Paul Tang, a Member of the European Parliament, has raised concerns about the UK’s new Data Protection and Digital Information Bill (DPDI) and its potential to undermine elements of the GDPR.

Tang’s recent letter states that the proposed UK bill might weaken the GDPR’s protection for EU citizens and could potentially violate the EU-UK Trade and Cooperation Agreement. The agreement, established in 2019, guarantees the smooth flow of data between the EU and UK.

Last year it was reported how Westminster’s plan to replace its version of the GDPR turned heads in Brussels, largely due to its potential to affect the EU-UK data adequacy agreement.

There are now concerns that the proposed changes might allow EU citizens’ data to be shared with third parties who do not meet the EU’s strict data protection standards.

“Not only is it eliminating the Biometrics and Surveillance Camera Commissioner, but it also allows indefinite retention of certain biometric data by UK law enforcement”, Tang said regarding the bill in his note to the Commission.

“The DPDI undermines safeguards set by the European Court of Human Rights, potentially jeopardising law enforcement cooperation frameworks like Prüm II and the Law Enforcement Directive”, he continued.

Put forward in December 2021, the EU Commission’s “Prüm II” proposes to update the current Prüm Framework for enhanced police cooperation. This initiative seeks to streamline cross-border criminal investigations through automated data exchange.

Tang’s first question to the EU Commission was:

“Has the Commission considered the consequences that these provisions may have on law enforcement cooperation between the EU and the UK, for instance, within the Prüm I and Prüm II Framework or against the UK adequacy decision adopted under the Law Enforcement Directive?”

The MEP asked whether or not the Commission had weighed up the potential consequences of the DPDI on the safeguarding of EU citizens biometric data under the GDPR, and how well these protective measures sit with the European Court of Human Rights (ECtHR) ruling in S and Marper vs. UK. The case established the existence of a breach of privacy rights (as per the European Convention on Human Rights) in the event of holding DNA data of individuals who were arrested but who were then acquitted or who had charges against them dropped.

Tang also asked:

“Does the Commission intend to annul the adequacy decision granting a free data flow between the EU and the UK once this bill is adopted?”

In a recent debate, UK MPs discussed anxieties raised by British companies and researchers over the possible threat to data adequacy posed by the bill. Julia Lopez, Minister of State for the Department of Culture, Media, and Sport, stated that the UK had maintained constant communication with the Commission during the bill’s development.

The Head of UK affairs at the 5Rights Foundation, said:


“We are worried about changes to fundamental principles, including the meaning of personal data, uses of data for scientific research and impact assessments.” 

“We are extremely concerned about the status of the Age Appropriate Design code and children’s personal data.


“Although the major loss will be felt to those residing in the UK, given the huge amount of people, commerce and data that flows between the EU and the UK any change to the UK regime will always impact EU citizens,”

the 5Rights Foundation continued.

Know the risks

As the UK prepares for the new version of the Data Protection and Digital Information Bill, businesses and data practitioners need to stay on top of how the new laws stand to impact the way organisations handle personal information of citizens in Britain and abroad.

The topic falls into focus next month at PrivSec & GRC Connect London where experts will debate the risks and obligations that come with the new legislation.


Not to be missed at PrivSec & GRC Connect London

UK Data Protection Bill No.2 – What has changed?

Theatre: Privacy & Security (P&S)

Time: 10:00 – 10:40am GMT

Date: Tuesday 12 March 2024 (Day 1)

On 8 March 2023, the UK government presented a new version of the UK Data Protection and Digital Information Bill. As with the previous bill, the new bill aims to alleviate the burden of compliance with the UK GDPR and its implementing UK Data Protection Act (2018) for organisations based in the UK, or trading with the UK.

So, what are the main proposed changes, and how will organisations be affected?

On the panel:

  • Alexandra Khammud, Senior Project Manager - Data Protection, Privacy, Information Security, Activision Blizzard (Panel Moderator)
  • Henry Davies, Data Protection Lead, Likewize
  • Lorraine Pintér, Group Privacy Manager, Vodafone
  • Joseph Byrne, Principal Solutions Engineer, FIP, CIPP/E, CIPM, CIPT, GRCP

UK Data Protection Bill No.2 – What has changed? is just one of the exclusive sessions taking place at PrivSec & GRC Connect London taking place March 12 and 13, 2024.

Click here to see the full agenda

Discover more at PrivSec & GRC Connect London

GRC, Data Protection, Security and Privacy professionals face ongoing challenges to help mitigate risk, comply with regulations, and help achieve their business objectives - they must…

  • Continually adopt new technologies to improve efficiency and effectiveness.
  • Build a culture of compliance and risk awareness throughout the organisation.
  • Communicate effectively with stakeholders and keep them informed of GRC activities.

PrivSec & GRC Connect London takes you to the heart of the key issues, bringing together the most influential GRC, Data Protection, Privacy and Security professionals, to present, debate, learn and exchange ideas.

Click here to register for free to PrivSec & GRC Connect London