In response to a call for evidence by the Joint Committee on Human Rights, we set out how the Data Protection and Digital Information Bill (No. 2) poses significant threats to individual rights and already marginalised groups – and how we can mitigate them.

Read our evidence submission

The changes envisaged by the Bill will have serious implications for data subjects’ rights.

By lowering the threshold at which a subject access request may be refused, the Bill creates a risk of systemic breaches of data subjects’ article 8 rights.

The Bill reverses the presumption that solely automated decisions cannot be made about a person where the decision has legal or similarly significant effects, and allows solely automated decisions in all contexts except where special category data is used. These changes could lead to serious and discriminatory effects on people’s lives, including disproportionate impacts on marginalised groups, with implications under article 14 ECHR.

The Bill requires significantly less information to be provided when undertaking Data Protection Impact Assessments, which will make establishing discrimination more difficult.

To combat these risks, we recommend that:

  • The current prohibition on solely automated decision-making under Article 22 is preserved, rather than narrowed.
  • The Secretary of State’s power under the Bill to vary the safeguards in Clause 11 should be replaced with a power only to add safeguards.
  • Legislation is needed to broaden the application of safeguards, so that they are required in circumstances in which automated decision-making (ADM) plays a significant role in decision-making but there is human review (and the decision is therefore not solely ADM). This must include requirements for transparency about the use of ADM, how the system works, and the role it plays in decision-making.
  • The proposed changes to DPIAs under Clause 17 of the Bill should not be pursued; existing, more detailed requirements should be retained.
