Data Protection and Digital Information (No 2) Bill: a second attempt at data protection reform

Alistair Sloan, Advocate

In the summer of 2022, the then Secretary of State for Digital, Culture, Media and Sport, Nadine Dorries MP, introduced the Data Protection and Digital Information Bill into the House of Commons. That Bill proposed various changes to the UK GDPR and the Data Protection Act 2018. The Bill had its first reading in the House of Commons and shortly before its scheduled second reading, it was dropped from the parliamentary calendar and further consultation with business was announced. Nothing further happened with the Bill until last month when it was formally withdrawn and the Secretary of State for Science, Innovation and Technology, Michelle Donelan MP, introduced the (imaginatively named) Data Protection and Digital Information (No 2) Bill. This piece will briefly consider some of the data protection reforms proposed in the second Bill.

The Information Commissioner

One of the most significant proposed changes is to abolish the office of Information Commissioner and replace it with a new body to be called the Information Commission. As things currently stand the Information Commissioner is the regulator for data protection across the whole of the United Kingdom; he also has responsibility for regulating and enforcing other legislation in the field of information law. The model of having a single office holder as the regulator for data protection (supported by staff and other officers appointed by them) has existed since the Data Protection Act 1984 created the Data Protection Registrar. That office has, over the decades, morphed into the current office of Information Commissioner. However, the government considers that the model which has operated thus far is no longer appropriate for such a large regulator with functions across a number of areas.

The new Commission would inherit the functions and powers of the Information Commissioner so functionally not much would change beyond who was exercising those functions. However, some other aspects of the Bill have caused concern about the future independence of the Commissioner and, in due course, the Commission.

The Chair of the Commission would be appointed by the King on the advice of the Secretary of State (as is currently the case for the Information Commissioner), but other members of the Board would be appointed by the Secretary of State. The Chief Executive would be appointed by the non-executive members of the Commission (which would include the Chair) but must consult with the Secretary of State before doing so.

Clause 28 of the Bill proposes introducing a new section 120E into the Data Protection Act 2018 which would empower the Secretary of State to issue a statement of priorities in relation to data protection. The Commissioner (and later, the Commission) would be required to have regard to that statement of priorities when carrying out their functions. There is a degree of concern that these provisions would impinge upon the independence of the regulator. However, the duty to have regard to the statement of priorities would not apply to the carrying out of functions in relation to a particular person, case or investigation. This suggests that the regulator would continue to be entirely independent from the Executive in the carrying out of their investigatory and enforcement functions. These provisions could raise some difficulties in relation to the adequacy decision by the European Union in respect of the United Kingdom; that is certainly an area to keep under review as it could have a negative impact upon data flows between the United Kingdom and the European Union.

Interview Notices

Clause 36 of the Bill proposes introducing a new section 148A into the Data Protection Act 2018. This would give the Information Commissioner the power to issue an “Interview Notice”. This power would enable the regulator to require a person to attend an interview in the circumstances outlined in the proposed section 148A(1); this includes where the Commissioner suspects that a criminal offence has been committed.

It would be possible to appeal the notice to the First-Tier Tribunal and as such the date and time of the interview cannot be before the expiry of the period in which an appeal may be made. There would be no requirement to comply with the notice until any appeal against it had been determined or withdrawn.

It will be a criminal offence, in responding to such a notice, to make a false statement knowingly or recklessly in a material respect. However, other than in relation to the offence of making false statements, any statement made in response to an interview notice would not be admissible in criminal proceedings brought against that person for offences under the Data Protection Act 2018 unless (i) in giving evidence at trial the individual states something that is inconsistent with the earlier statement; or (ii) it is introduced or adduced by the individual or on their behalf.

There would be other protections, for example, against self-incrimination and in relation to material covered by legal privilege.

Direct Marketing

Spam texts and E-mails and nuisance telephone calls for the purposes of direct marketing is a matter of public concern and an area in which the Information Commissioner remains active in terms of enforcement. The Bill proposes several changes in this area.

Direct Marketing is principally regulated by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). There is currently no definition of direct marketing within PECR; instead, it is necessary to look to the Data Protection Act 2018 for the definition. Clause 81 of the Bill proposes introducing a definition of direct marketing into PECR; it is the same definition as is currently provided for within the Data Protection Act 2018 so it changes nothing in substance but will make PECR more readable.

So-called “non-commercial organisations” would be able to rely upon what has come to be known as the “soft opt-in” for the purposes of being able to undertake direct marketing. It would apply to organisations which have charitable, political or non-commercial objectives, enabling them to undertake direct marketing to further their objectives using personal data collected from people who have expressed an interest in or provided support for their objectives.

The Bill proposes that the Secretary of State will be able to make Regulations exempting marketing communications for the purposes of political engagement from the direct marketing provisions, provided that they are not directed at children under the age of 14.

The enforcement provisions for PECR will become linked to the enforcement powers within the Data Protection Act 2018. Currently, the Commissioner’s enforcement powers in relation to PECR are linked to the Data Protection Act 1998, which has been repealed other than to the extent it has been saved for the purposes of enforcing PECR. This will see the potential financial penalties for breaches of PECR increase from the present maximum of £500,000 to the same as those under the UK GDPR (£17,500,000 or 4% for global turnover, whichever is greater).

The Bill also introduces a new obligation on electronic communications network providers to notify the Information Commissioner of “any reasonable grounds” that they have for suspecting that a person is contravening or has contravened the direct marketing rules. There will be penalties for non-compliance. What “reasonable grounds” means is unclear, but the Explanatory Notes accompanying the Bill suggest that interception or examination of the content of communications won’t be necessary for compliance.

Record keeping

Article 30 of the UK GDPR, which makes provision for ‘Records of Processing Activities’ is going and will be replaced with a new Article 30A. Controllers and processers will be exempt from a need to keep records of processing “unless taking into account the nature, scope, context and purposes of the processing, it is likely to result in a high risk to the rights and freedoms of individuals.” Section 61 of the Data Protection Act 2018 is also going and will be replaced by a new section 61A on records of processing activities in the context of law enforcement processing.

Legitimate Interests

The first iteration of the Bill proposed that businesses could rely upon the legitimate interests ground of processing, without the need to conduct a balancing exercise between the legitimate interests and the rights and freedom of data subjects, where the legitimate interests in question were “recognised”. These recognised legitimate interests would be:

  • national security, public security and defence
  • emergencies
  • crime
  • safeguarding vulnerable individuals
  • democratic engagement

The new iteration of the Bill maintains this position; however, it goes on to provide examples of situations where the legitimate interests ground of processing might be an appropriate lawful basis for processing personal data. These examples are not part of the “recognised legitimate interests” and so a legitimate interests assessment would still be required. It would seem to be the intention that this provision is designed to try and clear up some of the misunderstanding around the legitimate interests ground of processing.

Complaints by Data Subjects

The Bill also introduces a new right for a data subject to complain to the controller about the processing of their personal data. Data subjects have always been able to make such complaints, but the law will now require the controller to deal with such complaints and to facilitate them. Furthermore, the Commissioner may refuse to accept a complaint by a data subject about a controller’s processing where no such complaint has been made to the controller first and it is less than 45 days since the complaint was made. The Bill also proposes giving powers to the Secretary of State to require controllers to inform the Commissioner of the number of complaints they have received from data subjects.

The Commissioner will also be able to refuse to deal with a complaint made by a data subject where the complaint is vexatious or excessive. There will exist a right of appeal to the First-Tier Tribunal against any refusal by the Commissioner to deal with a complaint made to him by a data subject. The requirement to complain to the controller would only apply before making a complaint to the Commissioner, it will not, as a matter of law, be a gateway to raising court proceedings for compensation or a compliance order.

Personal Data

The definition of personal data will be slightly narrowed so as to limit the assessment of identifiability to the controller or processor or anyone likely to receive the information. As the definition is drafted it means that if anyone anywhere in the world could identify the data subject then it is caught.

The Bill is still in the early days of its journey through parliament and there will be plenty of opportunities for amendments to be proposed (and made) to the Bill before it completes that journey; however, the Department of Science, Innovation and Technology does not expect much in the way of amendment to the Bill. Some of the proposals within the Bill are significant while others are much more mundane in nature and are ones which the government hopes will make some aspects of the data protection framework clearer to businesses.


Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.

Briefing Paper on the Convention-compatibility of new pre-trial defence disclosure regime

Lewis Kennedy, Advocate.

Defence Statements under section 70A of the Criminal Procedure (Scotland) Act 1995:


Defence statements are now a statutory requirement in respect of solemn cases commenced after 6 June 2011[1], under section 70A in the Criminal Procedure (Scotland) Act 1995 (as inserted by section 124 of the Criminal Justice and Licensing (Scotland) Act 2010).

It is a matter of some concern that these provisions constitute an erosion of the common law adversarial system. In recent years, there has been a perceptible movement away from the traditional adversarial model towards a more inquisitorial form of trial – with the judicial micro-management of cases dressed up with the antiseptic label of ‘case management’. A culture has emerged subordinating procedure to substance. With this new regime, there is an increased risk that the judge might enter the arena too enthusiastically, acting as an advocate and second prosecutor – such that the impartial administration of justice might appear to be prejudiced.

In England, the correlating legislation could at least be said to have been directed towards assisting in the operation of a more sophisticated and regulated disclosure regime. Here, the equivalent legislation has no stated purpose. Certainly, there is no indication as to the rationale behind this legislation in the Explanatory Notes in the Criminal Justice and Licensing (Scotland) Act 2010.

This paper considers whether the requirement for an accused person to lodge a ‘defence statement’ is in breach of general fair hearing requirements (as guaranteed by Article 6(1), ECHR); the Convention right to ‘equality of arms’, in the regulation of respective disclosure requirements for the Crown and defence (under Article 6(1) and Article 6(3)(b)); the Convention right to a presumption of innocence, the right to silence and the privilege against self-incrimination (in terms of Article 6(2)); and the right to legal professional privilege in the conduct of an accused’s defence at trial (under Article 6(3)(c)).

If so, it could be argued that these newly enacted provisions are ultra vires – in so far that this legislation has exceeded the legislative competence of the Scottish Parliament – thereby precipitating a ‘Devolution Issue’ Minute.

The information required:

Section 70A(9) provides as follows:-

‘(9) In this section, “defence statement” means a statement setting out-

the nature of the accused’s defence, including any particular defences on which the accused intends to rely,

any matters of fact on which the accused takes issue with the prosecution and the reason for doing so,

particulars of the matters of fact on which the accused intends to rely for the purposes of the accused’s defence,

any point of law which the accused wishes to take and any authority on which the accused intends to rely for that purpose,

by reference to the accused’s defence, the nature of any information that the accused requires the prosecutor to disclose, and

the reasons why the accused considers that disclosure by the prosecutor of any such information is necessary.’

It can be seen that there is an obligation upon the defence to include a considerable degree of information – in particular, any matters of fact with which the accused takes issue in the prosecution case, and his reasons for doing so (paragraph (b)); and particulars of the matters of fact on which the accused intends to rely for the purposes of his defence (paragraph (c)).

Indeed, the defence must give notice of any issues, which may be in dispute – implying that the defence must subsequently obtain leave of the Court to argue issues, which have not previously been identified in the defence statement.

Depending on what is said in the defence statement, further disclosure of prosecution material, which is relevant to the stated defence, may be triggered.

The relevant form is prescribed by the Act of Adjournal (Criminal Procedure Rules Amendment No. 4) (Disclosure) 2011, which provides (7A.2.) that the ‘defence statement’ lodged under section 70A shall be in Form 7A.2-A. The form requires to be served upon the Crown and any co-accused.

The time limit for compliance is extremely short – the form must be lodged at least 14 days before the First Diet in Sheriff and Jury proceedings; and the Preliminary Hearing in High Court proceedings.

Unsurprisingly, the provisions do not impose any corresponding obligation upon the Crown. It is not as if the prosecution is required to supply a ‘case statement’ – or if the Court has been empowered with a discretion to order production of a case statement’ by the Crown.

Sanctions for non-compliance:

On the basis of the English experience, it would appear that it is not open to the defence lawyer to advise his client not to file a ‘defence statement’.

However, though the statutory obligation is mandatory, there do not appear to be any identified sanctions for non-compliance in terms of the Scottish legislative scheme.

Nonetheless, the very real risk is that an accused might be left open to cross-examination, and adverse comment from the Crown; a co-accused’s lawyer; and the trial Sheriff.

It is not immediately apparent from the wording of the Scottish statute that the Court might draw adverse inferences from non-compliance – but equally, this prospect is not expressly excluded. It would appear that on the basis of the relevant English interpretative case law, whether or not adverse comment is permitted is a matter for the Court’s discretion.

Failure to comply could even be regarded as an obstruction of justice and/or a Contempt of Court.

Meanwhile, an accused person could conceivably be prosecuted for making a false exculpatory ‘defence statement’. As a condition of defending himself the accused risks a perjury prosecution.

It is a matter of particular concern that the defence lawyer even could be found in Contempt of Court if he has failed, without reasonable excuse, to comply with this mandatory requirement.

The ‘errant’ or non-compliant lawyer could also be the subject of a disciplinary complaint to his regulatory body. Or to the Scottish Legal Aid Board (with the implied threat of de-registration and an ensuing loss of livelihood). [10] It is not know whether it is seriously being suggested that the Court is not just to try a case, but is to discipline parties for the conduct of their cases.

Possible aggravating factor in sentence:

Perhaps more practically, it is likely that the failure of the accused (or of his lawyer acting on his instructions) to comply would be regarded as an aggravating factor in sentencing in the event of conviction.

Notifying all elements of the offence as being in dispute would almost certainly be held against the accused. As would giving notice that all issues are in dispute, without identifying the particular issues in dispute. Or a failure to notify adequately the issues in dispute; or even by maintaining that some issues remains in dispute. Even the existence of a single outstanding disputed issue might subsequently test the patience of certain sentencers.

Download PDF

Lewis Kennedy, Advocate

We should always be wary of euphemistic language. We should remember to speak of the Police Office – and not the Police Station – because a Police Station is an intimidating and sinister venue. We used to deal with the Police Force – and not the Police Service. Equally, the solicitor is not participating in a mere ‘interview’ of his client. This is not some perfunctory business meeting – but a ‘custodial interrogation’ of a detainee (to apply the phraseology of the European Court) in a criminal trial process, which is necessarily adversarial in character. As such, these can be occasionally hostile and aggressive encounters.

So, what exactly is the difference between a police interview and a police interrogation? In one word: everything. An interview is a fact-gathering contact. An interrogation is what the police do when your client is their suspect and their purpose is to extract an incriminating statement from him, which can then be used to convict him.

To the detainee, the whole interaction with the police correlates to his first day of trial; and the laying of a criminal charge, which is akin to a preliminary determination of guilt. The investigative stage of the criminal process involves an intimidating environment with accusatory features. All steps taken during this stage have an impact on the suspect’s defence.

It should be remembered that the police are allowed to employ trickery, lies, and threats of certain kinds, promises and other forms of deception and psychological manipulation, in order to get suspects to waive their right to legal representation and to admit their crimes. In practice, the interrogation room is often imbued with an atmosphere of implied violence and physical coercion – none of which would be permitted in the courtroom context.

Each police officer understands the enormous difference between, on the one hand, a police-station interrogation of an unrepresented, unprepared and frightened suspect – and, on the other hand, the formal questioning of a ‘lawyered-up’, well-prepared suspect. In the eyes of the police, the latter is no substitute for the former. Cops want to solve crimes in real time. They want to find the body while it is still warm – or, even better, still alive. They understand that confessions offered under the pressure of police interrogation may be faulty, but the physical evidence to which they may lead will often be self-proving and crime solving.

Police investigators will thus have considerable incentives to interrogate vulnerable suspects, especially if they can use the fruits of such interrogations to do their crime-solving jobs – an entirely different remit from the prosecutor who can only seek conviction at trial with admissible evidence.

Accordingly, safeguarding suspects’ rights in a substantial and effective manner can demand real commitment from the defence solicitor.

The purpose of this paper is to address the following issues:

What exactly is the solicitor’s purpose in attending on his client in police custody; the limitations of providing only telephone advice; special considerations in respect of the vulnerable or mentally disturbed suspect; consideration of whether detainee waiver of the right to legal representation has been legitimate; the pre-conditions, which the solicitor should insist upon, particularly by way of pre-interview disclosure; whether the police should even be questioning the ‘chargeable suspect’; how the solicitor should deal with oppressive and objectionable police questioning or obstructive police conduct; whether absolute silence is truly the best policy; immunity; compulsory questioning under section 172 of the Road Traffic Act; the taking of forensic samples; whether the solicitor might even challenge a Search Warrant application, hitherto an exclusively ex parte affair, since any such hearing now coincides with his representation of his client; and how to deal with the refractory client who is determined to talk in defiance of legal advice.

Download PDF

Alice Whitefield v P.F. Portree [2012] HCJAC 70

Determination by the court on the forfeiture of a vehicle following a conviction for failing to provide a specimin of breath. The court held that forfeiture was excessive in the circumstances and the order was quashed.

Hector MacLennan v HMA [2012] HCJAC 94

Lewis Kennedy, Advocate


The polygraph and Luke Mitchell – gimmick or overlooked forensic tool?

Download PDF

Articles & Cases