On 23rd October 2024, the Labour Government introduced into Parliament the Data Use and Access Bill. The Bill was highlighted in the King’s Speech in July (under its old name of the “Digital Information and Smart Data Bill”) where His Majesty announced that there would be “targeted reforms to some data laws that will maintain high standards of protection but where there is currently a lack of clarity impeding the safe development and deployment of some new technologies.” However, this statement of intent does not match the reality; many of the Bill’s core provisions are a “cut and paste” of the Data Protection and Digital Information Bill (DP Bill), which failed to pass before last year’s snap General Election.
Key Provisions
Let’s examine the key provisions of the new Bill against those in the DP Bill.
Smart Data: The new Bill retains the provisions from the DP Bill that will enable the creation of a legal framework for Smart Data. This involves companies securely sharing customer data, upon the customer’s (business or consumer) request, with authorised third-party providers (ATPs) who can enhance the customer data with broader, contextual ‘business’ data. These ATPs will provide the customer with innovative services to improve decision making and engagement in a market. Open Banking is the only current example of a regime that is comparable to a ‘Smart Data scheme’.
The new Bill will give such schemes a statutory footing, from which they can grow and expand.
Digital Identity Products: Just like its predecessor, the new Bill contains provisions aimed at establishing digital verification services including digital identity products to help people quickly and securely identify themselves when they use online services, e.g. to help with moving house, pre-employment checks and buying age-restricted goods and services. It is important to note that this is not the same as compulsory digital ID cards as some media outlets have reported.
Research Provisions: The new Bill keeps the DP Bill’s provisions that clarify that companies can use personal data for research and development projects, as long as they follow data protection safeguards.
Legitimate Interests: The new Bill retains the concept of ‘recognised legitimate interests’ under Article 6 of the UK GDPR. These are specific purposes for personal data processing, such as national security, emergency response, and safeguarding, for which Data Controllers will be exempt from conducting a full Legitimate Interests Assessment when processing personal data.
Automated Decision Making: Like the DP Bill, the new Bill seeks to limit the right, under Article 22 of the UK GDPR, for a data subject not to be subject to automated decision making or profiling to only cases where Special Category Data is used.
Under new Article 22A, a decision would qualify as being “based solely on automated processing” if there was “no meaningful human involvement in the taking of the decision”. This could give the green light to companies to use AI techniques on personal data scraped from the internet for the purposes of pre-employment background checks.
International Transfers: The new Bill maintains most of the DP Bill’s international transfer provisions. There will be a new approach to the test for adequacy applied by the UK Government to countries (and international organisations) and when Data Controllers are carrying out a Transfer Impact Assessment or TIA. The threshold for this new “data protection test” will be whether a jurisdiction offers protection that is “not materially lower” than under the UK GDPR.
Health and Social Care Information: The new Bill maintains, without any changes, the provisions that establish consistent information standards for health and adult social care IT systems in England, enabling the creation of unified medical records accessible across all related services.
PECR Changes: One of the most significant changes, copied from the DP Bill, is the increase in fines for breaches of PECR, from £500,000 to UK GDPR levels, meaning organisations could face fines of up to £17.5m or 4% of global annual turnover (whichever is higher) for the most serious infringements. Other changes include allowing cookies to be used without consent for the purposes of web analytics and to install automatic software updates.
What is not in the new Bill?
Most of the controversial parts of the DP Bill have not made it into the new Bill. These include:
- Replacing the terms “manifestly unfounded” or “excessive” requests, in Article 12 of the UK GDPR, with “vexatious” or “excessive” requests. Explanation and examples of such requests would also have been included.
- Exempting all controllers and processors from the duty to maintain a ROPA, under Article 30, unless they are carrying out high risk processing activities.
- The “strategic priorities” mechanism, which would have allowed the Secretary of State to set binding priorities for the Information Commissioner.
- The requirements for the Information Commissioner to submit codes of practice to the Secretary of State for review and recommendations.
The Data Use and Access Bill, in its current form, will not fundamentally change UK data protection laws. This is unlikely to change during its passage through Parliament as most of its provisions are copied from the DP Bill introduced by those who are now the official Opposition.
This and other data protection developments will be discussed in detail at our forthcoming GDPR Update workshop.