New Data (Use and Access) Bill

The question

What does the new Data (Use and Access) Bill (the Data Bill) mean for businesses?

The key takeaway

The Data Bill, whilst not as ambitious as the previous Data Protection and Digital Information Bill (the DPDI Bill), introduces several new business-friendly changes to the UK data protection regime.

The background

The previous government had introduced the DPDI Bill as a progressive, business-friendly framework that would cut down on costs and paperwork. The DPDI Bill then went through several iterations and was described as a 'Christmas-tree' bill for the number of different provisions it sought to include. On the whole, however, the new regime would still have been very similar to the EU GDPR as too great a departure would threaten the UK's EU adequacy (also a concern with the new Data Bill).

Ultimately, the DPDI Bill did not pass through Parliament before its dissolution on 24 May 2024 ahead of the general election on 4 July 2024 and failed to become law. Eyes were on the new government as to whether it would resurrect the DPDI Bill and in what form.

The development

On 23 October 2024, the government introduced the Data Bill to Parliament. Like the DPDI Bill, the Data Bill serves multiple purposes. In addition to making GDPR-specific changes, the Data Bill introduces a new Smart Data scheme (that allows for the sharing and access of customer and business data), new digital verification services, and changes to the structure of the ICO.

The Data Bill introduces the following amendments to the UK data protection regime:

• Legitimate interests: The Data Bill includes certain "recognised legitimate interests" which do not require that a balancing test is performed to be relied on as a lawful basis of processing. Additions to this list can be made by the Secretary of State but must be in the public interest. Otherwise, businesses can rely on the existing legitimate interest lawful basis subject to performing the balancing test and the Data Bill includes certain types of processing that might fall within this category e.g. processing for direct marketing, intra-group transmission for admin purposes and to ensure security of IT systems (these examples were already in the recitals of UK GDPR but for clarity have been moved into the substantive provisions).
  
  
• Automated decision-making: The Data Bill includes additional controls on automated decision-making including clarifying where there is meaningful human involvement in any decisions (and therefore where the automated decision-making prohibition does not apply).
  
  
• Research and statistics: The Data Bill clarifies the meaning of scientific research purposes and statistical purposes in UK GDPR.For example it makes clear that data processing in the context of privately-funded commercial activity or technology development can still benefit from the provisions related to scientific research as long as the activities can reasonably be described as scientific.
  
  
• Data protection test: The Data Bill provides for a new "data protection test" instead of the adequacy test under the EU GDPR to be carried out prior to any international transfer. Organisations will be required to consider whether the standard of data protection in a third country is “not materially lower” than that under the UK GDPR.
  
  
• Special category data: The Data Bill allows the Secretary of State to amend the Article 9 prohibition on processing special category data to add new special categories of data (e.g. neuro data), state that certain processing does not fall within the prohibition and amend how an exception to the prohibition should apply.
  
  
• DSARs: The Data Bill codifies case law by providing that organisations only have to carry out reasonable and proportionate searches when responding to a DSAR but must do so "without delay" and in any case within a month of receiving the request, subject to exceptions where an extension is available.
  
  
• Processing purposes: The Data Bill clarifies when processing may be carried out for a new purpose which is compatible with the original purpose of processing.
  
  
• PECR: The Data Bill aligns the fine for PECR breaches and time limit for reporting PECR breaches to the GDPR standard in both cases.It also introduces an exception to the requirement for consent for certain non-intrusive cookies or similar technologies (e.g. to measure website use in order to improve the site), provided that users are given clear and comprehensive information about the cookies and an opportunity to object.

On the other hand, the Data Bill does not include the following a­­­mendments that were proposed in the DPDI Bill:

• Accountability: The DPDI Bill sought to simplify the accountability regime for organisations by introducing the concept of a Senior Responsible Individual (to replace a DPO), limiting the obligation to produce records of processing activity only to high risk processing, replacing data protection impact assessments with assessments of high risk processing, and removing the requirement for overseas organisations to have a UK representative. These changes have not been carried through.
  
  
• Definition of personal data: The DPDI Bill intended to restrict the definition of "personal data" to where the information is identifiable by the controller or a third party by reasonable means. This has not been carried into the Data Bill.
  
  
• Vexatious/excessive requests: Under the DPDI Bill, organisations had the right to refuse a data subject request where it was vexatious or excessive. This right has been removed.

Why is this important?

The Data Bill is the Labour government's attempt at recalibrating the UK's approach to data protection, after the previous government failed to push the DPDI Bill through. The narrower scope of the Data Bill will disappoint businesses expecting a less burdensome regime, but this may be a tactical decision to ensure that the UK does not lose its EU adequacy. However, with the more ambitious DPDI Bill,  organisations that operate across the UK and EU would have needed to decide how to manage both sets of requirements – either adopt a dual-track system for the UK and EU or require that the entire business complies with the stricter EU regime.  With the more limited changes proposed by the Data Bill, such organisations will not need to make such strategic decisions but they may be able to take advantage of minor tweaks to their UK processing.

Any practical tips?

The Data Bill is currently making its way through the House of Lords before continuing through the House of Commons. It's still very early days and the text may go through several rounds of amendments.  However, much of the Data Bill had cross-party support when it appeared in the DPDI Bill and some of the more controversial reforms to the data protection regime have been removed, so the government's target of achieving Royal Assent by Spring 2025 with commencement later in the year does not seem overly ambitious.

Businesses should keep track of the draft through the Parliamentary process and begin initial analysis of how these changes would affect contracts and processes.