The UK's draft Data (Use and Access) Bill (DUA Bill) was published in the House of Lords on 23 October 2024. It replaces the Data Protection and Digital Information Bill (DPDI Bill) which failed to pass before the July general election. Much of the DUA Bill's content will be familiar to those who had worked their way through the iterations of the DPDI Bill but there are some notable differences. Here we look at the reforms to the governance, duties and powers of the UK's Data Protection Authority, currently known as the Information Commissioner's Office (ICO), in relation to its role as regulator, in particular under the UK GDPR and the Data Protection Act 2018 (DPA).
What's in a name?
The DUA Bill will abolish the ICO and replace it with a new Information Commission (IC) with a board. The functions of the Information Commissioner are transferred to the IC. References in legislation to the Information Commissioner, including in the DUA Bill itself, are to be treated as references to the IC.
The IC will consist of between 3 and 14 executive and non-executive members, although this number can be amended by the Secretary of State (SoS). The SoS must ensure as far as possible that the number of non-executive members is at all times greater than the number of executive members. Non-executive members are appointed for terms of up to seven years, renewable by up to seven years. Executive members are employees of the IC and are employed on terms determined by the non-executive members.
The Information Commissioner's role becomes that of Chair of the IC (a non-executive role). The Information Commissioner in post when the DUA Bill becomes law will be appointed as the first Chair of the IC until their current term as Commissioner expires. Chairs are appointed for terms of seven years, renewable by up to seven years. Other non-executive members are appointed by the SoS following consultation with the Chair.
The Chair, in consultation with the SoS, will appoint the first chief executive (the interim chief executive) of the IC for a term of not more than two years, extendable by up to two years. Thereafter, the chief executive will be appointed by the non-executive members following consultation with the SoS. Other executive members are appointed by the non-executive members.
Members must be selected on merit on the basis of fair and open competition and must be able to demonstrate that they do not have any conflict of interest. All IC roles are paid. Members can be removed by the SoS under specified circumstances, including serious misconduct and conflict of interest.
The IC may appoint employees and may delegate any of its functions to a member or employee of the Commission or to a committee of the Commission.
The IC's role
One of the most controversial clauses in the DPDI Bill was clause 32 (in the last version before the Bill failed). This gave the SoS the power to produce a designated statement of priorities which the IC would be required to take into account when carrying out its duties. There was also concern about the SoS's role in approving new codes of practice required in relation to some of the proposed changes to the accountability regime. There were fears that this would weaken the IC's independence and potentially even jeopardise the EU adequacy decision as a result.
These provisions have gone, although throughout the legislation the SoS retains considerable discretion (not least in relation to adequacy arrangements with third countries and the appointment of the Chair of the IC). In addition, under s120B DUA Bill, the IC is still required to take certain factors into consideration when exercising its functions. These include: promoting innovation and competition; the prevention, investigation, detection and prosecution of crimes; public and national security; and the fact that children may be less aware of the risks and consequences of personal data processing and of how to exercise their rights.
The current ICO has demonstrated its awareness of the potential vulnerability of children, and it has both stated and demonstrated that it is a pragmatic regulator; there is no reason to expect this to change. Whether this approach will be sufficient to satisfy the requirements of s120B, and what might happen were the IC not to take these issues into account, is somewhat unclear. Potentially, the SoS could dismiss the Chair and other members in an extreme situation.
Duties and powers under UK GDPR and DPA18
There are a number of changes made to the UK GDPR and the DPA relating to the IC's duties and enforcement powers.
In addition to the new duties to promote certain policy goals mentioned above, changes to duties include:
- A new duty to promote public trust and confidence in the processing of personal data
- A requirement to prepare a strategy for carrying out new s120B functions, to prepare reports on them and to consult other regulators
- A requirement to produce codes of practice on additional issues where required to do so by secondary legislation and specifications as to how to do that, including by setting up panels to consider the codes and publishing impact assessments on key regulatory products and interventions
- Clarifications on the right to charge for manifestly unfounded requests made under the DPA or UK GDPR
- A requirement to publish an analysis of the IC's performance against KPIs at least annually and to publish an annual report on regulatory action containing specified information.
New or clarified powers under the UK GDPR and/or DPA include:
- Provision to allow the ICO to send notices electronically without prior consent
- Clarification that the power to require information includes the power to require documents
- The power to use an approved person to complete a report
- A new power to issue interview notices to controllers or processors under certain circumstances
- Clarification of wording in the DPA around issuing penalty notices
For changes to the IC's role and powers in relation to the Privacy and Electronic Communications Regulations (PECR) see here.
What does the ICO think about this?
Shortly after the DUA Bill's publication, the ICO published its response. The ICO is broadly positive, in particular about the issues covered beyond data protection reform like information standards for health and social care, open data, and digital ID verification.
In response to the data protection reforms, the ICO welcomes the government's recognition of stakeholder concerns around the previous requirement in the DPDI Bill on the ICO to take into account the SoS's statements of priority. It is also pleased the government took on board its recommendation that the Chair and board rather than the SoS appoint the chief executive.
The ICO welcomes the strengthening of its enforcement powers, more so in relation to PECR than to the UK GDPR and DPA. It also welcomes the updated regulatory toolkit and the ability to serve legal notices on controllers electronically without their prior consent, something it sees as particularly helpful when enforcing against overseas organisations.
The ICO sees the changes to the way it operates as bringing it in line with comparable regulators and says: "in my view, our refreshed governance arrangements will maintain our independence and enhance our accountability… Having an independent regulator that is properly accountable to Parliament, is vital for a data protection regime to function properly. It is also key to maintaining the UK's adequacy status from the EU, which we know is a priority for so many of our stakeholders".
What next?
The DUA Bill is expected to have a relatively smooth passage through Parliament and was introduced in the Lords to facilitate this. As much of the Bill has already been debated in similar form, and some of the DPDI Bill's more controversial provisions have been removed, it would be surprising if the DUA Bill did not pass in very similar form to that in which it was presented.
While the ICO may be changing to the IC and there are some changes to powers and duties, we do not expect to see a significantly different approach to regulating and enforcing data protection law in the UK as a result.