, depending on how the Secretary of State exercises this power.
- ‼️ Digital Privacy
This change directly impacts digital privacy by providing a mechanism to restrict the transfer of personal data.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 73 (general principles for transfers)
The bill proposes amendments to Section 73, changing the conditions under which personal data may be transferred for law enforcement purposes. The transfer must now be carried out in accordance with other provisions of this Part, and in a relevant restricted transfer case, the overseas authoriser must have authorised the transfer.
Exemplar quote from bill: ... impact”. 40 Data Protection and Digital Information (No. 2) Bill 33 Part 1—Data protection (4) Section 65 of the 2018 Act (prior consultation) is amended in accordance with subsections (5) and (6). ...(2) In subsection (1)— (a) for “may not” substitute “may”, (b) for “unless” substitute “for a law enforcement purpose only if”, (c) omit paragraph (b) (and the “and” before it), and (d) after that paragraph insert— “(c) the transfer is carried out in accordance with the other provisions of this Part, and (d) in a relevant restricted transfer case, the overseas authoriser has authorised the transfer or subsection (5) applies.”..., and (c) in paragraph (b), omit “other”. 19 Law enforcement processing and codes of conduct (1) The 2018 Act is amended as follows. (2) In section 55(1) (overview and scope of provisions about contro...
- ‼️ National Security
This change could potentially enhance national security by ensuring that personal data transfers for law enforcement purposes are carried out under stricter conditions.
- ‼️ Human Rights
This change could potentially impact human rights, particularly the right to privacy, depending on how these conditions are applied.
- ‼️ Digital Privacy
This change directly impacts digital privacy by tightening the conditions under which personal data may be transferred for law enforcement purposes.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 74AA
The bill proposes the insertion of Section 74AA, which gives the Secretary of State the power to approve transfers of personal data to a third country or international organisation by regulations.
Exemplar quote from bill: ...) Omit subsection (7). Transfers approved by regulations 4 (1) Omit section 74A (transfers based on adequacy regulations). (2) After that section insert— “74AA Transfers approved by regulations 5 (1) ...For the purposes of section 73, the Secretary of State may by regulations approve transfers of personal data to— (a) a third country, or (b) an international organisation.... (2) The Secretary of State may only make regulations under this section 10 approving transfers to a third country or international organisation if the Secretary of State considers that the data prote...
- ‼️ National Security
This change could potentially enhance national security by providing a mechanism for the Secretary of State to control the transfer of personal data to foreign entities.
- ‼️ Human Rights
This change could potentially impact human rights, particularly the right to privacy, depending on how the Secretary of State exercises this power.
- ‼️ Digital Privacy
This change directly impacts digital privacy by providing a mechanism for the Secretary of State to control the transfer of personal data.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 74B (transfers based on adequacy regulations: review etc)
The bill proposes amendments to Section 74B, changing its title to "Transfers approved by regulations: monitoring" and omitting subsections (1) and (2). It also proposes changes to subsections (3) and (4) to refer to section 74AA instead of 74A, indicating a shift in the approval process for data transfers.
Exemplar quote from bill: ...n the third country or international organisation.” Transfers approved by regulations: monitoring 10 5 Section 74B (transfers based on adequacy regulations: review etc) is amended as follows. (1) (2) ...For the heading substitute “Transfers approved by regulations: monitoring”.... (3) Omit subsections (1) and (2). (4) In subsection (3), for “under section 74A” substitute “giving approval under 15 section 74AA”. (5) In subsection (4), for the words from the beginning to “otherw...
- ‼️ Digital Privacy
The proposed changes could potentially affect the process and standards for transferring personal data to third countries or international organisations, impacting digital privacy.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 75 (transfers on the basis of appropriate safeguards)
The bill proposes amendments to Section 75, changing its title to "Transfers subject to appropriate safeguards" and omitting subsection (1). It also proposes a new subsection (1A) that outlines conditions under which a transfer of personal data to a third country or an international organisation is made subject to appropriate safeguards.
Exemplar quote from bill: ...nd (c) omit paragraph (a) (together with the final “and”). 5 Transfers subject to appropriate safeguards 6 Section 75 (transfers on the basis of appropriate safeguards) is amended as follows. (1) (2) ...In the heading, for “on the basis of” substitute “subject to”.... (3) Omit subsection (1). 10 (4) After that subsection insert— “(1A) A transfer of personal data to a third country or an international organisation is made subject to appropriate safeguards only if— ...
- ‼️ Digital Privacy
The proposed changes could potentially affect the safeguards for transferring personal data to third countries or international organisations, impacting digital privacy.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 76 (transfers on the basis of special circumstances)
The bill proposes amendments to Section 76, changing its title to "Transfers based on special circumstances" and inserting a new subsection (A1) that outlines conditions under which a transfer of personal data to a third country or an international organisation is based on special circumstances.
Exemplar quote from bill: ...or the data subject are to that protection taken as a whole.” Transfers based on special circumstances 10 7 Section 76 (transfers on the basis of special circumstances) is amended as follows. (1) (2) ...In the heading, for “on the basis of” substitute “based on”.... (3) Before subsection (1) insert— “(A1) A transfer of personal data to a third country or international 15 organisation is based on special circumstances where— (a) it is made in the absence of appro...
- ‼️ Digital Privacy
The proposed changes could potentially affect the conditions under which personal data can be transferred to third countries or international organisations under special circumstances, impacting digital privacy.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 78 (subsequent transfers)
The bill proposes amendments to Section 78, inserting new provisions in subsection (1) and a new subsection (1A) that outline conditions under which a subsequent transfer of personal data can be made without authorisation from the UK authoriser.
Exemplar quote from bill: ... or the Commissioner, (e) how long ago any previous complaint was made, and 5 (f) whether the complaint overlaps with other complaints made by the complainant to the subject or the Commissioner.” (3) ...In subsection (1)—(a) after “transfer” insert “—(a)”, and (b) at the end insert “(the “UK authoriser”), or (b) (subject to subsection (4)) that—(i) the data is not to be so transferred without such authorisation except where subsection (1A) applies, and (ii) where a transfer is made without such authorisation, the UK authoriser must be informed without delay.”... Act (see section 3(9) of that Act);”. (3) After point (15) insert— “(15A) 20 “direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to p...
- ‼️ Digital Privacy
The proposed changes could potentially affect the conditions under which subsequent transfers of personal data can be made, impacting digital privacy.
- ‼️ National Security
The proposed changes could potentially affect the conditions under which personal data can be transferred in the event of an immediate and serious threat to public or national security.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Schedule 7—Transfers of personal data to third countries etc: consequential and transitional provision
The bill proposes to treat regulations made under section 17A of the 2018 Act as if they were made under Article 45A of the UK GDPR. This change seems to be a part of a larger shift in the regulatory framework for data transfers.
Exemplar quote from bill: ...ers of personal data to third countries etc: consequential and transitional provision Part 1—Consequential provision PART 2 TRANSITIONAL PROVISION The UK GDPR: transfers approved by regulations 23 5 ...Regulations made under section 17A of the 2018 Act (transfers based on adequacy regulations) and in force immediately before the relevant day are to be treated, on and after that day, as if made under Article 45A of the UK GDPR (inserted by Schedule 5 to this Act)....ct). (2) In this paragraph, “the relevant day” means the day on which paragraph 4 of Schedule 5 to this Act comes into force. The UK GDPR: transfers subject to appropriate safeguards 10 24 For the pur...
- ‼️ Digital Privacy
This change could potentially affect the privacy of individuals' data during transfers to third countries. The impact would depend on the specifics of Article 45A of the UK GDPR.
- ‼️ Tech Company Regulation
Tech companies that transfer data to third countries would need to comply with the new regulatory framework, which could affect their operations.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Schedule 7—Transfers of personal data to third countries etc: consequential and transitional provision
The bill proposes new conditions for transfers of personal data to third countries or international organisations. These conditions include the transfer being made under arrangements entered into before a certain day, safeguards being provided in accordance with certain articles of the UK GDPR or the 2018 Act, and the transfer satisfying certain conditions if it had been made immediately before a certain day.
Exemplar quote from bill: ...5 to this Act). (2) In this paragraph, “the relevant day” means the day on which paragraph 4 of Schedule 5 to this Act comes into force. The UK GDPR: transfers subject to appropriate safeguards 10 24 ...For the purposes of Article 44A(1)(a) and (2)(b) of the UK GDPR (general principles for transfers of personal data), a transfer of personal data to a third country or an international organisation made on or after the relevant day is made subject to appropriate safeguards where— (a) the transfer is made under arrangements entered into before the relevant day, (b) safeguards are provided in accordance with paragraph 2 or 3 of Article 46 of the UK GDPR or paragraph 9 of Schedule 21 to the 2018 Act, and (c) if the transfer had been made immediately before the relevant day, it would have satisfied— (i) the condition in Article 46(1) of the UK GDPR relating to data subjects’ rights and legal remedies, and (ii) the requirements of the last sentence of Article 44 of the UK GDPR (level of protection must not be undermined).... undermined). (2) Sub-paragraph (1) has effect in addition to Article 46(1A) of the UK GDPR. (3) In this paragraph— “international organisation” has the same meaning as in the 2018 Act (see section 20...
- ‼️ Digital Privacy
This change could potentially affect the privacy of individuals' data during transfers to third countries. The impact would depend on the specifics of the new conditions.
- ‼️ Tech Company Regulation
Tech companies that transfer data to third countries would need to comply with the new conditions, which could affect their operations.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
paragraph 14(1)(b) (preventing fraud)
The bill proposes to insert a new sub-paragraph (iia) in paragraph 14(1)(b) that allows for the processing of personal data in preparation for disclosure as described in sub-paragraphs (i) or (ii).
Exemplar quote from bill: ... insert “, investigation”. (4) In paragraph 13(1)(a) (journalism etc in connection with unlawful acts and dishonesty etc), after “consists of” insert “, or is carried out in preparation for,”. (5) 10 ...In paragraph 14(1)(b) (preventing fraud), after sub-paragraph (ii) (but before the “or” at the end of that sub-paragraph) insert— “(iia) the processing of personal data carried out in preparation for disclosure described in sub-paragraph (i) or (ii),”.... (6) 15 In paragraph 24(1)(a) (disclosure to elected representatives), after “consists of” insert “, or is carried out in preparation for,”. 23 (1) Schedule 2 (exemptions etc from the UK GDPR) is amen...
- ‼️ Digital Privacy
(Variously affected)
- ‼️ Data Protection
(Variously affected)
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
paragraph 24(1)(a) (disclosure to elected representatives)
The bill proposes to insert a new phrase in paragraph 24(1)(a) that allows for the processing of personal data in preparation for disclosure to elected representatives.
Exemplar quote from bill: ...h (ii) (but before the “or” at the end of that sub-paragraph) insert— “(iia) the processing of personal data carried out in preparation for disclosure described in sub-paragraph (i) or (ii),”. (6) 15 ...In paragraph 24(1)(a) (disclosure to elected representatives), after “consists of” insert “, or is carried out in preparation for,”.... 23 (1) Schedule 2 (exemptions etc from the UK GDPR) is amended as follows. (2) In paragraph 2(1)(a) (crime), after “prevention” insert “, investigation”. (3) In paragraph 3(2)(b)(ii) (crime: risk ass...
- ‼️ Digital Privacy
(Variously affected)
- ‼️ Data Protection
(Variously affected)
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Schedule 2 (exemptions etc from the UK GDPR)
The bill proposes to insert the term "investigation" after "prevention" in paragraph 2(1)(a) of Schedule 2, expanding the scope of exemptions from the UK GDPR.
Exemplar quote from bill: ...disclosure described in sub-paragraph (i) or (ii),”. (6) 15 In paragraph 24(1)(a) (disclosure to elected representatives), after “consists of” insert “, or is carried out in preparation for,”. 23 (1) ...Schedule 2 (exemptions etc from the UK GDPR) is amended as follows. (2) In paragraph 2(1)(a) (crime), after “prevention” insert “, investigation”.... (3) In paragraph 3(2)(b)(ii) (crime: risk assessment systems), after “prevention” insert “, investigation”. 24 In paragraph 8(1)(b) of Schedule 8 (conditions for sensitive processing 20 under Part 3:...
- ‼️ Digital Privacy
(Variously affected)
- ‼️ Data Protection
(Variously affected)
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵 Moderate
- Type: amendment
Regulation 2 of the PEC Regulations
The bill proposes to amend the definition of "call" in Regulation 2 of the PEC Regulations to include attempts to establish a connection.
Exemplar quote from bill: ... (1) Regulation 2 of the PEC Regulations is amended as follows. (2) In paragraph (1)— (a) ...in the definition of “call”, at the end insert “, and a reference to making a call includes a reference to attempting to establish such a connection”..., and (b) in the definition of “communication”— (i) for “exchanged or conveyed between” substitute “transmitted to”, and (ii) for “conveyed”, in the second place it occurs, substitute “transmitted”....
- ‼️ Digital Privacy
This change could potentially impact digital privacy, as it expands the definition of a "call" to include attempts to establish a connection, potentially broadening the scope of data collection and monitoring.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵 Moderate
- Type: amendment
The Births and Deaths Registration Act 1953
The amendment changes the Births and Deaths Registration Act 1953 to allow the Registrar General to determine the form in which registers of live-births, still-births, and deaths are kept.
Exemplar quote from bill: ...3(2) of that Act); “processing” has the same meaning as in the 2018 Act (see section 3(4) of that Act). Registers of births and deaths 94 Form in which registers of births and deaths are to be kept ...(1) The Births and Deaths Registration Act 1953 is amended as follows. (2) For section 25 (provision of registers, etc, by Registrar General) substitute— “25 Form in which registers are to be kept, etc (1) Registers of live-births, still-births and deaths must be kept in such form as the Registrar General may reasonably require.... (2) The Registrar General may, in particular, require any such register to be kept in a form that secures that any information entered in the register by a registrar— (a) in the case of a register...
- ‼️ Public Health
This amendment could potentially impact public health by changing the way birth and death records are kept and accessed.
- 🟠 Flagged for scrutiny
- Impact: 🔵🔵 Moderate
- Type: amendment
Article 12 of the UK GDPR
The bill proposes amendments to Article 12 of the UK GDPR, changing the reference from "under Articles 15 to 22" to "made under or by virtue of Articles 15 to 22D".
Exemplar quote from bill: ...e UK GDPR 1 The UK GDPR is amended as follows. 2 Article 12 (transparent information, communication and modalities for the exercise of the rights of the data subject) is amended as follows. (1) (2) ...In paragraph 1, for “under Articles 15 to 22” substitute “made under or by virtue of Articles 15 to 22D”.... (3) In paragraph 2, for “22”, in both places, substitute “22D”. (4) In paragraph 3, for “under Articles 15 to 22” substitute “made under or by virtue of Articles 15 to 22D”. (5) In paragraph 5, fo...
- ‼️ Digital Privacy
This change could potentially affect the transparency of information, communication, and modalities for the exercise of the rights of the data subject.
- 🟢🟢 Flagged as ?positive?
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
Section 120A Principal objective
The bill introduces a new provision that sets the principal objective of the Commissioner in carrying out functions under the data protection legislation. The Commissioner is to secure an appropriate level of protection for personal data and promote public trust and confidence in the processing of personal data.
Exemplar quote from bill: ...018 Act is amended as follows. (2) Omit section 2(2) (duty of Commissioner when carrying out functions). (3) After section 120 insert— “Duties in carrying out functions 120A Principal objective ...It is the principal objective of the Commissioner, in carrying out functions under the data protection legislation— (a) to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest, and (b) to promote public trust and confidence in the processing of personal data.... 120B Duties in relation to functions under the data protection legislation In carrying out functions under the data ...
- ‼️ Human Rights
(Variously affected)
- ‼️ Justice System
(Variously affected)
- ‼️ Public Health
(Variously affected)
- 🟢🟢 Flagged as ?positive?
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: establishment
The Information Commission
The bill establishes a new body corporate called the Information Commission.
Exemplar quote from bill: ...ded as follows. Data Protection and Digital Information (No. 2) Bill 123 Part 5—Regulation and oversight (2) After section 114 insert— “The Information Commission 114A The Information Commission (1) ...A body corporate called the Information Commission is established.... (2) Schedule 12A makes further provision about the Commission.” 5 (3) In section 3 (terms relating to the processing of personal data), after subsection (8) insert— “(8A) “The Commission” means the I...
- ‼️ Political Power
(Variously affected)
- ‼️ Justice System
(Variously affected)
- 🟢🟢 Flagged as ?positive?
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
Schedule 12A
The bill proposes the insertion of a new Schedule 12A, which establishes the Information Commission. The Commission is not to be regarded as a servant or agent of the Crown, nor as enjoying any status, immunity or privilege of the Crown. The Commission's property is not to be regarded as property of the Crown, or as property held on behalf of the Crown. The number of members of the Commission is to be determined by the Secretary of State.
Exemplar quote from bill: ...on with a view to ensuring that the accreditation criteria are met.” SCHEDULE 13 Section 100 THE INFORMATION COMMISSION Schedule 12A to the 2018 Act 1 In the 2018 Act, after Schedule 12 insert— ...“SCHEDULE 12A Section 114A THE INFORMATION COMMISSION Status 1 (1) The Commission is not to be regarded— (a) as a servant or agent of the Crown, or (b) as enjoying any status, immunity or privilege of the Crown. (2) The Commission’s property is not to be regarded— (a) as property of the Crown, or (b) as property held on behalf of the Crown. Number of members 2 The number of members of the Commission is to be determined by the Secretary of State.... (1) (2) That number must not be— (a) less than 3, or (b) more than 14. (3) The Secretary of State may by regulations substitute a different number for the number for the time being specified in sub...
- ‼️ Tech Company Regulation
(Variously affected)
- ‼️ Cybersecurity
(Variously affected)
- ‼️ Freedom of Information
(Variously affected)
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: amendment
Sections 33 and 40 of the 2018 Act
The bill proposes amendments to the 2018 Act to provide a clear definition of "consent" in the context of data processing. It also outlines the conditions for consent, including the requirement for the controller to demonstrate that the data subject has given consent, the need for clear and plain language in consent requests, the right of the data subject to withdraw consent at any time, and the requirement for the controller or processor to inform the data subject of the right to withdraw consent before it is given.
Exemplar quote from bill: ...r expressed) include consent described in paragraph 7.” 4 Consent to law enforcement processing (1) The 2018 Act is amended as follows. (2) In section 33 (definitions), after subsection (1) insert— ...“(1A) “Consent” of the data subject to the processing of personal data means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data (and see section 40A).”... (3) In section 34(2) (overview of Chapter 2 of Part 3), after paragraph (a) (but before the “and” at the end of that paragraph) insert— “(aa) section 40A makes provision about processing carried o...
- ‼️ Human Rights
The proposed changes strengthen the rights of individuals by providing a clear definition of consent and outlining the conditions for its validity. This could potentially enhance the protection of personal data and ensure that individuals have more control over their data.
- ‼️ Digital Privacy
The amendments provide a clear framework for obtaining consent for data processing, which could potentially enhance digital privacy by ensuring that individuals are fully informed and have given explicit consent before their data is processed.
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
Automated decision-making safeguards
The bill proposes the introduction of safeguards for automated decision-making. These safeguards include providing the data subject with information about decisions taken in relation to them, enabling the data subject to make representations about such decisions, enabling the data subject to obtain human intervention on the part of the controller in relation to such decisions, and enabling the data subject to contest such decisions.
Exemplar quote from bill: ...the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with subsection (2) and any regulations under section 50D(4). (2) ...The safeguards must consist of or include measures which— (a) provide the data subject with information about decisions described in subsection (1) taken in relation to the data subject; (b) enable the data subject to make representations about such decisions; (c) enable the data subject to obtain human intervention on the part of the controller in relation to such decisions; (d) enable the data subject to contest such decisions.... (3) Subsections (1) and (2) do not apply in relation to a significant decision if— (a) exemption from those provision...
- ‼️ Human Rights
The proposed change enhances the rights of individuals in relation to automated decision-making, providing them with more control and transparency.
- ‼️ Digital Privacy
The proposed change strengthens digital privacy by ensuring human intervention in automated decision-making and providing individuals with the ability to contest such decisions.
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
Article 57(1) (Information Commissioner’s tasks)
The bill proposes to insert a new task for the Information Commissioner in Article 57(1). The Commissioner is to produce and publish a document containing examples of processing types that are likely to result in a high risk to the rights and freedoms of individuals.
Exemplar quote from bill: ... 1—Data protection (ii) for “to assess if processing is performed in accordance with the data protection impact assessment” substitute “of an assessment pursuant to paragraph 1 where necessary and”. ...(4) In Article 57(1) (Information Commissioner’s tasks), for paragraph (k) substitute— “(k) produce and publish a document containing examples of types of processing which the Commissioner considers are likely to result in a high risk to the rights and freedoms of individuals (for the purposes of Articles 27A, 30A and 35);”.... (5) The 2018 Act is amended in accordance with subsections (6) and (7). (6) Before section 64 insert— “Risk assessment and prior consultation”. (7) In section 64 (data protection impact assessment...
- ‼️ Data Protection
This insertion could enhance data protection by providing clear examples of high-risk processing, potentially helping entities to better understand and avoid such practices.
- ‼️ Human Rights
By highlighting processing types that pose a high risk to individuals' rights and freedoms, this change could help protect those rights.
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 68A (Codes of conduct)
The bill proposes to insert a new section, 68A, which mandates the Commissioner to encourage expert public bodies to produce codes of conduct that contribute to compliance with this Part. The Commissioner is also required to encourage the production of codes that consider the specific features of various processing sectors.
Exemplar quote from bill: ...of processing), at the end insert— “(3) Adherence to a code of conduct approved under section 68A may be used by a controller or processor as a means of demonstrating compliance with subsection (1).” ...(6) After section 68 insert— “Codes of conduct 68A Codes of conduct (1) The Commissioner must encourage expert public bodies to produce codes of conduct intended to contribute to compliance with this Part. (2) Under subsection (1), the Commissioner must, among other things, encourage the production of codes which take account of the specific features of the various processing sectors.... (3) For the purposes of this section— (a) “public body” means a body or other person whose functions are, or include, f...
- ‼️ Data Protection
The introduction of codes of conduct could enhance data protection by providing clear guidelines for compliance, particularly as these codes are to consider the specific features of various processing sectors.
- ‼️ Tech Company Regulation
The production of sector-specific codes of conduct could impact tech companies by providing clearer compliance guidelines, potentially reducing regulatory uncertainty.
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
Article 84C
The bill introduces Article 84C, which outlines the conditions under which the processing of personal data is considered to be carried out with appropriate safeguards. These conditions include the absence of substantial damage or distress to the data subject and the inclusion of technical and organisational measures for data minimisation, such as pseudonymisation.
Exemplar quote from bill: ... (3) of the 2018 Act (information relating to an identifiable living individual). Article 84C Appropriate safeguards 1. ...This Article makes provision about when the requirement under Article 84B(1) for processing of personal data to be carried out subject to appropriate safeguards is satisfied....d. 2. The requirement is not satisfied if the processing is likely to cause substantial damage or substantial distress to a data subject to whom the personal data relates. 3. The requirement is not...
- ‼️ Digital Privacy
(Variously affected)
- ‼️ Human Rights
(Variously affected)
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 82D Records of designation notices
The bill introduces a new provision that requires the Secretary of State to send a copy of the designation notice to the Commissioner, and the Commissioner must publish a record of the notice.
Exemplar quote from bill: ...ignated as soon as possible, and (b) where relevant, the time needed to effect an orderly transition to new arrangements for the processing of personal data. 82D Records of designation notices (1) ...Where the Secretary of State gives a designation notice— (a) the Secretary of State must send a copy of the notice to the Commissioner, and (b) the Commissioner must publish a record of the notice....ce. (2) The record must contain— (a) the Secretary of State’s name, (b) the date on which the notice was given, (c) the date on which the notice ceases to have effect (if not previously withdrawn),...
- ‼️ Human Rights
(Variously affected)
- ‼️ Justice System
(Variously affected)
- ‼️ Freedom of Information
(Variously affected)
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 82E Appeal against designation notice
The bill introduces a new provision that allows a person directly affected by a designation notice to appeal to the Tribunal against the notice.
Exemplar quote from bill: ... notice is in force. (5) Where the Secretary of State gives a withdrawal notice, the Secretary of State must send a copy of the notice to the Commissioner. 82E Appeal against designation notice (1) ...A person directly affected by a designation notice may appeal to the Tribunal against the notice.... (2) If, on an appeal under this section, the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Secretary of State did not have reasonable g...
- ‼️ Human Rights
(Variously affected)
- ‼️ Justice System
(Variously affected)
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 120H
The bill introduces a new provision that requires the Secretary of State to present the statement of strategic priorities to Parliament before it can be designated.
Exemplar quote from bill: ...protection (b) the amended statement was not designated because within the period mentioned in section 120H(2) either House of Parliament resolved not to approve it. 120H Parliamentary procedure (1) ...Before the Secretary of State designates a statement as the statement of strategic priorities, the Secretary of State must lay the statement before Parliament....t. (2) The Secretary of State must then wait until the end of the 40-day period and may not designate the statement if, within that period, either House of Parliament resolves not to approve it. (3...
- ‼️ Political Power
This change could potentially increase the transparency and accountability of the Secretary of State's actions in setting strategic priorities for data protection.
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
2018 Act
The bill proposes to insert a new section (139A) into the 2018 Act, requiring the Commissioner to prepare and publish an annual analysis of their performance using key performance indicators.
Exemplar quote from bill: ...paragraph (b) (and the “or” before it). (4) In Article 57 of the UK GDPR (Information Commissioner’s tasks), omit paragraph 4. 33 Analysis of performance In the 2018 Act, after section 139 insert— ...“139A Analysis of performance (1) The Commissioner must prepare and publish an analysis of the Commissioner’s performance using key performance indicators. (2) The analysis must be prepared and published at least annually. (3) In this section, “key performance indicators” means factors by reference to which the Commissioner’s performance can be measured most effectively.... Documents and notices”. Enforcement 34 Power of the Commissioner to require documents (1) The 2018 Act is amended as follows. (2) In section 142 (information notices)— (a) in subsection (1)— (i) in...
- ‼️ Public Health
This change could potentially increase transparency and accountability in the Commissioner's performance, which could have implications for public trust in data protection measures.
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
2018 Act
The bill proposes to insert new provisions into section 146 of the 2018 Act, allowing for the arrangement of an approved person to prepare a report on a specified matter and provide it to the Commissioner.
Exemplar quote from bill: ...or documents are”, and (b) in the words after paragraph (b), after “information” insert “or documents”. 35 Power of the Commissioner to require a report (1) The 2018 Act is amended as follows. (2) ...In section 146 (assessment notices)— (a) in subsection (2), after paragraph (i), insert— “(j) make arrangements for an approved person to prepare a report on a specified matter; (k) provide to the Commissioner a report prepared in pursuance of such arrangements.”... (b) after subsection (3) insert— “(3A) An assessment notice that requires a controller or processor to make arrangements for an approved person to prepare a report may require the arrangements to ...
- ‼️ Justice System
This change could potentially affect how assessments are conducted, possibly leading to more thorough and expert evaluations.
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 161A
The bill introduces a requirement for the Commissioner to produce and publish an annual report on regulatory action. This report must include information about UK GDPR investigations, such as the number of investigations, the types of acts and omissions investigated, the enforcement powers exercised, the duration of investigations, and the outcomes of investigations.
Exemplar quote from bill: ... insert— “(2A) The report under this section may include the annual report under section 161A.” (3) In the heading before section 160, at the end insert “and report”. (4) After section 161 insert— ...“161A Annual report on regulatory action (1) The Commissioner must produce and publish an annual report containing the information described in subsections (2) to (5). (2) The report must include the following information about UK GDPR investigations— (a) the number of investigations begun, continued or completed by the Commissioner during the reporting period, (b) the different types of act and omission that were the subject matter of the investigations, (c) the enforcement powers exercised by the Commissioner in the reporting period in connection with the investigations, (d) the duration of investigations that ended in the reporting period, and (e) the different types of outcome in investigations that ended in that period.... (3) The report must include information about the enforcement powers exercised by the Commissioner in the reporting per...
- ‼️ Justice System
(Variously affected)
- ‼️ Freedom of Information
(Variously affected)
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 164A
The bill proposes a new section that allows data subjects to make complaints directly to the controller if they believe there has been an infringement of the UK GDPR or Part 3 of the Act. The controller is required to facilitate the making of complaints, acknowledge receipt within 30 days, and respond without undue delay. The controller must also keep the complainant informed about the progress of the complaint.
Exemplar quote from bill: ...DPR (investigations on the application of the UK GDPR).” 39 Complaints to controllers (1) The 2018 Act is amended as follows. (2) Before section 165 (but after the cross-heading preceding it) insert— ...“164A Complaints by data subjects to controllers (1) A data subject may make a complaint to the controller if the data subject considers that, in connection with personal data relating to the data subject, there is an infringement of the UK GDPR or Part 3 of this Act. (2) A controller must facilitate the making of complaints under this section by taking steps such as providing a complaint form which can be completed electronically and by other means. (3) If a controller receives a complaint under this section, the controller must acknowledge receipt of the complaint within the period of 30 days beginning with the day on which it is received. (4) If a controller receives a complaint under this section, the controller must without undue delay— (a) take appropriate steps to respond to the complaint, and (b) inform the complainant of the outcome of the complaint. (5) The reference in subsection (4)(a) to taking appropriate steps to respond to the complaint includes— (a) making enquiries into the subject matter of the complaint, to the extent appropriate, and (b) informing the complainant about progress on the complaint.... 164B Controllers to notify the Commissioner of the number of complaints (1) The Secretary of State may by regulation...
- ‼️ Human Rights
This change empowers individuals by giving them a direct avenue to raise concerns about potential infringements of their data rights.
- ‼️ Justice System
This change could potentially increase the workload of controllers, as they will now be required to handle complaints directly and respond in a timely manner.
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 164B
The bill proposes a new section that allows the Secretary of State to require controllers to notify the Commissioner of the number of complaints they receive. The regulations may specify the form and manner of notification, the time or period within which a notification must be made, and how the number of complaints is to be calculated.
Exemplar quote from bill: ...ps to respond to the complaint includes— (a) making enquiries into the subject matter of the complaint, to the extent appropriate, and (b) informing the complainant about progress on the complaint....“164B Controllers to notify the Commissioner of the number of complaints (1) The Secretary of State may by regulations require a controller to notify the Commissioner of the number of complaints made to the controller under section 164A in periods specified or described in the regulations. (2) Regulations under this section may provide that a controller is required to make a notification to the Commissioner in respect of a period only in circumstances specified in the regulations. (3) Regulations under this section may include— (a) provision about a matter listed in subsection (4), or (b) provision conferring power on the Commissioner to determine those matters. (4) The matters are— (a) the form and manner in which a notification must be made, (b) the time at which, or period within which, a notification must be made, and (c) how the number of complaints made to a controller during a period is to be calculated. (5) Regulations under this section are subject to the negative resolution procedure.”... 40 Power of the Commissioner to refuse to act on certain complaints (1) The 2018 Act is amended as follows. (2) In section 165 (complaints by data subject to the Commissioner)— (a) omit subsection (1...
- ‼️ Human Rights
This change could potentially improve transparency and accountability in the handling of data protection complaints.
- ‼️ Justice System
This change could potentially increase the workload of controllers, as they will now be required to track and report the number of complaints they receive.
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 183A of the 2018 Act
The bill proposes the insertion of a new section 183A into the 2018 Act. This section provides that a law or rule that imposes a duty or confers a power to process personal data does not override the requirements of the main data protection legislation. However, this does not apply to a relevant enactment forming part of the main data protection legislation or if an enactment makes express provision to the contrary. It also does not prevent a duty or power to process personal data from being considered when determining if an exception to a requirement under the main data protection legislation is available.
Exemplar quote from bill: ...nd data subject’s rights 43 Protection of prohibitions, restrictions and data subject’s rights (1) The 2018 Act is amended in accordance with subsections (2) and (3). (2) After section 183 insert— ...“Prohibitions and restrictions etc on processing 183A Protection of prohibitions and restrictions etc on processing (1) A relevant enactment or rule of law which imposes a duty, or confers a power, to process personal data does not override a requirement under the main data protection legislation relating to the processing of personal data. (2) Subsection (1) does not apply— (a) to a relevant enactment forming part of the main data protection legislation, or (b) to the extent that an enactment makes express provision to the contrary referring to this section or to the main data protection legislation (or a provision of that legislation). (3) Subsection (1) does not prevent a duty or power to process personal data from being taken into account for the purpose of determining whether it is possible to rely on an exception to a requirement under the main data protection legislation that is available where there is such a duty or power.... (4) In this section— “the main data protection legislation” means the data protection legislation other than provision ...
- ‼️ Human Rights
This change strengthens the protection of personal data by ensuring that other laws or rules do not override the requirements of the main data protection legislation. This could have significant implications for the protection of privacy and personal data.
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
Paragraph 7
The bill introduces definitions for "safeguarding" and "vulnerable individual". Safeguarding refers to protecting a vulnerable individual from neglect or harm, or protecting their well-being. A vulnerable individual is defined as someone under 18 or someone 18 or over who is at risk.
Exemplar quote from bill: ...ct or another individual. Safeguarding vulnerable individuals 7. This condition is met where the processing is necessary for the purposes of safeguarding a vulnerable individual. 8. In paragraph 7— ...“safeguarding”, in relation to vulnerable individual, means — (a) protecting a vulnerable individual from neglect or physical, mental or emotional harm, or (b) protecting the physical, mental or emotional well-being of a vulnerable individual; “vulnerable individual” means an individual— (a) aged under 18, or (b) aged 18 or over and at risk.... 9. For the purposes of paragraph 8— (a) protection of an individual, or of the well-being of an individual, includes both protection relating to a particular individual and protection relating to ...
- ‼️ Human Rights
This change could potentially enhance the protection of vulnerable individuals, particularly minors and adults at risk, by providing a clear definition for safeguarding measures.
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵🔵 High
- Type: insertion
Article 4(1) of the UK GDPR
The bill introduces a new definition for "senior responsible individual" in Article 4(1) of the UK GDPR. This term refers to an individual designated as the senior responsible individual of a controller or processor under Article 27A.
Exemplar quote from bill: ...mount of penalty), for “49,” substitute “50B, 50C,”. SCHEDULE 4 Section 20 OBLIGATIONS OF CONTROLLERS AND PROCESSORS: CONSEQUENTIAL AMENDMENTS The UK GDPR 1 The UK GDPR is amended as follows. 2 ...In Article 4(1) (definitions), after point (11) insert— “(11A) “senior responsible individual” means an individual designated as the senior responsible individual of a controller or processor under Article 27A;”.... 3 In Article 13(1)(b) (information to be provided where personal data is collected from the data subject), for “data protection officer” substitute “senior responsible individual”. 4 In Article 14...
- ‼️ Digital Privacy
This change could potentially enhance accountability and responsibility in data processing activities by introducing a designated senior responsible individual.
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵 Moderate
- Type: insertion
Section 148B
The bill introduces a new provision that protects the privileges of either House of Parliament, stating that an interview notice does not require an individual to answer questions if doing so would infringe upon these privileges.
Exemplar quote from bill: ... hours beginning when the notice is given. (9) The Commissioner may cancel or vary an interview notice by written notice to the individual to whom it was given. 148B Interview notices: restrictions...“(1) An interview notice does not require an individual to answer questions to the extent that requiring the person to do so would involve an infringement of the privileges of either House of Parliament.”...(2) An interview notice does not require an individual to answer questions in respect of a communication which is made— (a) between a professional legal adviser and the adviser’s client, and (b)...
- ‼️ Political Power
This change could protect the privileges of Parliament, potentially impacting the balance of power between the legislative branch and the Commissioner.
- 🟢🟢 Flagged as ?positive?
- Impact: 🔵🔵 Moderate
- Type: insertion
Section 60
The Secretary of State is required to prepare and publish reports on the operation of this part of the bill.
Exemplar quote from bill: ...ich any such payments are to be repaid to the Secretary of State. (3) Regulations under this section are subject to the affirmative resolution procedure. 60 Report on the operation of this Part (1) ...The Secretary of State must prepare and publish reports on the operation of this Part.... (2) The first report must be published within the period of 12 months beginning with the day on which section 47 comes into force. (3) The reports must be published not more than 12 months apart. ...
- ‼️ Transparency
This change increases transparency by requiring the Secretary of State to publish reports on the operation of this part of the bill.
- 🟢 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: substitution
Article 22 of the UK GDPR (automated individual decision-making, including profiling)
The substitution replaces Article 22 of the UK GDPR with a new provision on automated individual decision-making, including a definition of automated processing and significant decisions.
Exemplar quote from bill: ...ption;”, and (d) in subsection (6), after “(a)” insert “, (aa)”. Automated decision-making 11 Automated decision-making ...(1) For Article 22 of the UK GDPR (automated individual decision-making, including profiling) substitute— “Section 4A Automated individual decision-making Article 22A Automated processing and significant decisions... 1. For the purposes of Articles 22B and 22C— (a) a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and (b) a decision is...
- ‼️ Human Rights
(Variously affected)
- ‼️ Justice System
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: substitution
Sections 49 and 50 (law enforcement processing: automated individual decision making)
The substitution replaces sections 49 and 50 with a new provision on automated processing and significant decisions.
Exemplar quote from bill: ...ect to the affirmative resolution procedure.” (2) The 2018 Act is amended in accordance with subsections (3) to (5). ...(3) For sections 49 and 50 (law enforcement processing: automated individual decision making) substitute— “50A Automated processing and significant decisions... (1) For the purposes of sections 50B and 50C— (a) a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and (b) a decision is...
- ‼️ Human Rights
(Variously affected)
- ‼️ Justice System
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
UK GDPR
The bill proposes to amend the UK GDPR to include a new section and article that mandates the designation of a senior responsible individual within an organization.
Exemplar quote from bill: ...or restricted), omit sub-paragraph (b)(ii). Data subjects' rights 7 Vexatious or excessive requests by data subjects (1) ...The UK GDPR is amended in accordance with subsections (2) and (3).... (2) In Article 12 (transparent information, communication and modalities for the exercise of rights of the data subject)— (a) in paragraph 2, at the end insert “(or refusal is allowed under Article...
- ‼️ Corporate Governance
This change would require organizations to have a designated individual responsible for data protection, which could significantly impact their governance structures and processes.
- ‼️ Data Protection
This change would likely enhance data protection by ensuring that there is a designated individual responsible for overseeing and ensuring compliance with data protection laws.
- 🟢 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
UK GDPR
The bill proposes to add a new article to the UK GDPR that outlines the tasks of the senior responsible individual, including monitoring compliance with data protection laws, ensuring the development and implementation of compliance measures, and dealing with complaints and data breaches.
Exemplar quote from bill: ...in relation to an organisation, means the individuals who play significant roles in the making of decisions about how the whole or a substantial part of its activities are to be managed or organised. ...Article 27B Senior responsible individual’s tasks 1. The senior responsible individual designated by a controller must be responsible at least for performing the tasks listed in paragraph 2 or securing that they are performed by another person....on. 2. Those tasks are— (a) monitoring compliance by the controller with the data protection legislation; (b) ensuring that the controller develops, implements, reviews and updates measures to ensu...
- ‼️ Corporate Governance
This change would require organizations to have a designated individual responsible for a range of data protection tasks, which could significantly impact their governance structures and processes.
- ‼️ Data Protection
This change would likely enhance data protection by ensuring that there is a designated individual responsible for overseeing and ensuring compliance with data protection laws.
- 🟢 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
UK GDPR
The bill proposes to add a new article to the UK GDPR that outlines the position of the senior responsible individual, including the requirement for the controller or processor to support the individual in performing their tasks.
Exemplar quote from bill: ...task, and (c) whether the other person is involved in day-to-day processing of personal data for the controller or processor and, if so, whether that affects the person’s ability to perform the task. ...Article 27C Senior responsible individual’s position 1. A controller or processor must support its senior responsible individual in the performance of the individual’s tasks, including by providing the individual with appropriate resources....es. 2. A controller or processor must not dismiss or penalise its senior responsible individual for performing the individual’s tasks. 3. Where the senior responsible individual decides that one or...
- ‼️ Corporate Governance
This change would require organizations to support their designated senior responsible individual, which could significantly impact their governance structures and processes.
- ‼️ Data Protection
This change would likely enhance data protection by ensuring that the senior responsible individual is adequately supported in their role.
- 🟢 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
Part 2 of the Bill
The bill proposes the establishment of a new framework to secure the reliability of digital verification services. This includes the creation of a trust framework, a register, an information gateway, and a trust mark.
Exemplar quote from bill: ...d), after “Act” insert “or the UK GDPR”. 45 Minor amendments Schedule 9 contains minor amendments of the UK GDPR and the 2018 Act. PART 2 DIGITAL VERIFICATION SERVICES Introductory 46 Introductory ...(1) This Part contains provision to secure the reliability of digital verification services by means of— (a) a trust framework (see section 47), (b) a register (see section 48), (c) an information gateway (see section 54), and (d) a trust mark (see section 57).... (2) In this Part— “digital verification services” means verification services provided to any extent b...
- ‼️ Digital Economy
This change could have significant implications for the digital economy, particularly for businesses that provide digital verification services. It could also impact consumers by providing greater security and reliability when using these services.
- ‼️ Tech Company Regulation
The establishment of a new framework for digital verification services could lead to increased regulation of tech companies that provide these services.
- 🟢 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
Enforcement of data regulations
The bill proposes that the Secretary of State or the Treasury may by regulations make provision for the enforcement of data regulations and for the enforcement of requirements imposed in exercise of a power conferred by regulations under this Part, including provision for enforcement by a specified public body (an “enforcer”).
Exemplar quote from bill: ...s under the regulations (including provision enabling or requiring decision-makers with functions exercisable jointly or concurrently to produce joint guidance). 67 Enforcement of data regulations ...(1) The Secretary of State or the Treasury may by regulations make provision— (a) for the enforcement of data regulations, and (b) for the enforcement of requirements imposed in exercise of a power conferred by regulations under this Part, including provision for enforcement by a specified public body (an “enforcer”).... (2) The following subsections and sections 68 and 69 make provision about what regulations under subsection (1) may or must (among other things) contain. (3) The regulations may confer powers of i...
- ‼️ Justice System
This change could potentially affect the enforcement of data regulations, which could impact the protection of individuals' data rights.
- ‼️ Political Power
This change could potentially increase the powers of the Secretary of State or the Treasury in relation to the enforcement of data regulations, which could impact the balance of power within the government.
- 🟢 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: transfer
Functions of the Information Commissioner
The bill transfers the functions of the Information Commissioner to the newly established Information Commission.
Exemplar quote from bill: ...) (extent)— (a) omit “and” at the end of paragraph (a), and (b) omit paragraph (b). (7) Omit Schedule 12 (the Information Commissioner). 102 Transfer of functions to the Information Commission (1) ...The functions of the Information Commissioner are transferred to the Information Commission.... (2) So far as is appropriate in consequence of subsection (1), a reference to the Information Commissioner (h...
- ‼️ Political Power
(Variously affected)
- ‼️ Justice System
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
Schedule 10 Section 86 PRIVACY AND ELECTRONIC COMMUNICATIONS: COMMISSIONER’S ENFORCEMENT POWERS
The bill proposes to insert a new Schedule 10 Section 86, which outlines the enforcement powers of the Information Commissioner in relation to privacy and electronic communications.
Exemplar quote from bill: ...out in preparation for disclosure described in sub-paragraph (i) or (ii),”. 25 In paragraph 2(a) of Schedule 11 (other exemptions under Part 4: crime), after “prevention” insert “, investigation”. ...SCHEDULE 10 Section 86 PRIVACY AND ELECTRONIC COMMUNICATIONS: COMMISSIONER’S ENFORCEMENT POWERS... “SCHEDULE 1 Regulation 31 INFORMATION COMMISSIONER’S ENFORCEMENT POWERS Provisions applied for enforcement purposes 1 For the purposes of enforcing these Regulations, the following provisions o...
- ‼️ Digital Privacy
(Variously affected)
- ‼️ Data Protection
(Variously affected)
- ‼️ Internet Governance
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🟣🟣🟣🟣 Reshaping
- Type: insertion
Schedule 13—The Information Commission
The bill proposes the establishment of the Information Commission, which will have the power to delegate functions, regulate its own procedures, keep records of its proceedings, receive payments from the Secretary of State, collect fees and other sums, maintain proper accounts, and authenticate the application of its seal.
Exemplar quote from bill: ...ission to delegate a function, and to determine the extent and terms of the delegation, is subject to the Commission’s power to direct what a committee established by it may and may not do. (6) ...The delegation of a function by the Commission or a committee of the Commission under this paragraph does not prevent the Commission or the committee from exercising that function.... Advice from committees 15 The Commission may require a committee of the Commission to give the Commission advice about matters relating to the discharge of the Commission’s functions. Proceedings ...
- ‼️ Political Power
The establishment of the Information Commission represents a significant shift in political power, as it will have the authority to regulate the processing of information relating to identified or identifiable living individuals, oversee the use of information to ascertain and verify facts about individuals, and manage access to customer data and business data.
- ‼️ Public Health
The Information Commission will also have the power to set information standards for health and social care, which could have significant implications for public health.
- ‼️ Human Rights
The creation of the Information Commission could have far-reaching implications for human rights, particularly in relation to privacy and data protection.
- ‼️ Justice System
The Information Commission will have the power to collect fees, charges, penalties and other sums, which could have implications for the justice system.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 3 of the Data Protection Act 2018
The bill proposes to amend Section 3 of the Data Protection Act 2018 to provide more clarity on when an individual is considered identifiable from information. It introduces the concepts of "directly" and "indirectly" identifiable, with the former meaning the individual can be identified without additional information, and the latter meaning the individual can only be identified with the use of additional information.
Exemplar quote from bill: ...l, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:— PART 1 DATA PROTECTION Definitions 1 Information relating to an identifiable living individual (1) ...In section 3 of the Data Protection Act 2018 (referred to in this Act as “the 2018 Act”) (terms relating to the processing of personal data)— (a) in subsection (3) (definition of “identifiable living individual”), after paragraph (b) insert— “(and see section 3A for provision about when information relates to an identifiable living individual).”, and (b) after that subsection insert— “(3A) An individual is identifiable from information “directly” if the individual can be identified without the use of additional information. (3B) An individual is identifiable from information “indirectly” if the individual can be identified only with the use of additional information.”... (2) In the 2018 Act, after section 3 insert— “3A Information relating to an identifiable living indi...
- ‼️ Digital Privacy
This amendment provides more clarity on the definition of identifiable information, which is a key concept in data protection and privacy laws. It could potentially affect how data is collected, processed, and shared, and could have implications for both individuals' privacy rights and businesses' data practices.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Article 4 of the UK GDPR
The bill proposes to amend Article 4 of the UK GDPR to align its definitions with those proposed for the Data Protection Act 2018. It replaces the term "identifiable natural person" with "identifiable living individual" and introduces the concepts of "directly" and "indirectly" identifiable.
Exemplar quote from bill: ... taking into account, among other things— (a) the time, effort and costs involved in identifying the individual by that means, and (b) the technology and other resources available to the person.” (3) ...In Article 4 of the UK GDPR (definitions)— (a) the existing text becomes paragraph 1, (b) in paragraph 1(1) (definition of “personal data”)— (i) for “identifiable natural person”, in both places it appears, substitute “identifiable living individual”, (ii) for “that natural person” substitute “the individual”, and (iii) at the end insert “(and see paragraph 2)”, (c) in paragraph 1, after point (1) insert— “(1A) an individual is identifiable from information “directly” if the individual can be identified without the use of additional information; (1B) an individual is identifiable from information “indirectly” if the individual can be identified only with the use of additional information;”..., (d) in paragraph 1, for point (5) substitute— “(5) “pseudonymisation” means the processing of personal data in...
- ‼️ Digital Privacy
This amendment aligns the UK GDPR with the proposed changes to the Data Protection Act 2018, providing more clarity on the definition of identifiable information. This could potentially affect how data is collected, processed, and shared under the GDPR, and could have implications for both individuals' privacy rights and businesses' data practices.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Senior responsible individual's tasks and position
The bill proposes amendments to the responsibilities and protections of the senior responsible individual designated by a data processor. This individual is tasked with monitoring compliance, cooperating with the Commissioner, and acting as a contact point for issues related to data processing. The bill also stipulates that the controller or processor must support this individual by providing appropriate resources and not penalizing them for performing their tasks.
Exemplar quote from bill: ...ntroller; (h) acting as the contact point for the Commissioner on issues relating to processing of personal data. 3. ...The senior responsible individual designated by a processor must be responsible at least for performing the tasks listed in subsection (4) or securing that they are performed by another person.... Those tasks are— (a) monitoring compliance by the processor with Articles 28, 30A and 32; (b) co-operating with the Commissioner on behalf of the processor; (c) acting as the contact point for the ...
- ‼️ Corporate Governance
This change could potentially increase accountability and transparency in data processing activities, as it mandates a specific individual to oversee compliance and cooperate with regulatory authorities.
- ‼️ Human Rights
This change could potentially enhance the protection of personal data, as it ensures that there is a dedicated individual responsible for overseeing data processing activities and compliance with data protection laws.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Records of processing of personal data
The bill proposes amendments to the UK GDPR to require controllers and processors to maintain appropriate records of personal data processing. These records must be made available to the Commissioner upon request.
Exemplar quote from bill: ...nsert “(to processing of personal data)”, (b) for “Part” substitute “Parts 3 and”, and (c) for “section” substitute “sections 33, 40A and”. Data protection principles 5 Lawfulness of processing (1) ...The UK GDPR is amended in accordance with subsections (2) to (4).... (2) In Article 6(1) (lawful processing)— (a) in point (e)— (i) after “task” insert “of the controller”, and (ii) after “or” insert “a task carried out”, (b) after that point insert— “(ea) proce...
- ‼️ Corporate Governance
This change could potentially increase transparency and accountability in data processing activities, as it mandates the maintenance of detailed records and their availability to regulatory authorities.
- ‼️ Human Rights
This change could potentially enhance the protection of personal data, as it ensures that there is a record of all data processing activities that can be reviewed by regulatory authorities.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Article 35 (data protection impact assessment)
The bill proposes to amend Article 35, changing the title from "data protection impact assessment" to "Assessment of high risk processing". It also changes the term "natural persons" to "individuals" and omits several paragraphs. The controller is required to produce a document recording compliance with the article, including a summary of the processing purposes, an assessment of necessity and risks, and a description of risk mitigation strategies. The term "data protection impact assessment" is replaced with "an assessment of the envisaged processing operations on the protection of personal data".
Exemplar quote from bill: ...he UK GDPR is amended in accordance with subsections (2) to (4). (2) In the heading of Section 3 of Chapter 4, for “Data protection impact assessment” substitute “Assessment of high risk processing”. ...(3) In Article 35 (data protection impact assessment)— (a) for the heading substitute “Assessment of high risk processing”, (b) in paragraph 1, for “natural persons” substitute “individuals”, (c) omit paragraphs 2 to 5, (d) for paragraph 7 substitute— “7 The controller must produce a document recording compliance with this Article which includes at least— (a) a summary of the purposes of the processing, (b) an assessment of whether the processing is necessary for those purposes, (c) an assessment of the risks to individuals referred to in paragraph 1, and (d) a description of how the controller proposes to mitigate those risks.”, (e) in paragraph 8, for “, in particular for the purposes of a data protection impact assessment” substitute “for the purposes of an assessment required by paragraph 1”, (f) omit paragraph 9, (g) in paragraph 10— (i) for “a data protection impact assessment” substitute “an assessment of the envisaged processing operations on the protection of personal data”, and (ii) omit “for the processing”, and (h) in paragraph 11— (i) omit “Where necessary,”, and (ii) for “to assess if processing is performed in accordance with the data protection impact assessment” substitute “of an assessment pursuant to paragraph 1 where necessary and”.... (4) In Article 57(1) (Information Commissioner’s tasks), for paragraph (k) substitute— “(k) produce and publish a document containing examples of types of processing which the Commissioner consider...
- ‼️ Data Protection
This amendment refocuses the assessment process on high-risk processing, potentially increasing the protection of individuals' data by requiring a more detailed risk assessment and mitigation strategy.
- ‼️ Human Rights
The change from "natural persons" to "individuals" could potentially broaden the scope of data protection, as the term "individuals" may include entities such as corporations.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Article 84D
The bill introduces Article 84D, which gives the Secretary of State the power to make further regulations about when the requirement for appropriate safeguards under Article 84B(1) is satisfied. These regulations are subject to the affirmative resolution procedure.
Exemplar quote from bill: ...land falling within paragraphs (b) to (e) of section 1(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)). Article 84D Appropriate safeguards: further provision 1. ...The Secretary of State may by regulations make further provision about when the requirement for appropriate safeguards under Article 84B(1) is satisfied.... 2. The power under this Article includes power to amend Article 84C by adding, varying or omitting provision, except that it does not include power— (a) to vary or omit paragraph 1 of that Article...
- ‼️ Digital Privacy
(Variously affected)
- ‼️ Political Power
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 82B Duration of designation notice
The bill introduces a new provision that sets the duration of a designation notice. The notice will cease to be in force at the earliest of the following times: at the end of 5 years from when it comes into force, at the end of a shorter period specified in the notice, or when the notice is withdrawn under section 82C.
Exemplar quote from bill: ...ith this Part in relation to the processing are determined in an arrangement under section 104. 82B Duration of designation notice (1) A designation notice must state when it comes into force. (2) ...A designation notice ceases to be in force at the earliest of the following times— (a) at the end of the period of 5 years beginning with the day on which it comes into force; (b) (if relevant) at the end of a shorter period specified in the notice; (c) when the notice is withdrawn under section 82C.... (3) The Secretary of State may give a further designation notice in respect of processing that is, or has been, the subject of a previous designation notice. 82C Review and withdrawal of designati...
- ‼️ Human Rights
(Variously affected)
- ‼️ Justice System
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 82C Review and withdrawal of designation notice
The bill introduces a new provision that requires the Secretary of State to annually review each designation notice in force and consider whether the designation of the processing, which is the subject of the notice, continues to be required for the purposes of safeguarding national security.
Exemplar quote from bill: ...ut in reliance on the notice, and (b) an explanation of why the person considers that designation of the processing continues to be required for the purposes of safeguarding national security. (4) ...The Secretary of State must at least annually— (a) review each designation notice that is for the time being in force, and (b) consider whether designation of the processing which is the subject of the notice continues to be required for the purposes of safeguarding national security.... (5) The Secretary of State— (a) may withdraw a designation notice by giving a further notice (a “withdrawal notice...
- ‼️ Human Rights
(Variously affected)
- ‼️ Justice System
(Variously affected)
- ‼️ National Security
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 120C Strategy
The bill introduces a new provision that requires the Commissioner to prepare a strategy for carrying out the Commissioner’s functions under the data protection legislation in accordance with the Commissioner’s duties under sections 120A and 120B, section 108 of the Deregulation Act 2015, and section 21 of the Legislative and Regulatory Reform Act 2006.
Exemplar quote from bill: ...competition; (c) the importance of the prevention, investigation, detection and prosecution of criminal offences; (d) the need to safeguard public security and national security. 120C Strategy (1) ...The Commissioner must prepare a strategy for carrying out the Commissioner’s functions under the data protection legislation in accordance with the Commissioner’s duties under— (a) sections 120A and 120B, (b) section 108 of the Deregulation Act 2015 (exercise of regulatory functions: economic growth), and (c) section 21 of the Legislative and Regulatory Reform Act 2006 (exercise of regulatory functions: principles).... (2) The Commissioner must— (a) review the strategy from time to time, and (b) revise the strategy as appropriate. (3) The Commissioner must publish the strategy and any revised strategy. 120D D...
- ‼️ Human Rights
(Variously affected)
- ‼️ Justice System
(Variously affected)
- ‼️ Public Health
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 120D
The bill introduces a new duty for the Commissioner to consult with certain individuals about how the Commissioner's actions under the data protection legislation may impact economic growth, innovation, and competition.
Exemplar quote from bill: ...ew the strategy from time to time, and (b) revise the strategy as appropriate. (3) The Commissioner must publish the strategy and any revised strategy. 120D Duty to consult other regulators (1) ...The Commissioner must, at such times as the Commissioner considers appropriate, consult the persons mentioned in subsection (2) about how the manner in which the Commissioner exercises functions under the data protection legislation may affect economic growth, innovation and competition.... (2) The persons are— (a) such persons exercising regulatory functions as the Commissioner considers appropriate; (b) such other persons as the Commissioner considers appropriate. (3) In this secti...
- ‼️ Economic Impact
This change could potentially influence the economic landscape by ensuring that data protection measures do not stifle economic growth, innovation, and competition.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 124A of the 2018 Act
The bill proposes the insertion of a new section 124A in the 2018 Act, which mandates the Commissioner to prepare codes of practice for the processing of personal data, if required by regulations made by the Secretary of State.
Exemplar quote from bill: ...0E”. 29 Codes of practice for the processing of personal data (1) The 2018 Act is amended in accordance with subsections (2) to (6). (2) After section 124 insert— “124A Other codes of practice (1) ...The Commissioner must prepare appropriate codes of practice giving guidance as to good practice in the processing of personal data if required to do so by regulations made by the Secretary of State.... (2) Regulations under this section— (a) must describe the personal data or processing to which the code of practice ...
- ‼️ Data Protection
This change could potentially enhance data protection by providing clear guidelines on the processing of personal data.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 124B of the 2018 Act
The bill proposes the insertion of a new section 124B in the 2018 Act, which mandates the Commissioner to establish a panel of individuals to consider the code of practice.
Exemplar quote from bill: ...ction 29 of this Act) insert— “124B Panels to consider codes of practice (1) This section applies where a code is prepared under section 121, 122, 123, 124 or 124A, subject to subsection (11). (2) ...The Commissioner must establish a panel of individuals to consider the code.... (3) The panel must consist of— (a) individuals the Commissioner considers have expertise in the subject matter of the code, and (b) individuals the Commissioner considers— (i) are likely to be aff...
- ‼️ Data Protection
This change could potentially enhance data protection by ensuring that the code of practice is thoroughly reviewed by a panel of experts.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 124C of the 2018 Act
The bill proposes the insertion of a new section 124C in the 2018 Act, which mandates the Commissioner to carry out and publish an assessment of the likely impact of the code of practice.
Exemplar quote from bill: ...er section 124A, and (b) is specified in the regulations. (12) Regulations under this section are subject to the negative resolution procedure. 124C Impact assessments for codes of practice (1) ...Where a code is prepared under section 121, 122, 123, 124 or 124A, the Commissioner must carry out and publish an assessment of— (a) who would be likely to be affected by the code, and (b) the effect the code would be likely to have on them.... (2) This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in r...
- ‼️ Data Protection
This change could potentially enhance data protection by ensuring that the impact of the code of practice is thoroughly assessed and made public.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 124D of the 2018 Act
The bill proposes the insertion of a new section 124D in the 2018 Act, which mandates the Commissioner to submit the final version of the code of practice to the Secretary of State.
Exemplar quote from bill: ...y the Secretary of State (1) The 2018 Act is amended as follows. (2) After section 124C (inserted by section 30 of this Act) insert— “124D Approval by Secretary of State of codes of practice (1) ...Where a code is prepared under section 121, 122, 123, 124 or 124A, the Commissioner must submit the final version to the Secretary of State.... (2) Within the period of 40 days beginning with the day on which the code is submitted to the Secretary of State, the Secretary of State must decide whether to approve the code. (3) If the Secretary ...
- ‼️ Data Protection
This change could potentially enhance data protection by ensuring that the final version of the code of practice is reviewed by the Secretary of State.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 148A
The bill introduces a new provision that allows the Commissioner to issue an "interview notice" requiring an individual to attend a specified location and answer questions relevant to an investigation into a suspected failure or offence.
Exemplar quote from bill: ...on applies where the Commissioner suspects that a controller or processor— (a) has failed or is failing as described in section 149(2), or (b) has committed or is committing an offence under this Act. ...“(2) For the purpose of investigating the suspected failure or offence, the Commissioner may, by written notice (an “interview notice”), require an individual within subsection (3) to— (a) attend at a place specified in the notice, and (b) answer questions with respect to any matter relevant to the investigation.”... (3) An individual is within this subsection if the individual— (a) is the controller or processor, (b) is or was at any time employed by, or otherwise working for, the controller or processor, o...
- ‼️ Justice System
This change could potentially increase the powers of the Commissioner in investigating suspected failures or offences, potentially impacting the legal processes involved.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
DVS trust framework
The Secretary of State is required to prepare and publish a document outlining rules for the provision of digital verification services, known as the DVS trust framework. This framework must be reviewed and potentially revised at least every 12 months, with consultation from the Information Commissioner and other relevant parties.
Exemplar quote from bill: ...he individual, and (b) confirming to another person that the fact about the individual has been ascertained or verified from information so provided. DVS trust framework 47 DVS trust framework (1) ...The Secretary of State must prepare and publish a document setting out rules concerning the provision of digital verification services.... (2) The document is referred to in this Part as the DVS trust framework. (3) In preparing the DVS trust framework, the Secretary of State must consult— (a) the Information Commissioner, and (b) su...
- ‼️ Internet Governance
The creation of the DVS trust framework will establish a new set of rules for the provision of digital verification services, impacting how these services are governed and regulated.
- ‼️ Tech Company Regulation
Tech companies providing digital verification services will be directly affected by the rules set out in the DVS trust framework, potentially impacting their operations and responsibilities.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
DVS register
The Secretary of State is required to establish and maintain a public register of persons providing digital verification services, known as the DVS register. To be registered, a person must hold a certificate from an accredited conformity assessment body, apply for registration, comply with any requirements, and pay any required fee.
Exemplar quote from bill: ...nd any revised version of the framework, may— (a) specify different commencement times for different purposes, and (b) include transitional provisions and savings. DVS register 48 DVS register (1) ...The Secretary of State must establish and maintain a register of persons providing digital verification services.... (2) The register is referred to in this Part as the DVS register. (3) The Secretary of State must make the DVS register publicly available. ...
- ‼️ Internet Governance
The establishment of the DVS register will create a new mechanism for tracking and regulating providers of digital verification services, impacting the governance of these services.
- ‼️ Tech Company Regulation
Tech companies providing digital verification services will be required to register in the DVS register, potentially impacting their operations and responsibilities.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 2—Digital verification services
The bill mandates the Secretary of State to prepare and publish a code of practice regarding the disclosure of information under the proposed section.
Exemplar quote from bill: ...ication services “the Revenue and Customs” has the meaning given by section 17(3) of the Commissioners for Revenue and Customs Act 2005. 56 Code of practice about the disclosure of information (1) ...The Secretary of State must prepare and publish a code of practice about the disclosure of information under section 54.... (2) The code of practice must be consistent with the code of practice prepared under section 121 of the 2018 Act (data-sharing code) and issued under section 125(4) of that Act (as altered or replace...
- ‼️ Human Rights
(Variously affected)
- ‼️ Digital Privacy
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Regulation of customer data
The bill proposes regulations on how customers can authorize others to receive their data, how customer data is provided and how customers' rights are exercised. It also proposes regulations on the processing of customer data and the assistance required from those who process customer data in the course of business.
Exemplar quote from bill: ...ain. (2) The regulations may make provision about requests relating to customer data, including provision about the circumstances in which a data holder may or must refuse to act on a request. (3) ...The regulations may make provision about the procedure by which customers authorise persons to receive customer data or to do other things..., including— (a) provision restricting the persons that may be authorised to persons that comply with specified conditions or conditions imposed by a specified person; (b) provision for a specified...
- ‼️ Digital Privacy
The proposed changes will significantly impact digital privacy as they regulate how customer data is handled, processed, and shared.
- ‼️ Tech Company Regulation
Tech companies that handle customer data will be directly affected by these regulations, as they will need to comply with new procedures and requirements.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Regulation of business data
The bill proposes regulations on the publication, provision, collection, retention, and processing of business data. These regulations will be made by the Secretary of State or the Treasury.
Exemplar quote from bill: ...s data includes a reference to a person obtaining access to such data or the ability to provide other persons with access to such data. 62 Power to make provision in connection with customer data (1) ...The Secretary of State or the Treasury may by regulations make provision requiring a data holder to publish business data or to provide business data on request...s request, or (b) to a person who is authorised by the customer to receive the data (an “authorised person”), at the customer’s request or at the authorised person’s request. (2) The Secretary o...
- ‼️ Digital Economy
The proposed changes will impact the digital economy as they regulate how business data is handled, processed, and shared.
- ‼️ Tech Company Regulation
Tech companies that handle business data will be directly affected by these regulations, as they will need to comply with new procedures and requirements.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Dispute resolution and complaint handling
The bill proposes regulations on the handling of complaints and the resolution of disputes related to customer and business data. These regulations will require data holders, authorised persons, and decision-makers to implement procedures for handling complaints and resolving disputes.
Exemplar quote from bill: ...ligations of persons under the regulations, including information about the activities carried out by the data holder or approved person in performance of their obligations under the regulations. (9) ...The regulations may make provision about complaints, including provision requiring data holders, authorised persons or decision-makers to implement procedures for the handling of complaints.... (10) The regulations may make provision about procedures for the resolution of disputes, including— (a) provision appointin...
- ‼️ Justice System
The proposed changes will impact the justice system by introducing new procedures for handling complaints and resolving disputes related to customer and business data.
- ‼️ Tech Company Regulation
Tech companies that handle customer and business data will be directly affected by these regulations, as they will need to implement new complaint handling and dispute resolution procedures.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Regulations about data holders and approved persons
The bill proposes regulations that may enable or require data holders or approved persons to publish specified information relating to the rights and obligations of persons under the regulations. This includes information about the activities carried out by the data holder or approved person in performance of their obligations under the regulations.
Exemplar quote from bill: ...a person to whom business data is further disclosed to be subject to some or all of the obligations imposed on customers or third party recipients by the regulations in relation to the business data. ...(8) The regulations may make provision enabling or requiring a data holder or an approved person to publish specified information relating to the rights and obligations of persons under the regulations, including information about the activities carried out by the data holder or approved person in performance of their obligations under the regulations....ns. (9) The regulations may make provision about complaints, including provision requiring data holders or decision-makers to implement procedures for the handling of complaints. ...
- ‼️ Human Rights
This change could potentially increase transparency and accountability of data holders and approved persons, which could enhance the protection of individuals' data rights.
- ‼️ Freedom of Information
This change could potentially increase the availability of information about the activities of data holders and approved persons, which could enhance public understanding and scrutiny of these entities.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Regulations about decision-makers
The bill proposes regulations that may make provision about the appointment of a decision-maker and enabling or requiring a decision-maker to suspend or revoke a decision.
Exemplar quote from bill: ...effect of decisions relating to disputes; (d) provision for the person to review the person’s decisions relating to disputes; (e) provision about appeals to a court or tribunal. 66 Decision-makers ...(1) This section is about the provision about decision-makers that regulations under section 62 or 64 must or may (among other things) contain. (2) The regulations may make provision about the appointment of a decision-maker. (3) The regulations may make provision enabling or requiring a decision-maker to suspend or revoke a decision....on. (4) The regulations may confer powers on a decision-maker for the purpose of monitoring compliance with conditions for authorisation or approval (“monitoring powers”) (and see section 67 for pr...
- ‼️ Justice System
This change could potentially affect the appointment and decision-making processes of decision-makers, which could impact the enforcement of data regulations.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 3—Customer data and business data
The bill proposes the insertion of a provision that defines the scope of information that falls under this subsection. This includes information related to communications between a professional legal adviser and their client, or between such an adviser or client and another person, in connection with or in contemplation of proceedings under or arising out of data regulations.
Exemplar quote from bill: ... professional legal adviser and the adviser’s client, and (b) in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under data regulations. ...(4) Information is within this subsection if it is information in respect of a communication which is made— (a) between a professional legal adviser and the adviser’s client or between such an adviser or client and another person, (b) in connection with or in contemplation of proceedings under or arising out of data regulations, and (c) for the purposes of such proceedings....gs. (5) In subsections (3) and (4), references to the client of a professional legal adviser include references to a person acting on behalf of the client. (6) Information is within this subsection...
- ‼️ Justice System
(Variously affected)
- ‼️ Digital Privacy
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 3—Customer data and business data
The bill proposes the insertion of a provision that defines the scope of information that falls under this subsection. This includes information that, if required to be provided, would expose a person to proceedings for an offence by revealing evidence of the commission of that offence.
Exemplar quote from bill: ...nd (c) for the purposes of such proceedings. (5) In subsections (3) and (4), references to the client of a professional legal adviser include references to a person acting on behalf of the client. ...(6) Information is within this subsection if requiring a person to provide the information would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.... (7) The reference to an offence in subsection (6) does not include an offence under— (a) regulations made under this Part; (b) section 5 of the Perjury Act 1911 (false statements made otherwise th...
- ‼️ Justice System
(Variously affected)
- ‼️ Digital Privacy
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 3—Customer data and business data
The bill proposes the insertion of a provision that restricts the use of an oral or written statement provided by a person in response to a request for information made by a decision-maker or an enforcer in accordance with regulations under this Part. Such a statement may not be used in evidence against that person on a prosecution for an offence, unless certain conditions are met.
Exemplar quote from bill: ...alse statements made otherwise than on oath); (d) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements). ...(8) An oral or written statement provided by a person in response to a request for information made by a decision-maker or an enforcer in accordance with regulations under this Part may not be used in evidence against that person on a prosecution for an offence (other than an offence under regulations made under this Part) unless in the proceedings— (a) in giving evidence the person provides information inconsistent with the statement, and (b) evidence relating to the statement is adduced, or a question relating to it is asked, by that person or on that person’s behalf....ehalf. (9) In this section, “justice” means— (a) in England and Wales, a justice of the peace, (b) in Sc...
- ‼️ Justice System
(Variously affected)
- ‼️ Digital Privacy
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 3—Customer data and business data
The bill proposes the insertion of a provision that outlines the power of an enforcer to impose a financial penalty under regulations of this Part.
Exemplar quote from bill: ...nd business data (9) In this section, “justice” means— (a) in England and Wales, a justice of the peace, (b) in Scotland, a sheriff or summary sheriff, and (c) in Northern Ireland, a lay magistrate. ...69 Financial penalties (1) This section is about provision that regulations under this Part conferring power on an enforcer to impose a financial penalty may or must (among other things) contain....n. (2) The amount of a financial penalty must be specified in, or determined in accordance with, the regulations. (3) The regulations must include provision— (a) requiring an enforcer to issue guid...
- ‼️ Justice System
(Variously affected)
- ‼️ Economic Impact
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 3—Customer data and business data
The bill proposes the insertion of a provision that allows the Secretary of State or the Treasury to make regulations enabling certain persons to require others to pay fees for the purpose of meeting expenses incurred in performing duties or exercising powers under this Part. It also provides for how these fees must or may be used.
Exemplar quote from bill: ... for a financial penalty to be increased by an amount specified in or determined in accordance with the regulations in the event of late payment; (d) as to how financial penalties are recoverable. ...70 Fees (1) The Secretary of State or the Treasury may by regulations— (a) make provision enabling a person listed in subsection (2), or a person acting on their behalf, to require other persons to pay fees for the purpose of meeting expenses incurred, or to be incurred, in performing duties, or exercising powers, imposed or conferred by regulations under this Part, and (b) make provision about how amounts paid as fees must or may be used....lations under this Part, and (b) make provision about how amounts paid as fees must or may be used. (2) Those persons are— (a) data holders; (b) decision-makers; (c) enforcers; (d) other persons on ...
- ‼️ Economic Impact
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 3—Customer data and business data
The bill proposes the insertion of a provision that allows the Secretary of State or the Treasury to make regulations imposing a levy on data holders for the purpose of meeting all or part of the expenses incurred by decision-makers or enforcers or by persons acting on their behalf. It also provides for how funds raised by means of the levy must or may be used.
Exemplar quote from bill: ...out the amount and how it is determined. (7) Regulations under subsection (1) may (among other things) make provision about— (a) interest on any unpaid amounts; (b) the recovery of unpaid amounts. ...71 Levy (1) The Secretary of State or the Treasury may by regulations— (a) impose, or provide for a specified public body to impose, a levy on data holders for the purpose of meeting all or part of the expenses incurred, or to be incurred, during a period by decision-makers or enforcers or by persons acting on their behalf, and (b) make provision about how funds raised by means of the levy must or may be used.... used. (2) Regulations under subsection (1) may only provide for a levy in respect of expenses of decisi...
- ‼️ Economic Impact
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 3—Customer data and business data
The bill proposes the insertion of a provision that allows the Secretary of State or the Treasury to give financial assistance to a person for the purpose of meeting any expenses incurred in performing duties or exercising powers under regulations made under this Part.
Exemplar quote from bill: ...etermined. (4) Regulations under subsection (1) may (among other things) make provision about— (a) interest on any unpaid amounts payable by way of a levy; (b) the recovery of such unpaid amounts. ...72 Financial assistance (1) The Secretary of State or the Treasury may give financial assistance to a person for the purpose of meeting any expenses incurred, or to be incurred, by the person in performing duties or exercising powers under, or in connection with, regulations made under this Part....rt. (2) But subsection (1) does not enable financial assistance to be provided to data holders, customers, authorised persons or approved persons. (3) The financial assistance may be given on such ...
- ‼️ Economic Impact
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 3—Customer data and business data
The bill proposes the insertion of a provision that allows regulations under this Part to provide that processing information in accordance with them is not a breach of any obligation of confidence owed by the person processing the information, or of any other restriction on the processing of information.
Exemplar quote from bill: ...on, “financial assistance” means any kind of financial assistance whether actual or contingent, including a grant, loan, guarantee or indemnity, but does not include buying a company’s share capital. ...73 Confidentiality and data protection (1) Except as provided by subsection (2), regulations under this Part may provide for the processing of information in accordance with the regulations not to be in breach of— (a) any obligation of confidence owed by the person processing the information, or (b) any other restriction on the processing of information (however imposed)....osed). (2) Regulations under this Part are not to be read as authorising or requiring processing of personal data that would contravene the data protection legislation (but in determining whether p...
- ‼️ Digital Privacy
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 3—Customer data and business data
The bill introduces regulations that provide a framework for handling customer and business data. These regulations can be applied generally or to specific cases, and can be different for different purposes or areas. They also dictate the form and manner of actions, the content of requests, notices or other documents, and the timeframes for actions. The regulations can refer to specifications or technical requirements published by a specified person, and can confer functions on a person, including discretionary functions. They can also make incidental, supplementary, consequential, transitory, transitional or saving provisions.
Exemplar quote from bill: ...ed or duty imposed by the provision of the regulations in question). 74 Regulations under this Part (1) ...Regulations under this Part may (among other things)— (a) make provision generally or in relation to particular cases; (b) make different provision for different purposes or areas; (c) make provision about the form and manner in which things must or may be done; (d) make provision about the content of requests, notices or other documents; (e) make provision about the time by which, or period within which, things must or may be done; (f) make provision by reference to specifications or technical requirements published from time to time by a specified person; (g) confer functions on a person, including functions involving the exercise of a discretion; (h) make incidental, supplementary, consequential, transitory, transitional or saving provision....ovision. (2) Regulations under this Part making the following types of provision may amend or repeal primary legislation— (a) provision about the handling of complaints; (b) provision about the resolu...
- ‼️ Digital Privacy
The regulations provide a framework for handling customer and business data, which could have significant implications for digital privacy.
- ‼️ Tech Company Regulation
The regulations could affect how tech companies handle customer and business data, potentially impacting their operations and responsibilities.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
PEC Regulations
The bill proposes a new duty for providers of public electronic communications services to notify the Commissioner if they suspect any contravention of direct marketing regulations.
Exemplar quote from bill: ...marketing (1) The PEC Regulations are amended as follows. (2) After regulation 26 insert— ...“26A Duty to notify Commissioner of unlawful direct marketing (1) A provider of a public electronic communications service must notify the Commissioner of any reasonable grounds the provider has for suspecting that a person is contravening or has contravened any of the direct marketing regulations in the course of using the service....e. (2) A provider of a public electronic communications network must notify the Commissioner of any reasonable grounds the provider has for suspecting that a person is contravening or has contraven...
- ‼️ Digital Privacy
This change could potentially increase digital privacy by ensuring that violations of direct marketing regulations are reported and potentially addressed.
- ‼️ Tech Company Regulation
This change imposes a new duty on tech companies providing public electronic communications services, potentially increasing their regulatory burden.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
PEC Regulations
The bill proposes a new fixed monetary penalty for providers of public electronic communications services or networks who fail to comply with the new duty to notify the Commissioner of suspected contraventions of direct marketing regulations.
Exemplar quote from bill: ...hin the period of 28 days beginning with the day on which the reasonable grounds for suspicion come to the attention of the provider. (4) “Direct marketing regulations” means regulations 19 to 22. ...26B Fixed penalty for failure to comply with regulation 26A (1) If a provider of a public electronic communications service or public electronic communications network fails to comply with regulation 26A, the Commissioner may issue a fixed monetary penalty notice in respect of the failure....re. (2) The amount of a fixed monetary penalty under this regulation shall be £1,000. (3) Before serving a fixed monetary penalty notice, the Commissioner must serve the provider with a notice of i...
- ‼️ Tech Company Regulation
This change could potentially increase the regulatory burden on tech companies by introducing a new penalty for non-compliance with the new duty to report suspected contraventions of direct marketing regulations.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
eIDAS Regulation
The bill proposes to amend the eIDAS Regulation to include a new Article 24B, which provides for the recognition of EU conformity assessment bodies for the purposes of Articles 20(1), 21 and 24(1)(d).
Exemplar quote from bill: ...n” means Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market. ...88 Recognition of EU conformity assessment bodies In Chapter 3 of the eIDAS Regulation (trust services), after Article 24A insert— “Article 24B Recognition of EU conformity assessment bodies For the purposes of Articles 20(1), 21 and 24(1)(d), a body is to be treated as if it were a conformity assessment body in relation to a description of trust services provider (and trust service) if it is a conformity assessment body in relation to that description of provider (and service) for the purposes of the equivalent EU law.”... 89 Removal of recognition of EU standards etc (1) The Secretary of State may by regulations— ...
- ‼️ Justice System
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
eIDAS Regulation
The bill proposes to amend the eIDAS Regulation to allow the Secretary of State to provide by regulations that an overseas trust product of a specified description is to be treated as qualified for the purposes of certain articles.
Exemplar quote from bill: ...aying down specifications relating to formats of advance electronic signatures and advance seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of the eIDAS Regulation. ...90 Recognition of overseas trust products (1) The eIDAS Regulation is amended as follows. (2) In Chapter 3 of the eIDAS Regulation, after Article 45 insert— “Section 9 Recognition of overseas trust services Article 45A Legal effects of overseas electronic signatures etc 1. The Secretary of State may by regulations provide that, for the purposes of Articles 25(2), 35(2), 41(2) and 43(2), an overseas trust product of a specified description is to be treated as qualified.... 2. In this Article— “overseas”, in relation to a trust product, means provided by a person established in a country or territory outside the United Kingdom; “specified” means specified by regulati...
- ‼️ Justice System
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
eIDAS Regulation
The bill proposes to amend Article 18 of the eIDAS Regulation to replace references to "EU" and "public authority in the EU" with "overseas" and "designated overseas authority", respectively.
Exemplar quote from bill: ...ticle 45A or 45B is subject to annulment in pursuance of either House of Parliament.” (3) In Article 3(21) (definition of “product”), at the end insert “(except in the expression “trust product”)”. ...91 Co-operation between supervisory authority and overseas authorities (1) Article 18 of the eIDAS Regulation (co-operation with EU authorities) is amended as follows. (2) In the heading, for “EU” substitute “overseas”. (3) In paragraph 1, for “public authority in the EU” substitute “designated overseas authority”.... (4) In paragraph 2, for “other than in accordance with the data protection legislation” substitute “if the processing would contravene the data protection legislation (but in determining whether p...
- ‼️ Justice System
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 35 of the Digital Economy Act 2017
The amendment expands the scope of Section 35 of the Digital Economy Act 2017 to include "undertakings" in the disclosure of information to improve public service delivery. Undertakings are defined as any person, other than a public authority, carrying on a trade or business, or any body or trustees of a trust established for charitable purposes only.
Exemplar quote from bill: ...tions under this Article is subject to annulment in pursuance of either House of Parliament.” Sharing of information 92 Disclosure of information to improve public service delivery to undertakings ...(1) Section 35 of the Digital Economy Act 2017 (disclosure of information to improve public service delivery) is amended as follows. (2) In subsection (9)— (a) in paragraph (a), for “or households” substitute “, households or undertakings”, and (b) in paragraph (b), for “or households” substitute “, households or undertakings”. (3) In subsection (10)— (a) the words after “its purpose” become paragraph (a), and (b) at the end of that paragraph, insert “, or (b) the assisting of undertakings in connection with any trade, business or charitable purpose.” (4) After subsection (12) insert— “(13) In this section “undertaking” means— (a) any person, other than a public authority, carrying on a trade or business, whether or not with a view to profit, or (b) any body, or the trustees of a trust, established for charitable purposes only.... (14) In this section, in so far as it forms the law in Scotland and Northern Ireland, “charitable purpose” has the same meaning as it has in the law of England and Wales (see section 2 of the Char...
- ‼️ Economic Impact
This amendment could potentially impact businesses and charities by allowing them to receive disclosed information to improve public service delivery.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Implementation of law enforcement information-sharing agreements
The bill introduces a provision that allows the Secretary of State to make regulations for implementing international agreements related to the sharing of information for law enforcement purposes.
Exemplar quote from bill: ...ection, in so far as it forms the law in Scotland and Northern Ireland, “charitable purpose” has the same meaning as it has in the law of England and Wales (see section 2 of the Charities Act 2011).” ...93 Implementation of law enforcement information-sharing agreements (1) The Secretary of State may by regulations make such provision as the Secretary of State considers appropriate for the purpose of, or in connection with, implementing an international agreement so far as relating to the sharing of information for law enforcement purposes, as it has effect from time to time.... (2) Regulations under this section may— (a) make different provision for different purposes, and (b) make transitional, transitory or saving provision. (3) Subject to subsections (4) and (5), regulat...
- ‼️ National Security
This provision could potentially enhance the UK's ability to cooperate with international law enforcement agencies, thereby strengthening national security.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 39A (regulations made by the Minister: further provisions)
The amendment requires that any statutory instrument containing regulations made by the Minister under section 38B must be laid before and approved by a resolution of each House of Parliament before it can be made.
Exemplar quote from bill: ...ied. (3) In this section “specified” means specified in regulations under this section.” (3) ...In section 39A (regulations made by the Minister: further provisions), after subsection (5) insert— “(6) A statutory instrument that contains (whether alone or with other provision) regulations made by the Minister under section 38B may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.”... 97 Treatment of existing registers and records (1) The repeal of section 28 of the Births and Deaths Registration Act 1953 by section 94 above does not affect— (a) the requirement under section 28(2)...
- ‼️ Political Power
(Variously affected)
- ‼️ Justice System
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Subsection (4)
The amendment modifies the conditions under which a transferring controller can make a transfer in a relevant restricted transfer case. It also restricts the UK authoriser from authorising a further transfer of personal data unless the overseas authoriser has authorised the further transfer or subsection (5) applies.
Exemplar quote from bill: ...riser cannot be obtained in good time.” (4) In subsection (2), for “A competent authority” substitute “The UK authoriser”. (5) In subsection (3), for “competent authority” substitute “UK authoriser”. ...(6) For subsection (4) substitute— “(4) In a relevant restricted transfer case— (a) the transferring controller must make the transfer subject to the condition described in subsection (1)(a), and (b) the UK authoriser may not authorise a further transfer of personal data under subsection (1)(a) unless the overseas authoriser has authorised the further transfer or subsection (5) applies.”... (7) In subsection (5)— (a) for the words before paragraph (a) substitute “This subsection applies if—”, (b) in paragraph (a), for the words from “either” to “State” substitute “to the public secur...
- ‼️ Digital Privacy
This amendment could potentially increase the protection of personal data during transfers, as it adds an additional layer of authorisation from the overseas authoriser.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Subsection (5)
The amendment modifies the conditions under which subsection (5) applies, and changes the criteria in paragraphs (a) and (b) to include public security, national security or essential interests of a third country or the United Kingdom, and authorisation from the overseas authoriser.
Exemplar quote from bill: ...ations under section 74AA that are in force at the time of the transfer, (b) is made subject to appropriate safeguards (see section 75), or (c) is based on special circumstances (see section 76).” ...(7) In subsection (5)— (a) for the words before paragraph (a) substitute “This subsection applies if—”, (b) in paragraph (a), for the words from “either” to “State” substitute “to the public security, national security or essential interests of a third country or the United Kingdom”, and (c) in paragraph (b), for “the authorisation” substitute “authorisation from the overseas authoriser”.... (5) In subsection (6)— (a) for “without the authorisation” substitute “in a relevant restricted transfer case without the authorisation from the overseas authoriser”, and (b) for the words from...
- ‼️ Digital Privacy
This amendment could potentially increase the protection of personal data during transfers, as it adds an additional layer of authorisation from the overseas authoriser and includes national security interests.
- ‼️ National Security
The inclusion of national security interests in the criteria could potentially increase the security of personal data during transfers.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Subsection (6)
The amendment modifies the conditions under which a transfer can be made in a relevant restricted transfer case in subsection (6), requiring authorisation from the overseas authoriser.
Exemplar quote from bill: ...ecurity, national security or essential interests of a third country or the United Kingdom”, and (c) in paragraph (b), for “the authorisation” substitute “authorisation from the overseas authoriser”. ...(8) In subsection (6)— (a) for “without the authorisation” substitute “in a relevant restricted transfer case without the authorisation from the overseas authoriser”, and (b) for the words from “(4)” to “the transfer” substitute “(4)(b), the overseas authoriser”.... SCHEDULE 7 Section 21 TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES ETC: CONSEQUENTIAL AND TRANSITIONAL PROVISION PART 1 CONSEQUENTIAL PROVISION The UK GDPR 1 The UK GDPR is amended as follows. 2 ...
- ‼️ Digital Privacy
This amendment could potentially increase the protection of personal data during transfers, as it adds an additional layer of authorisation from the overseas authoriser.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Part 3 of the 2018 Act (law enforcement processing): transfers subject to appropriate safeguards
The amendment clarifies the conditions under which a transfer of personal data to a third country or international organisation is considered to be made subject to appropriate safeguards. These conditions include the existence of a binding legal instrument and the fact that the transfer would have been considered safe under the previous law.
Exemplar quote from bill: ..., “the relevant day” means the day on which paragraph 4 of Schedule 6 to this Act comes into force. Part 3 of the 2018 Act (law enforcement processing): transfers subject to appropriate safeguards 30 ...For the purposes of section 73(3) of the 2018 Act (general principles for transfers of personal data), a transfer of personal data to a third country or an international organisation made on or after the relevant day is a transfer made subject to appropriate safeguards where— (a) an appropriate pre-commencement legal instrument binds the intended recipient of the data, and (b) if the transfer had been made immediately before the relevant day, it would have been a transfer based on there being appropriate safeguards by virtue of that instrument and section 75(1)(a) of the 2018 Act.... 2018 Act. (2) Sub-paragraph (1) has effect in addition to section 75(1A) of the 2018 Act. 30 (3) For the purposes of sub-paragraph (1), a legal instrument is an “appropriate pre-commencement legal in...
- ‼️ Human Rights
The amendment provides additional safeguards for the transfer of personal data, potentially enhancing the protection of individuals' privacy rights.
- ‼️ National Security
The amendment could impact how law enforcement agencies transfer data internationally, potentially affecting national security operations.
- ‼️ Digital Privacy
The amendment directly relates to the protection of personal data during international transfers, a key aspect of digital privacy.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
The UK GDPR
The amendment changes the process for lodging a complaint under the UK GDPR. Instead of lodging a complaint with the Commissioner, individuals will now make a complaint to the controller under section 164A of the 2018 Act or to the Commissioner under section 165 of that Act.
Exemplar quote from bill: ...comes into force; 10 “third country” has the same meaning as in Part 3 of the 2018 Act (see section 33 of that Act). SCHEDULE 8 Section 41 COMPLAINTS: MINOR AND CONSEQUENTIAL AMENDMENTS The UK GDPR 1 ...The UK GDPR is amended as follows. 2 In Article 12(4) (transparent information, communication and modalities for the exercise of the rights of the data subject), for “lodging a complaint with the Commissioner” substitute “making a complaint to the controller under section 164A of the 2018 Act, making a complaint to the Commissioner under section 165 of that Act”....t”. 3 Article 13(2) (information to be provided where personal data are collected 20 from the data subject) is amended as follows. (1) (2) After point (c) insert— “(ca) the right to make a complaint t...
- ‼️ Human Rights
The amendment changes the process for individuals to exercise their right to lodge a complaint, potentially affecting their ability to seek redress for violations of their privacy rights.
- ‼️ Digital Privacy
The amendment directly relates to the process for lodging complaints under the UK GDPR, a key aspect of digital privacy.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 149 (enforcement notices)
The bill proposes to amend Section 149 by adding a new type of failure where a controller has failed, or is failing, to comply with section 164A or with regulations under section 164B.
Exemplar quote from bill: ...ded or excessive requests by data subjects), after subsection (5) (inserted by section 32 of this Act), insert— “(6) In this section, “request” does not include a complaint under section 165.” 19 (1) ...Section 149 (enforcement notices) is amended as follows. (2) In subsection (1), for “or (5)” substitute “, (5) or (5A)”. (3) After subsection (5) insert— “(5A) The fifth type of failure is where a controller has failed, or is failing, to comply with section 164A or with regulations under section 164B.” (4) In subsection (6), for “or (5)” substitute “, (5) or (5A)”.... section 164A or with regulations under section 164B.” (4) In subsection (6), for “or (5)” substitute “, (5) or (5A)”. 20 In section 155 (penalty notices), in subsection (1)(a), for “or (5)” substitut...
- ‼️ Human Rights
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 157 (maximum amount of penalty)
The bill proposes to amend Section 157 by specifying that the maximum penalty for an infringement of section 164A or regulations under section 164B is the standard maximum amount.
Exemplar quote from bill: ...regulations under section 164B.” (4) In subsection (6), for “or (5)” substitute “, (5) or (5A)”. 20 In section 155 (penalty notices), in subsection (1)(a), for “or (5)” substitute “, (5) or (5A)”. 21 ...In section 157 (maximum amount of penalty), after subsection (4) insert— “(4A) In relation to an infringement of section 164A or of regulations under section 164B, the maximum amount of the penalty that may be imposed by a penalty notice is the standard maximum amount.”...t.” 22 In section 165 (complaints by data subjects), in the heading, at the end insert “to the Commissioner”. 23 (1) Section 166 (orders to progress complaints) is amended as follows. 15 (2) In the he...
- ‼️ Human Rights
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 187 (representation of data subjects with their authority)
The bill proposes to amend Section 187 so that subsections (1)(a) and (2) refer to the right under section 164A (complaints to the controller), and to replace "165(2) and (4)(d)" with "165".
Exemplar quote from bill: ...3 (1) Section 166 (orders to progress complaints) is amended as follows. 15 (2) In the heading, at the end insert “to the Commissioner”. (3) In subsection (1), omit “or Article 77 of the UK GDPR”. 24 ...Section 187 (representation of data subjects with their authority) is amended as follows. (2) In subsection (1)(a)— (a) for “Articles 77,” substitute “sections 164A and 165 (complaints) and Articles”, and (b) omit “to lodge complaints and”. (3) In subsection (2)— (a) before paragraph (a) insert— “(za) the right under section 164A (complaints to the controller);”, and (b) in paragraph (a), for “165(2) and (4)(d)” substitute “165”....ute “165”. 25 30 Section 204A (vexatious or excessive) (inserted by section 7 of this Act) is amended as follows. (1) (2) After subsection (1) insert— “(1A) For the purposes of this Act, whether a com...
- ‼️ Human Rights
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 204A (vexatious or excessive)
The bill proposes to amend Section 204A by adding a new subsection (1A) that provides criteria for determining whether a complaint to the Commissioner is vexatious or excessive. It also proposes to amend subsection (2) to include "and complaints" after "requests".
Exemplar quote from bill: ...) In subsection (2)— (a) before paragraph (a) insert— 25 “(za) the right under section 164A (complaints to the controller);”, and (b) in paragraph (a), for “165(2) and (4)(d)” substitute “165”. 25 30 ...Section 204A (vexatious or excessive) (inserted by section 7 of this Act) is amended as follows. (2) After subsection (1) insert— “(1A) For the purposes of this Act, whether a complaint to the Commissioner is vexatious or excessive must be determined having regard to the circumstances of the complaint, including (so far as relevant)— (a) the nature of the complaint, (b) the complainant’s relationship with the person who is the subject of the complaint (“the subject”) and the Commissioner, (c) the resources available to the Commissioner, (d) the extent to which the complaint repeats a previous complaint made by the complainant to the subject or the Commissioner, (e) how long ago any previous complaint was made, and (f) whether the complaint overlaps with other complaints made by the complainant to the subject or the Commissioner.” (3) In subsection (2), after “requests”, in both places it occurs, insert “and complaints”....the subject or the Commissioner.” (3) In subsection (2), after “requests”, in both places it occurs, insert “and complaints”. SCHEDULE 9 Section 45 10 DATA PROTECTION: MINOR AMENDMENTS The UK GDPR 1 T...
- ‼️ Human Rights
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
The UK GDPR
The bill proposes to amend the UK GDPR by adding new definitions for "the data protection legislation", "direct marketing", "enactment", and "tribunal".
Exemplar quote from bill: ... the subject or the Commissioner.” (3) In subsection (2), after “requests”, in both places it occurs, insert “and complaints”. SCHEDULE 9 Section 45 10 DATA PROTECTION: MINOR AMENDMENTS The UK GDPR 1 ...The UK GDPR is amended as follows. 2 (1) Article 4(1) (interpretation) is amended as follows. (2) After point (A3) insert— “(A4) “the data protection legislation” has the same meaning as in the 2018 Act (see section 3(9) of that Act);”. (3) After point (15) insert— “(15A) “direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals;”. (4) After point (28) insert— “(29) “enactment” has the same meaning as in the 2018 Act (see section 205 of that Act); (30) “tribunal” means any tribunal in which legal proceedings may be brought.”...brought.” 3 In Article 9 (processing of special categories of personal data)— (a) in paragraph 2, after “apply if” insert “the processing is based on Article 6(1) and”, (b) in paragraph 2(f), after “c...
- ‼️ Human Rights
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Article 9 (processing of special categories of personal data)
The bill proposes to amend Article 9 by specifying that the processing is based on Article 6(1), adding "or tribunals" after "courts", and changing the wording in paragraph 3.
Exemplar quote from bill: ...) After point (28) insert— “(29) “enactment” has the same meaning as in the 2018 Act (see section 205 of that Act); (30) “tribunal” means any tribunal in which legal proceedings 25 may be brought.” 3 ...In Article 9 (processing of special categories of personal data)— (a) in paragraph 2, after “apply if” insert “the processing is based on Article 6(1) and”, (b) in paragraph 2(f), after “courts” insert “or tribunals”, and (c) in paragraph 3, for the words from the beginning to “data are” substitute “Paragraph 1 is only disapplied by point (h) of paragraph 2 if the personal data is”....s”. 4 35 In Article 12(5) (information etc to be provided free of charge), at the beginning insert “Subject to Article 15(3),”. 5 In Article 23(1)(h) (restrictions), for “(a)” substitute “(c)”. Data P...
- ‼️ Human Rights
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Schedule 10—Privacy and electronic communications: Commissioner’s enforcement powers
The bill proposes to amend the language in Schedule 10, replacing references to "the processing of personal data" and "controller or processor" with broader terms such as "any activity regulated by the PEC Regulations" and "person". This change expands the scope of the regulations to cover any activity regulated by the PEC Regulations, not just the processing of personal data. It also broadens the entities that can be held accountable from just controllers or processors to any person involved in such activities.
Exemplar quote from bill: ...or” there were substituted “person to whom it is given”; 176 Data Protection and Digital Information (No. 2) Bill Schedule 10—Privacy and electronic communications: Commissioner’s enforcement powers ...(ii) in paragraph (h), for “the processing of personal data” there were substituted “any activity regulated by the PEC Regulations”;... (iii) 5 in paragraph (i), for “process personal data on behalf of the controller” there were substituted “are involved in any such activity on behalf of the person to whom the notice is given”; (d) i...
- ‼️ Digital Privacy
This amendment broadens the scope of privacy regulations, potentially increasing protections for individuals' digital information.
- ‼️ Tech Company Regulation
The change could have significant implications for tech companies, as it expands the range of activities and entities that can be held accountable under the PEC Regulations.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 155 (penalty notices)
The amendment modifies the conditions under which penalty notices can be issued, specifically to include failure to comply with the PEC Regulations and the prohibition in section 142(8B).
Exemplar quote from bill: ...unications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “the PEC Regulations”. Modification of section 155 (penalty notices) 15 ...Section 155 has effect as if— 5 (a) in subsection (1)— (i) in paragraph (a), for “as described in section 149(2), (3), (4), (5) or (5A)” there were substituted “to comply with a requirement of the PEC Regulations”; (ii) after paragraph (c), there were inserted “or 10 (d) has failed to comply with the prohibition in section 142(8B),”;... (b) after subsection (1) there were inserted— “(1A) 15 But the Commissioner may not give a penalty notice to a person in respect of a failure to comply with regulation 5A or 26A of the PEC Regulation...
- ‼️ Justice System
The amendment could potentially increase the number of penalty notices issued, impacting the legal processes and enforcement mechanisms.
- ‼️ Digital Privacy
The amendment could potentially increase the enforcement of digital privacy regulations, impacting the rights and protections of individuals.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 155 (penalty notices)
The amendment allows for penalty notices to be issued to an officer of a body corporate or a Scottish partnership if the Commissioner is satisfied that the failure to comply with regulations 19 to 24 of the PEC Regulations took place with the consent or connivance of the officer, or was attributable to any neglect on the part of the officer.
Exemplar quote from bill: ... compliance with the requirements of the PEC Regulations”; (iv) paragraph (g) were omitted; (v) in paragraph (j), the words “or certification mechanism” were omitted; (e) subsection (4) were omitted; ...(f) after subsection (4) there were inserted— 35 “(4A) If a penalty notice is given to a body in respect of a failure to comply with any of regulations 19 to 24 of the PEC Regulations, the Commissioner may also give a penalty notice 40 to an officer of the body if the Commissioner is satisfied that the failure— (a) took place with the consent or connivance of the officer, or (b) was attributable to any neglect on the part of the officer....le 10—Privacy and electronic communications: Commissioner’s enforcement powers (b) was attributable to any neglect on the part of the officer. (4B) In subsection (4A)— 5 “body” means a body corporate...
- ‼️ Justice System
The amendment could potentially increase the accountability of officers in a body corporate or a Scottish partnership, impacting the legal processes and enforcement mechanisms.
- ‼️ Digital Privacy
The amendment could potentially increase the enforcement of digital privacy regulations, impacting the rights and protections of individuals.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: amendment
Health and Social Care Act 2012
The bill proposes amendments to the Health and Social Care Act 2012, specifically in Part 9, to include powers to publish standards, a standard relating to information technology or IT services used in connection with the processing of information, and the definition of "relevant IT provider".
Exemplar quote from bill: ...1—Registers of births and deaths: minor and consequential amendments Part 2—Amendments of other legislation SCHEDULE 12 Section 99 INFORMATION STANDARDS FOR HEALTH AND ADULT SOCIAL CARE IN ENGLAND 1 ...Part 9 of the Health and Social Care Act 2012 (health and adult social care services: information) is amended as follows.... 2 Before section 250 insert— 5 “Powers to publish standards”. 3 Section 250 (powers to publish information standards) is amended as follows. (1) (2) 10 In subsection (2), at the end insert “and inclu...
- ‼️ Public Health
(Variously affected)
- ‼️ Tech Company Regulation
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 250A
The bill proposes the insertion of a new section 250A, which allows for the creation of information standards relating to information technology or IT services. These standards can cover a wide range of aspects, including the design, quality, capabilities, or other characteristics of such technology or services, as well as the contracts or arrangements under which they are made available. The standards can also include technical provisions about functionality, connectivity, interoperability, portability, storage of and access to information, and security of information. The standards can be made by reference to open or proprietary standards.
Exemplar quote from bill: ...r as the technology or service is used, or intended to be used, in connection with the provision in, or in relation to, England of health care or of adult social care.” 4 After section 250 insert— ...“250A Standards relating to information technology (1) An information standard relating to information technology or IT services may, among other things, make provision about— (a) the design, quality, capabilities or other characteristics of such technology or services; (b) contracts or other arrangements under which such technology or services are marketed, supplied, provided or otherwise made available. (2) An information standard may include technical provision about information technology or IT services, including provision about— (a) functionality; (b) connectivity; (c) interoperability; (d) portability; (e) storage of, and access to, information; (f) security of information. (3) An information standard may make provision by reference to open standards or proprietary standards.”... 5 (1) Section 251 (information standards: procedure etc) is amended as follows. (2) In the heading omit “Information standards:”. (3) For subsection (3) substitute— “(3) The power under section 25...
- ‼️ Digital Economy
(Variously affected)
- ‼️ Tech Company Regulation
(Variously affected)
- ‼️ Cybersecurity
(Variously affected)
- ‼️ Interoperability
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 251ZB
The bill proposes the insertion of a new section 251ZB, which gives the Secretary of State the power to issue a written notice to IT providers suspected of non-compliance with an information standard. The notice must identify the standard in question, set out the grounds for suspicion, ask the provider to comply within a specified period, ask the provider to provide evidence of compliance, and may set out the steps the provider must take to comply.
Exemplar quote from bill: ...me.” 6 After section 251 insert— “Compliance with standards”. 7 For the heading of section 251ZA (information standards: compliance) substitute “Monitoring compliance”. 8 After that section insert— ...“251ZB Notice requesting compliance by relevant IT providers (1) If the Secretary of State has reasonable grounds to suspect that a relevant IT provider is not complying with an information standard which applies to the provider, the Secretary of State may give the provider a written notice which— (a) identifies the standard in question, (b) sets out the Secretary of State’s grounds for suspecting that the provider is not complying with the standard, (c) asks the provider to comply with the standard within a period specified in the notice, (d) asks the provider, within a period specified in the notice, to provide evidence to the Secretary of State’s satisfaction that the provider is complying with the standard, and (e) if the Secretary of State considers it appropriate, sets out the steps that the Secretary of State considers the provider must take, within a period specified in the notice, in order to comply with the standard.... (2) A period specified for the purposes of subsection (1)(c), (d) or (e) must be a period of at least 28 days beginning with the day on which the notice is given. (3) The Secretary of State may, b...
- ‼️ Tech Company Regulation
(Variously affected)
- ‼️ Cybersecurity
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 251ZC
The bill proposes the insertion of a new section 251ZC, which gives the Secretary of State the power to publicly censure IT providers suspected of non-compliance with an information standard.
Exemplar quote from bill: ...beginning with the day on which the notice is given. (3) The Secretary of State may, by giving the relevant IT provider a further written notice, vary or revoke a notice given under subsection (1). ...“251ZC Public censure of relevant IT providers (1) If the Secretary of State has reasonable grounds to suspect that a relevant IT provider is not complying with an information standard which applies to the provider, the Secretary of State may publish a statement to that effect.... (2) The statement may include the text of a notice given to the provider under section 251ZB. ...
- ‼️ Tech Company Regulation
(Variously affected)
- ‼️ Cybersecurity
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Section 251ZE
The bill proposes the insertion of a new section 251ZE, which allows for the creation of regulations to establish and operate an accreditation scheme for information technology and IT services used or intended to be used in connection with the provision of health care or adult social care in England.
Exemplar quote from bill: ...te. (5) Section 304(9) applies in relation to the power to make arrangements under subsection (2) as it applies to a power of the Secretary of State to give directions under this Act. Accreditation ...“251ZE Accreditation of information technology etc (1) Regulations may make provision for the establishment and operation of a scheme for the accreditation of information technology and IT services so far as used, or intended to be used, in connection with the provision in, or in relation to, England of health care or of adult social care.... (2) The regulations may provide for the scheme to be establishe...
- ‼️ Tech Company Regulation
(Variously affected)
- ‼️ Public Health
(Variously affected)
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Schedule 13—The Information Commission
The bill proposes a new provision on the appointment of the chair and members of the Information Commission. They must be selected on merit through a fair and open competition.
Exemplar quote from bill: ...tion and Digital Information (No. 2) Bill 195 Schedule 13—The Information Commission as practicable, at all times greater than the number of executive members. Membership: selection on merit etc 5 5 ...The Secretary of State may not recommend a person for appointment as the chair of the Commission unless the person has been selected on merit on the basis of fair and open competition....ion. (2) A person may not be appointed as a member of the Commission 10 unless the person has been selected on merit on the basis of fair and open competition. Membership: conflicts of interests 6 (1)...
- ‼️ Political Power
This change could potentially increase the transparency and fairness of the appointment process for the Information Commission, which could lead to a more competent and diverse Commission.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Schedule 13—The Information Commission
The bill introduces a new provision that requires the Secretary of State to be satisfied that a person does not have a conflict of interest before recommending them for appointment as the chair, or appointing them as a non-executive member, of the Information Commission.
Exemplar quote from bill: ...on. (2) A person may not be appointed as a member of the Commission 10 unless the person has been selected on merit on the basis of fair and open competition. Membership: conflicts of interests 6 (1) ...Before— (a) recommending a person for appointment as the chair of the Commission, or (b) appointing a person as a non-executive member of the Commission, the Secretary of State must be satisfied that the person does not have a conflict of interest....st. (2) 20 The Secretary of State must check from time to time that none of the non-executive members has a conflict of interest. (3) The Secretary of State may require a non-executive member to provi...
- ‼️ Political Power
This change could potentially reduce the risk of corruption or bias in the Information Commission, which could lead to more impartial decision-making.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Schedule 13—The Information Commission
The bill proposes new provisions on the tenure of the chair of the Information Commission. The chair is to be appointed for a term of not more than 7 years and cannot be appointed more than once.
Exemplar quote from bill: ... to a person, 30 means a financial or other interest which is likely to affect prejudicially the discharge by the person of the person’s functions as a member of the Commission. Tenure of the chair 7 ...The chair of the Commission holds and vacates office in accordance with the terms of the chair’s appointment, subject to the provisions of this paragraph....ph. (1) (2) The chair must be appointed for a term of not more than 7 years. (3) On the recommendation of the Secretary of State, His Majesty may by Letters Patent extend the term of the chair’s appoi...
- ‼️ Political Power
This change could potentially prevent the concentration of power in the hands of a single individual, which could lead to a more democratic and accountable Information Commission.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵🔵 High
- Type: insertion
Term limit for the chair of the Information Commission
The bill proposes a term limit for the chair of the Information Commission. The term may not be extended such that it exceeds a total of 7 years from the day the person took office.
Exemplar quote from bill: ... chair of the Information Commission for a term that expires at the time the person would cease to hold the office of Information Commissioner but for the abolition of that office by section 101. (3) ...The term for which the person is treated as having been appointed as the chair of the Information Commission may not be extended under paragraph 7(3) of Schedule 12A to the 2018 Act so that the term as extended expires after the end of the period of 7 years beginning with the day the person began to hold the office of Information Commissioner....er. 204 Data Protection and Digital Information (No. 2) Bill Schedule 13—The Information Commission ...
- ‼️ Political Power
This change could potentially limit the concentration of power in the hands of the chair of the Information Commission by ensuring a regular turnover in leadership. This could promote fresh perspectives and prevent stagnation in the Commission's approach to data protection and digital information.
- ‼️ Justice System
This change could impact the continuity and consistency of the Commission's decisions and policies, as new chairs may bring different priorities and interpretations of the law.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵 Moderate
- Type: amendment
Assessment of high risk processing
The bill proposes to amend the UK GDPR to replace the term "Data protection impact assessment" with "Assessment of high risk processing".
Exemplar quote from bill: ...ustification for, and”, and (b) in subsection (3)(a), omit “justification for, and”. 10 17 Assessment of high risk processing (1) The UK GDPR is amended in accordance with subsections (2) to (4). (2) ...In the heading of Section 3 of Chapter 4, for “Data protection impact assessment” substitute “Assessment of high risk processing”.... (3) In Article 35 (data protection impact assessment)— 15 (a) for the heading substitute “Assessment of high risk processing”, (b) in paragraph 1, for “natural persons” substitute “individuals”, (c) ...
- ‼️ Corporate Governance
This change could potentially increase the focus on high-risk data processing activities, leading to more stringent assessments and potentially better data protection.
- ‼️ Human Rights
This change could potentially enhance the protection of personal data, as it emphasizes the need for assessments of high-risk data processing activities.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵 Moderate
- Type: insertion
Section 120G
The bill introduces a new provision that requires the Secretary of State to review the statement of strategic priorities every three years.
Exemplar quote from bill: ... in any part of the United Kingdom. (6) For a further duty of the Commissioner in relation to the statement of strategic priorities, see section 139(1A)(c). 120G Review of designated statement 20 (1) ...The Secretary of State must review the statement of strategic priorities if a period of 3 years has elapsed since the relevant time.... (2) The “relevant time”, in relation to the statement of strategic priorities, means— (a) the time when the statement was first designated under section 25 120E, or (b) if later, the time when a revi...
- ‼️ Political Power
This change could potentially ensure that the strategic priorities for data protection are regularly updated and remain relevant.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵 Moderate
- Type: insertion
Part 3—Customer data and business data
The bill introduces a requirement for the relevant person to review data regulations currently in force before the end of a 5-year period starting from when the regulations come into force, and at subsequent intervals not exceeding 5 years.
Exemplar quote from bill: ... data (b) an Act of the Scottish Parliament; (c) a Measure or Act of Senedd Cymru; (d) Northern Ireland legislation; (e) retained direct principal EU legislation. 75 Duty to review regulations 5 (1) ...The relevant person must review data regulations for the time being in force— (a) before the end of the period of 5 years beginning with the day on which the regulations come into force, and (b) at subsequent intervals not exceeding 5 years.... (2) In carrying out the review, the relevant person must have regard to the matters 10 to which the relevant person was required to have regard in deciding whether to make the regulations (see sectio...
- ‼️ Digital Privacy
The regular review of data regulations could help ensure that they remain relevant and effective in protecting digital privacy.
- ‼️ Tech Company Regulation
The regular review of data regulations could impact tech companies by potentially leading to changes in the regulations they must comply with.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵 Moderate
- Type: insertion
PEC Regulations
The bill proposes that the Commissioner must produce and publish guidance on what may constitute reasonable grounds for suspecting contraventions of direct marketing regulations.
Exemplar quote from bill: ...) A statutory instrument containing regulations under this regulation may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament. ...26C Guidance in relation to regulation 26A (1) The Commissioner must produce and publish guidance about what may constitute reasonable grounds for suspecting that a person is contravening or has contravened any of the direct marketing regulations in the course of using a public electronic communications service or public electronic communications network.... (2) The Commissioner may— (a) alter and replace guidance produced under this regulation, ...
- ‼️ Tech Company Regulation
This change could potentially provide clarity for tech companies on their new duty to report suspected contraventions of direct marketing regulations.
- 🟢 Flagged for scrutiny
- Impact: 🔵🔵 Moderate
- Type: insertion
Schedule 13—The Information Commission
The bill allows the Information Commission to establish committees, which can include individuals who are neither members nor employees of the Commission.
Exemplar quote from bill: ... of loss of employment) as the Commission may determine, and (b) provide and maintain for them such pension schemes 25 (whether contributory or not) as the Commission may determine. Committees 13 (1) ...The Commission may establish committees.... (2) A committee of the Commission may consist of or include persons who are neither members nor employees of the Commission. (3) But a committee of the Commission to which functions are 30 delegated ...
- ‼️ Political Power
This change could potentially increase the diversity of perspectives in the committees of the Information Commission, which could lead to more comprehensive and inclusive decision-making.
- ⚫ Notable
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 2—Digital verification services
The bill proposes a new process for removing a person from the Digital Verification Services (DVS) register and refusing their re-registration for a specified period.
Exemplar quote from bill: ...(7) When deciding whether to remove the person from the DVS register, the Secretary of State must consider any oral or written representations made by the person in accordance with the notice. (8) 40 ...Where the Secretary of State removes the person from the DVS register, the Secretary of State must by written notice inform the person— (a) that the person has been removed from the register, and (b) that any application for re-registration made by the person during a period specified in the notice must be refused.... (9) If the person applies to be re-registered during the period specified in the 5 notice under subsectio...
- ‼️ Justice System
(Variously affected)
- ‼️ Digital Identity
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 2—Digital verification services
The bill introduces a provision for the Secretary of State to revise and republish the DVS trust framework, including the addition or alteration of rules.
Exemplar quote from bill: ...) The period specified in the notice under subsection (8)(b) must begin with the day the notice is given and must not exceed two years. 53 Revising the DVS trust framework: top-up certificates (1) 10 ...This section applies where the Secretary of State revises and republishes the DVS trust framework and the revisions include— (a) the addition of a rule, or (b) the alteration of an existing rule.... (2) The DVS trust framework may provide that, on and after a specified date, a 15 pre-revision certificate is required to be ignored for the purposes of section 48(4)(a) and 51(1)(c), unless the pers...
- ‼️ Justice System
(Variously affected)
- ‼️ Digital Identity
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵🔵 High
- Type: insertion
Part 2—Digital verification services
The bill proposes a new power for the Secretary of State to require information from an accredited conformity assessment body or a person registered in the DVS register.
Exemplar quote from bill: ...es. (4) The Secretary of State may enforce subsection (3) in civil proceedings for an injunction or, in Scotland, an interdict. Supplementary 58 Power of Secretary of State to require information (1) ...The Secretary of State may by written notice require— (a) an accredited conformity assessment body, or (b) a person registered in the DVS register, to provide the Secretary of State with information that the Secretary of State reasonably requires for the purposes of the exercise of the Secretary of State’s functions under this Part.... (2) A notice under this section must state why the information is required for the purposes of the exercise of those functions. (3) A notice under this section— (a) 25 may specify or describe p...
- ‼️ Justice System
(Variously affected)
- ‼️ Digital Identity
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵🔵 High
- Type: substitution
Schedule 1
The bill proposes to substitute Schedule 1 with the Schedule set out in Schedule 10.
Exemplar quote from bill: ...ommissioner under those provisions, as applied by that Schedule.” (6) Omit regulation 31A (third party information notices). (7) Omit regulation 31B (appeals against third party information notices). ...(8) For Schedule 1 substitute the Schedule set out in Schedule 10.... (9) In paragraph 58(1) of Schedule 20 to the 2018 Act (transitional provision 15 relating to the PEC Regulations) for “regulations 2, 31 and 31B of, and Schedule 1 to,” substitute “regulation 2 of”. ...
- ‼️ Justice System
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 20
The bill proposes to amend Section 20 to change the title of the Commissioner for the Retention and Use of Biometric Material to the Investigatory Powers Commissioner.
Exemplar quote from bill: ...e Retention and Use of Biometric Material 5 is abolished. (2) Part 1 of the Protection of Freedoms Act 2012 (regulation of biometric data) is amended in accordance with subsections (3) to (6). (3) 10 ...For the heading before section 20 substitute “Functions of the Investigatory Powers Commissioner”.... (4) In section 20 (appointment and functions of the Commissioner for the Retention and Use of Biometric Material)— (a) in the heading, omit “Appointment and”, (b) omit subsection (1), (c) after that ...
- ‼️ Justice System
(Variously affected)
- ‼️ Human Rights
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 22
The bill proposes to amend Section 22 to replace references to the Commissioner for the Retention and Use of Biometric Material with the Investigatory Powers Commissioner.
Exemplar quote from bill: ...nctions under this section and the section 63D functions.” (5) Omit section 21 (reports by Commissioner). 126 Data Protection and Digital Information (No. 2) Bill Part 5—Regulation and oversight (6) ...In section 22 (guidance on making national security determinations)— (a) in subsection (4)— (i) for “the guidance, or revising guidance already given” substitute “guidance or revised guidance under this section”, and (ii) for “Commissioner for the Retention and Use of Biometric Material” substitute “Investigatory Powers Commissioner”..., (b) in subsection (5)— (i) after “giving guidance” insert “or revised guidance”, (ii) omit “or revising guidance already given,” (iii) in paragraph (a), for “revisions” substitute “revised guidanc...
- ‼️ Justice System
(Variously affected)
- ‼️ Human Rights
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵🔵 High
- Type: amendment
Section 63AB of the Police and Criminal Evidence Act 1984
The bill proposes to amend Section 63AB of the Police and Criminal Evidence Act 1984 to change the title of the National DNA Database Strategy Board to the Oversight of Biometrics Databases.
Exemplar quote from bill: ...amera Commissioner”; (b) in Part 6 of Schedule 1 to the Freedom of Information Act 2000 (public authorities), omit “The Surveillance Camera Commissioner”. 106 Oversight of biometrics databases 30 (1) ...Section 63AB of the Police and Criminal Evidence Act 1984 (National DNA Database Strategy Board) is amended as follows. (2) For the heading substitute “Oversight of biometrics databases”.... (3) In subsection (1)— (a) for “National DNA Database Strategy Board” substitute “Strategy 35 Board (“the Board”)”, (b) after “of” insert “— (a) ”, and (c) at the end insert “, and 128 Data Protectio...
- ‼️ Justice System
(Variously affected)
- ‼️ Human Rights
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵🔵 High
- Type: amendment
Births and Deaths Registration Act 1953
The bill proposes several amendments to the Births and Deaths Registration Act 1953. These changes include modifications to the process of re-registration of births, registration of name changes, correction of errors in registers, searches of indexes kept by the Registrar General, obtaining copies of entries from registrars, issuance of short certificates of birth, and the interpretation of what constitutes a register in hard copy form.
Exemplar quote from bill: ...THS AND DEATHS REGISTRATION ACT 1953 1 The Births and Deaths Registration Act 1953 is amended as follows. 25 2 Section 3A (registration of births of abandoned children) is amended as follows. (1) (2) ...In subsection (5), for the words from “direct” to the end substitute “enter 30 in the margin of the relevant register of births a reference to the re-registration of the birth or, if the relevant register of births is in hard copy form, shall direct the officer having custody of that register to do so.”... Data Protection and Digital Information (No. 2) Bill 183 Schedule 11—Registers of births and deaths: minor and consequential amendments Part 1—Amendments of the Births and Deaths Registration Act 195...
- ‼️ Human Rights
(Variously affected)
- ‼️ Justice System
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Section 43 (overview and scope of Chapter 3 of Part 3: rights of the data subject in connection with law enforcement processing)
The amendment changes the references in section 43 from section 44 to sections 44 and 45A, and from section 45 to sections 45 and 45A.
Exemplar quote from bill: ... legitimate interests, including by making the information available publicly.” 10 Data subjects’ rights to information: legal professional privilege exemption (1) The 2018 Act is amended as follows. ...(2) In section 43 (overview and scope of Chapter 3 of Part 3: rights of the data subject in connection with law enforcement processing)— (a) in subsection (1)(a), for “section 44” substitute “sections 44 and 45A”, 25 and (b) in subsection (1)(b), for “section 45” substitute “sections 45 and 45A”.... (3) For the italic heading before section 44 substitute— “Data subject’s rights to information”. (4) In the heading of section 44, omit “Information:”. 30 (5) Omit the italic heading before section 4...
- ‼️ Justice System
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: insertion
Part 2—Digital verification services
The bill introduces a provision for the Secretary of State to designate a mark for use in the course of providing or offering to provide digital verification services.
Exemplar quote from bill: ...erson exercising functions of a public nature. 82 Data Protection and Digital Information (No. 2) Bill Part 2—Digital verification services Trust mark 57 Trust mark for use by registered persons (1) ...The Secretary of State may designate a mark for use in the course of providing, or offering to provide, digital verification services.... (2) A mark designated under this section must be published by the Secretary of 5 State. (3) A mark designated under this section may not be used by a person in the course of providing, or offering to...
- ‼️ Digital Identity
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Regulations 32 and 33
The bill proposes to amend regulations 32 and 33 to define "enforcement functions" as the functions of the Information Commissioner under those provisions.
Exemplar quote from bill: ...enforcement powers 5 (1) Schedule 1 provides for certain provisions of Parts 5 to 7 of the Data Protection Act 2018 to apply with modifications for the purposes of enforcing these Regulations. (2) 10 ...In regulations 32 and 33, “enforcement functions” means the functions of the Information Commissioner under those provisions, as applied by that Schedule.”... (6) Omit regulation 31A (third party information notices). (7) Omit regulation 31B (appeals against third party information notices). (8) For Schedule 1 substitute the Schedule set out in Schedule 10...
- ‼️ Justice System
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Paragraph 58(1) of Schedule 20 to the 2018 Act
The bill proposes to amend paragraph 58(1) of Schedule 20 to the 2018 Act, replacing the reference to "regulations 2, 31 and 31B of, and Schedule 1 to," with "regulation 2 of".
Exemplar quote from bill: ...6) Omit regulation 31A (third party information notices). (7) Omit regulation 31B (appeals against third party information notices). (8) For Schedule 1 substitute the Schedule set out in Schedule 10. ...(9) In paragraph 58(1) of Schedule 20 to the 2018 Act (transitional provision 15 relating to the PEC Regulations) for “regulations 2, 31 and 31B of, and Schedule 1 to,” substitute “regulation 2 of”.... Trust services 87 The eIDAS Regulation In sections 88 to 91, “the eIDAS Regulation” means Regulation (EU) No. 20 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic iden...
- ‼️ Justice System
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: insertion
eIDAS Regulation
The bill proposes to insert a definition for "the eIDAS Regulation" in sections 88 to 91, referring to Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
Exemplar quote from bill: ...to the 2018 Act (transitional provision 15 relating to the PEC Regulations) for “regulations 2, 31 and 31B of, and Schedule 1 to,” substitute “regulation 2 of”. Trust services 87 The eIDAS Regulation ...In sections 88 to 91, “the eIDAS Regulation” means Regulation (EU) No. 20 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.... 88 Recognition of EU conformity assessment bodies In Chapter 3 of the eIDAS Regulation (trust services), after Article 24A insert— 25 “Article 24B Recognition of EU conformity assessment bodies For t...
- ‼️ Justice System
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: repeal
Section 28 of the Births and Deaths Registration Act 1953
Section 28 of the Births and Deaths Registration Act 1953 is repealed, but the requirements under section 28(2) and 28(4) of that Act are not affected by the repeal.
Exemplar quote from bill: ...under section 38B may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.” 97 Treatment of existing registers and records (1) ...The repeal of section 28 of the Births and Deaths Registration Act 1953 by section 94 above does not affect—... (a) the requirement under section 28(2) of that Act for every 10 superintendent registrar (“S”) to keep with the records of S’s office any registers of live-births or of deaths which are in S’s custo...
- ‼️ Justice System
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: insertion
Part 6—Final provisions
The bill provides for any expenditure incurred under this Act by the Secretary of State, the Treasury, or a government department to be paid out of money provided by Parliament. It also covers any increase attributable to this Act in the sums payable under any other Act out of money so provided.
Exemplar quote from bill: ...tion (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. ...110 Financial provision 20 There is to be paid out of money provided by Parliament— (a) any expenditure incurred under or by virtue of this Act by the Secretary of State, the Treasury or a government department, and (b) 25 any increase attributable to this Act in the sums payable under any other Act out of money so provided.... 111 Extent (1) This Act extends to England and Wales, Scotland and Northern Ireland, subject to subsections (2) to (4). (2) The following provisions extend to England and Wales only— (a) sections 94 ...
- ‼️ Economic Impact
This provision has implications for public spending, as it commits Parliament to cover any expenditure or increased costs resulting from this Act.
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: substitution
Section 67(4)(b), Section 68(2)(b), Section 134, Section 135(1)
The bill proposes to replace the term "data protection officer" with "senior responsible individual" in several sections of the existing legislation.
Exemplar quote from bill: ...n with the Commissioner (see section 63); (ad) 5 makes provision about risk assessment (see section 64) and prior consultation with the Commissioner (see section 65);”, and (c) omit paragraph (d). 15 ...In section 67(4)(b) (notification of a personal data breach to the Commissioner), for “data protection officer” substitute “senior responsible individual”.... 16 In section 68(2)(b) (communication of a personal data breach to the data subject), for “data protection officer” substitute “senior responsible individual”. 17 15 Section 134 (Commissioner’s po...
- ‼️ Human Rights
(Variously affected)
- ‼️ Justice System
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Section 135 (manifestly unfounded or excessive requests by data subjects)
The bill proposes to amend Section 135 by specifying that a "request" does not include a complaint under section 165.
Exemplar quote from bill: ...issioner”, in the first 30 place it occurs, insert “under section 165”. 17 In section 94(2)(f) (right of access), after “Commissioner”, in the first place it occurs, insert “under section 165”. 18 35 ...In section 135 (manifestly unfounded or excessive requests by data subjects), after subsection (5) (inserted by section 32 of this Act), insert— “(6) In this section, “request” does not include a complaint under section 165.”... 19 (1) Section 149 (enforcement notices) is amended as follows. Data Protection and Digital Information (No. 2) Bill 169 Schedule 8—Complaints: minor and consequential amendments (2) In subsection (...
- ‼️ Human Rights
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Section 155 (penalty notices)
The bill proposes to amend Section 155 by changing the reference in subsection (1)(a) from "or (5)" to ", (5) or (5A)".
Exemplar quote from bill: ...e of failure is where a controller has failed, or is failing, 5 to comply with section 164A or with regulations under section 164B.” (4) In subsection (6), for “or (5)” substitute “, (5) or (5A)”. 20 ...In section 155 (penalty notices), in subsection (1)(a), for “or (5)” substitute “, (5) or (5A)”.... 21 In section 157 (maximum amount of penalty), after subsection (4) insert— “(4A) In relation to an infringement of section 164A or of regulations 10 under section 164B, the maximum amount of the pen...
- ‼️ Human Rights
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Section 165 (complaints by data subjects)
The bill proposes to amend the heading of Section 165 to specify that complaints by data subjects are directed to the Commissioner.
Exemplar quote from bill: ...) In relation to an infringement of section 164A or of regulations 10 under section 164B, the maximum amount of the penalty that may be imposed by a penalty notice is the standard maximum amount.” 22 ...In section 165 (complaints by data subjects), in the heading, at the end insert “to the Commissioner”.... 23 (1) Section 166 (orders to progress complaints) is amended as follows. 15 (2) In the heading, at the end insert “to the Commissioner”. (3) In subsection (1), omit “or Article 77 of the UK GDPR”. 2...
- ‼️ Human Rights
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Section 166 (orders to progress complaints)
The bill proposes to amend Section 166 by specifying in the heading that orders to progress complaints are directed to the Commissioner and by omitting the reference to "Article 77 of the UK GDPR" in subsection (1).
Exemplar quote from bill: ...f the penalty that may be imposed by a penalty notice is the standard maximum amount.” 22 In section 165 (complaints by data subjects), in the heading, at the end insert “to the Commissioner”. 23 (1) ...Section 166 (orders to progress complaints) is amended as follows. (2) In the heading, at the end insert “to the Commissioner”. (3) In subsection (1), omit “or Article 77 of the UK GDPR”.... 24 Section 187 (representation of data subjects with their authority) is amended as follows. (1) (2) In subsection (1)(a)— 20 (a) for “Articles 77,” substitute “sections 164A and 165 (complaints) ...
- ‼️ Human Rights
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Article 12(5) (information etc to be provided free of charge)
The bill proposes to amend Article 12(5) by adding "Subject to Article 15(3)," at the beginning.
Exemplar quote from bill: ... insert “or tribunals”, and 30 (c) in paragraph 3, for the words from the beginning to “data are” substitute “Paragraph 1 is only disapplied by point (h) of paragraph 2 if the personal data is”. 4 35 ...In Article 12(5) (information etc to be provided free of charge), at the beginning insert “Subject to Article 15(3),”.... 5 In Article 23(1)(h) (restrictions), for “(a)” substitute “(c)”. Data Protection and Digital Information (No. 2) Bill 171 Schedule 9—Data protection: minor amendments 6 In Article 24(3) (responsibi...
- ‼️ Human Rights
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Article 23(1)(h) (restrictions)
The bill proposes to amend Article 23(1)(h) by changing the reference from "(a)" to "(c)".
Exemplar quote from bill: ... is only disapplied by point (h) of paragraph 2 if the personal data is”. 4 35 In Article 12(5) (information etc to be provided free of charge), at the beginning insert “Subject to Article 15(3),”. 5 ...In Article 23(1)(h) (restrictions), for “(a)” substitute “(c)”.... Data Protection and Digital Information (No. 2) Bill 171 Schedule 9—Data protection: minor amendments 6 In Article 24(3) (responsibility of the controller), for “an element by which to demonstrate” ...
- ‼️ Human Rights
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Article 24(3) (responsibility of the controller)
The bill proposes to amend Article 24(3) by changing the phrase "an element by which to demonstrate" to "a means of demonstrating".
Exemplar quote from bill: ...“Subject to Article 15(3),”. 5 In Article 23(1)(h) (restrictions), for “(a)” substitute “(c)”. Data Protection and Digital Information (No. 2) Bill 171 Schedule 9—Data protection: minor amendments 6 ...In Article 24(3) (responsibility of the controller), for “an element by which to demonstrate” substitute “a means of demonstrating”.... 7 In Article 25(3) (data protection by design and by default), for “an element to demonstrate” substitute “a means of demonstrating”. 8 In Article 28(5) (processors), for “an element by which to demo...
- ‼️ Human Rights
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Article 25(3) (data protection by design and by default)
The bill proposes to amend Article 25(3) by changing the phrase "an element to demonstrate" to "a means of demonstrating".
Exemplar quote from bill: ...(No. 2) Bill 171 Schedule 9—Data protection: minor amendments 6 In Article 24(3) (responsibility of the controller), for “an element by which to demonstrate” substitute “a means of demonstrating”. 7 ...In Article 25(3) (data protection by design and by default), for “an element to demonstrate” substitute “a means of demonstrating”.... 8 In Article 28(5) (processors), for “an element by which to demonstrate” 5 substitute “a means of demonstrating”. 9 In Article 32(3) (security of processing), for “an element by which to demonstrate...
- ‼️ Human Rights
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Article 28(5) (processors)
The bill proposes to amend Article 28(5) by changing the phrase "an element by which to demonstrate" to "a means of demonstrating".
Exemplar quote from bill: ...by which to demonstrate” substitute “a means of demonstrating”. 7 In Article 25(3) (data protection by design and by default), for “an element to demonstrate” substitute “a means of demonstrating”. 8 ...In Article 28(5) (processors), for “an element by which to demonstrate” substitute “a means of demonstrating”.... 9 In Article 32(3) (security of processing), for “an element by which to demonstrate” substitute “a means of demonstrating”. 10 In Article 37(1)(a), after “courts” insert “and tribunals”. 11 Omit A...
- ‼️ Human Rights
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Registration Service Act 1953
The bill proposes amendments to the Registration Service Act 1953, specifically sections 10, 12, and 13. These changes involve the removal of certain phrases and the addition of a new provision regarding the determination of equipment or facilities to be provided at offices and stations by the council.
Exemplar quote from bill: ...py or similar form capable of being read with the naked eye.” PART 2 15 AMENDMENTS OF OTHER LEGISLATION Registration Service Act 1953 17 The Registration Service Act 1953 is amended as follows. 18 20 ...In section 10 (district register offices), in subsection (1), omit the words from “, and shall provide” to the end.... 19 In section 12 (provision of register boxes), omit “registrar of births and deaths and”. 20 In section 13 (local schemes of organisation), in subsection (2), after paragraph (b) insert— “(ba) deter...
- ‼️ Bureaucratic Processes
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Public Records Act 1958
The bill proposes an amendment to the Public Records Act 1958, specifically in Schedule 1, to include other records held by the Registrar General of information entered in any register of births or deaths.
Exemplar quote from bill: ... “(ba) determining the equipment or facilities to be provided at 25 those offices and stations by the council for the non-metropolitan county or metropolitan district;”. Public Records Act 1958 21 30 ...In Schedule 1 to the Public Records Act 1958 (definition of public records), in paragraph 2(2)(b), after “adoptions,” insert “or to any other records held by the Registrar General of information entered in any register of births or deaths kept under any such enactment,”.... Data Protection and Digital Information (No. 2) Bill 187 Schedule 11—Registers of births and deaths: minor and consequential amendments Part 2—Amendments of other legislation Social Security Adminis...
- ‼️ Bureaucratic Processes
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Social Security Administration Act 1992
The bill proposes an amendment to the Social Security Administration Act 1992, specifically in section 124, to include a reference to any register of births or deaths kept for the registrar’s sub-district or for a sub-district within the superintendent registrar’s district.
Exemplar quote from bill: ... Digital Information (No. 2) Bill 187 Schedule 11—Registers of births and deaths: minor and consequential amendments Part 2—Amendments of other legislation Social Security Administration Act 1992 22 ...In section 124 of the Social Security Administration Act 1992 (provisions relating to age, death and marriage), after subsection (5) insert—“(6) The reference in subsection (1) above to a register in the custody of a registrar or superintendent registrar includes, in relation to registers of births or deaths kept under the Births and Deaths Registration Act 1953, a reference to any such register kept for the registrar’s sub-district or (as the case may be) for a sub-district within the superintendent registrar’s district; and references in subsection (3) above to the custodian of the register are to be read accordingly.”... Education Act 1996 23 Section 564 of the Education Act 1996 (certificates of birth and registrars’ returns) is amended as follows. (1) (2) In subsection (1), for “the registrar having the custo...
- ‼️ Bureaucratic Processes
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Education Act 1996
The bill proposes amendments to the Education Act 1996, specifically in section 564, to replace references to "the registrar having the custody of the register of births and deaths" with "the relevant registrar for the register". It also redefines "register" and "the relevant registrar".
Exemplar quote from bill: ...ay be) for a sub-district 10 within the superintendent registrar’s district; and references in subsection (3) above to the custodian of the register are to be read accordingly.” Education Act 1996 23 ...Section 564 of the Education Act 1996 (certificates of birth and registrars’ returns) is amended as follows.... (1) (2) In subsection (1), for “the registrar having the custody of the register of 15 births and deaths” substitute “the relevant registrar for the register”. (3) In subsection (3)— (a) for “A regis...
- ‼️ Education
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Adoption and Children Act 2002
The bill proposes an amendment to the Adoption and Children Act 2002, specifically in section 78, to replace "certified copies" with "registers".
Exemplar quote from bill: ...rotection and Digital Information (No. 2) Bill Schedule 11—Registers of births and deaths: minor and consequential amendments Part 2—Amendments of other legislation Adoption and Children Act 2002 24 ...In section 78 of the Adoption and Children Act 2002 (Adopted Children Register: searches and copies), in subsection (4)—(a) in paragraph (a), omit “certified copies of”; (b) in paragraph (b), for “certified copies” (in the second place it occurs) substitute “registers”.... Gender Recognition Act 2004 25 The Gender Recognition Act 2004 is amended as follows. 26 (1) Section 10 (registration) is amended as follows. (2) In subsection (2), omit the “or” after paragraph (...
- ‼️ Family and Children
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Gender Recognition Act 2004
The bill proposes amendments to the Gender Recognition Act 2004, specifically in section 10 and Part 1 of Schedule 3, to include an entry in a register kept under section 1 of the Births and Deaths Registration Act 1953 and to redefine "The appropriate Registrar General".
Exemplar quote from bill: ...subsection (4)— (a) in paragraph (a), omit “certified copies of”; (b) in paragraph (b), for “certified copies” (in the second place it occurs) 5 substitute “registers”. Gender Recognition Act 2004 25 ...The Gender Recognition Act 2004 is amended as follows.... 26 (1) Section 10 (registration) is amended as follows. (2) In subsection (2), omit the “or” after paragraph (a) and after paragraph (b) 10 insert “, or (c) an entry in a register kept under section ...
- ‼️ Gender and Sexuality
(Variously affected)
- ⚫ Notable
- Impact: 🔵🔵 Moderate
- Type: amendment
Presumption of Death Act 2013
The bill proposes an amendment to the Presumption of Death Act 2013, specifically in Schedule 1, to include the index kept in the General Register Office of such entries.
Exemplar quote from bill: ...r General for Northern Ireland.” 27 In Part 1 of Schedule 3 (registration: England and Wales), in paragraphs 5(3) and 8(2), for “or (b)” substitute “, (b) or (c)”. Presumption of Death Act 2013 28 ...In Schedule 1 to the Presumption of Death Act 2013 (Register of Presumed Deaths), in paragraph 7 (interpretation)—(a) after “means” insert “— (a)”; (b) at the end insert “, or (b) the index kept in the General Register Office of such entries.”...es.” Data Protection and Digital Information (No. 2) Bill 189 Schedule 11—Registers of births and deaths: minor and consequential amendments Part 2—Amendments of other legislation SCHEDULE 12 Section...
- ‼️ Bureaucratic Processes
(Variously affected)
- ⚫ Notable
- Impact: 🔵 Minor
- Type: amendment
Technical and organisational measures
The bill proposes to amend the language around the responsibility of the controller, replacing "appropriate technical and organisational measures" with "appropriate measures, including technical and organisational measures".
Exemplar quote from bill: ...dule 3 contains amendments consequential on this section. Obligations of controllers and processors 12 General obligations (1) The UK GDPR is amended in accordance with subsections (2) to (4). (2) ...In Article 24(1) (responsibility of the controller), for “appropriate technical and organisational measures” substitute “appropriate measures, including technical and organisational measures,”.... (3) In Article 25 (data protection by design and by default)— (a) in paragraph 1, for “appropriate technical and organisational measures” substitute “appropriate measures, including technical and ...
- ‼️ Digital Privacy
The proposed change could potentially broaden the scope of measures that controllers are required to take to protect data, although the impact is likely to be minor.
That's everything!
Remember: This document is not guaranteed to reflect the content of the bill, and may be entirely inaccurate in its summaries. This is an experimental analysis. Read the bill itself on the official parliament bills website: https://bills.parliament.uk/bills/3430