Personal data rights in the Data Protection and Digital Information Bill

Published: 20 March 2024

What is the Data Protection and Digital Information Bill?

The Data Protection and Digital Information Bill (the Bill) progresses through Parliament this week. The Bill proposes changes to the UK’s General Data Protection Regulations (UK GDPR). UK GDPR sets out rules and principles for organisations using personal data. At the same time as proposing these changes, the Government has set out its five principles for regulating Artificial Intelligence (AI). These are:

  • safety, security and robustness
  • appropriate transparency and explainability
  • fairness
  • accountability and governance
  • contestability and redress

Many AI systems rely on huge amounts of personal data. Increasingly, these systems are being used to make and inform decisions about us. Without sufficient safeguards, this could result in discrimination.

The Bill could be used to strengthen UK GDPR and ensure it aligns with the Government’s principles for responsible AI. Some of the proposals in the Bill do not currently do this. The changes could favour data processors and risk breaching our rights to privacy and non-discrimination. We therefore urge caution in making changes to the safeguards that exist in UK GDPR.

What would the impact of the Bill be?

The Bill makes multiple changes to individual data rights. Taken together, these amount to a significant reduction in rights, especially in the context of the use of AI and personal data.

For example, the Bill makes changes to Subject Access Requests, which allow people to know what information an organisation holds about them. They are an important way for people to exercise their rights to privacy and non-discrimination. The Bill makes it harder for people to do this, limiting the ability to for people to know what personal data an organisation holds and how it has been used. Without this information it is very difficult to challenge instances where personal data has been used unlawfully.

The Bill also makes changes to automated decision-making, meaning that AI can be used to make significant decisions about people. This could increase the risk of discrimination if, for example, the data used to make these decisions contains biases. We are concerned that it will have a disproportionate impact on people with particular protected characteristics. We believe that meaningful human involvement in these decisions is vital to protect against these risks. 

The Bill also removes the requirement for organisations to do a Data Protection Impact Assessment (DPIA) when they use personal data in a high-risk way, such as in AI systems. A DPIA is a process that organisations use to identify and prevent risks that may result from using this data, including impacts on equality. Instead, organisations will need to do a less robust assessment, which increases the risk of discrimination.  

Why are we concerned?

Overall, we are concerned about the impact these changes will have on people’s data rights, particularly as the use of AI systems and algorithmic decision-making increases in the UK. We have published detailed advice for the House of Lords, highlighting the impact of the proposed changes on equality and privacy rights. As technology and data processing develops rapidly, it is critical that everyone's data is collected and used fairly and responsibly.