Progress on the UK’s Data (Use and Access) Bill \\ FLINN

Progress on the UK’s Data (Use and Access) Bill

1 April 2025

… and … no, it’s not a ‘poisson d’avril

Introduction

The UK’s Data Protection and Digital Information (No2) Bill (“DPDI-2 Bill”) failed to pass into law before Parliament was dissolved at the end of May 2024. However, the new Labour government has introduced a Data (Use and Access°) Bill (the “DUAB”), which revives many provisions of the previous legislative initiative. This article briefly discusses the DUAB its objectives, scope and implications for innovative data use.

Objectives of the DUAB:

The Data (Use and Access) Bill (DUAB) was introduced in the House of Lords on 23 October 2024, following the dissolution of the previous Parliament, which led to the loss of the DPDI-2 Bill. The DUAB aims to modernise the UK’s data protection framework, promote economic growth[1], improve public services[2], and make people’s lives easier[3].

DUAB Scope: key provisions:

When enacted, the DUAB will do much more than revise the UK’s data protection legislation (UKGDPR and the 2018 Data Protection Act). It will:

  1. Enable Smart Data Schemes: permitting consumers to securely share their data with authorised third-party providers (“ATPs”) for innovative services like automatic account management and switching of accounts enabled through data portability. For the present the ‘Open Banking’ standard and protocols are the only operational example of such a scheme.
  2. Help to establish Digital Verification Services (DVS): putting a legislative structure for DVS into place, thereby enabling users to create trusted digital identities with certified providers. This aims to provide digital identities in a form as reliable as any paper document.
  3. Establish a confidential National Underground Asset Register (NUAR): Providing secure access to location data about pipes, cables, and other underground apparatus to improve the efficiency and safety of underground work.
  4. Update the Registers for Births and Deaths: up-dating from paper-based to electronic systems, again enhancing efficiency and security of the information.
  5. Introduce Data Protection and Privacy changes: by making changes to the Data Protection Act 2018, UK GDPR, and Privacy and Electronic Communications Regulations 2003. Notable changes include those concerning:
  • Automated Decision-Making (ADM): Allowing decisions based solely on automated processes in wider circumstances although requiring stringent safeguards.
  • Legitimate Interests: Introducing a new lawful ground of ‘Recognised Legitimate Interest’ (“RLI”) without requiring data controllers to carry out a balancing test when processing personal data for key public interest purposes.
  1. Abolish the Information Commissioner’s Office: and transfer its functions to a new body, the Information Commission, with a chief executive and board of directors. (Although the ICO ‘brand’ will survive.)
  2. Strengthen obligations on providers of online services likely to be accessed by children: ensuring their safety and privacy by delineating Children’s Higher Protection Matters.
  3. Introduce new criminal offences: for creating or soliciting the creation of intimate images without consent.

Reactions and Concerns from the Information Commissioner’s Office:

The Information Commissioner has expressed his support for the DUAB’s ’pragmatic’ and ‘proportionate’ amendments.

“Overall, the Bill remains one which I support as improving the effectiveness of the data protection regime in the UK, upholding people’s rights, providing regulatory certainty and clarity for organisations and improving the way the ICO regulates”.

He has noted the concerns raised about widening the scope for Automated Decision Making (… ”this is an area of significant debate”…). He agrees that creating new criminal offences of producing sexually explicit digital images without consent is the most effective way to address these issues. On the other hand, he … “would welcome assurance from government that they have considered and assessed any implications for the European Commission’s forthcoming review of the UK’s adequacy status”, in view of statements regarding the incompatibility of the new offence with the European Convention of Human Rights (“ECHR”)[4]. (The EU Commission’s adequacy assessments for the UK are due to expire on 27 June 2025, unless renewed.)

 

Conclusions:

The DUAB represents a significant effort to modernise the UK’s data protection framework, promote economic growth, and improve public services. The DUAB is currently progressing towards its Report stage (a last chance for debate on the floor of the House) and Third Reading in the House of Commons. Amendments made by the House of Lords have been removed in the most recent text of the DUAB adopted after the House of Commons Committee stage, so it will have to be reviewed again in the House of Lords. Once the DUAB is adopted, it has been suggested that the Government is likely to follow-up by introducing legislation on AI within the next eighteen months.

 

[1] https://www.gov.uk/government/publications/data-use-and-access-bill-factsheets/data-use-and-access-bill-factsheet-growing-the-economy

[2] https://www.gov.uk/government/publications/data-use-and-access-bill-factsheets/data-use-and-access-bill-factsheet-improving-public-services

[3] https://www.gov.uk/government/publications/data-use-and-access-bill-factsheets/data-use-and-access-bill-factsheet-making-lives-easier

[4] Information Commissioner’s updated response to the DUAB HC, 10 February 2025. Available from https://ico.org.uk/about-the-ico/the-data-use-and-access-dua-bill/information-commissioner-s-updated-response-to-the-data-use-and-access-dua-bill-house-of-commons/ .

 

Disclaimer: This article may not deal with every important topic or cover all important aspects of the subject matter. It is not intended, and should not be used, as a substitute for seeking appropriate legal advice on specific questions.

Share us!