New development: DPDI Bill fails to become law

The Data Protection and Digital Information Bill (DPDIB), the proposal for post-Brexit data protection laws in the UK, did not pass through Parliament before its dissolution on 24 May 2024 ahead of the general election on 4 July 2024. This means that the DPDIB has failed to become law and any proposals for data reform in the UK will largely need to start afresh in the new Parliament.

The data protection framework in the UK therefore remains based on the EU General Data Protection Regulation as it forms part of retained EU law in the UK (UK GDPR) and the UK Data Protection Act 2018 (DPA). Rather than entirely reconceiving data protection laws in the UK, the DPDIB contained provisions that amended the UK GDPR and DPA, including the following:

• a new accountability regime, by which the concept of data protection officers was replaced with that of a “senior responsible individual” within an organisation’s senior management
• allowing a controller to refuse, or charge for, a response to a data subject access request under broader circumstances
• varying the definition of “personal data”, to potentially make this narrower than the current definition
• defining a list of recognised “legitimate interests” that do not require a balancing test to be performed.

It is, as yet, unclear whether the new Labour Government will resurrect the DPDIB, either as drafted or in a changed format. For our coverage of the bill in its earlier draft forms, see our Autumn 2022 edition of Snapshots (which can be found here).

Summer 2024