Overview
On October 23, the House of Lords held the first reading of a new proposed data protection bill, the Data (Use and Access) Bill ("DUA Bill"), sponsored by the Department for Science, Innovation and Technology ("DSIT"). If passed, the DUA Bill will replace the current UK Data Protection Act 2018, which incorporates the UK version of the EU General Data Protection Regulation (2016/679) (the "UK GDPR"). Although the DUA Bill is at an early stage of the UK legislative process, with further readings and report stages to come, it carries on the UK government's ambition to restructure its data protection regime and its aim of "harnessing the power of data for economic growth, supporting a modern digital government, and improving people's lives",1 as already alluded to in the King's Speech in July 2024.
According to its press release of October 24, the UK government expects the DUA Bill to generate an economic boost of £10 billion for the UK economy.2 In comparison, the earlier and since abandoned Data Protection and Digital Information Bill ("DPDI Bill") was expected to bring approx. £4.7 billion to the UK economy.3
Executive Summary
The DUA Bill introduces a series of updates across industries, starting with "smart data schemes" aimed at improving interoperability across digital services and providing more standardized interfaces for customers; a "trust framework" for digital verification services, enabling digital verification providers to become certified so that customer verification is more secure and efficient; and standardized interoperability requirements targeted at the provision of IT services within the NHS to enable greater data sharing. Additionally, law enforcement is empowered to access and retain data without unnecessary administrative burdens, UK underground energy assets are to be mapped to enable efficient maintenance, and research relating to online safety is promoted by granting researchers more opportunities to access commercial data.
The DUA Bill deviates from its predecessor, the DPDI Bill, while proposing further tailoring of the UK GDPR to better suit the UK economy. The UK data protection authority, the Information Commissioner's Office (ICO), echoed this in its response to the DUA Bill on October 31, describing the proposed changes as "pragmatic and proportionate amendments to the UK regulatory landscape". New definitions such as "customer data" and "business data" are introduced to facilitate greater data portability and give customers more options to control their data. The ICO is expected to receive additional powers and a new name (the Information Commission). Other changes departing from the UK GDPR are put forward in relation to automated decision-making, the appropriate use of legitimate interests as a lawful basis for processing, and the handling of excessive data subject access requests. Although still at an early stage of the legislative process, the DUA Bill appears to offer greater synergies for the UK-EU data protection partnership.
Key Objectives
The DUA Bill is structured to amend existing UK legislation, including but not limited to the Data Protection Act 2018, the Health and Social Care Act 2012, and the Online Safety Act 2023. The DUA Bill thereby empowers other branches of the UK government to start working on new industry-specific rules facilitating effective and secure data use.
The key objectives of the DUA Bill are as follows:
(1) Smart Data Schemes
- Similar to the EU Data Act and the EU Data Governance Act, the UK aims to develop an economy-wide data sharing scheme enabling easier data sharing across services and platforms, e.g. by promoting the future of open banking in the UK. DSIT proposes a new data portability regime going beyond the current right to data portability under the UK GDPR. A request from a customer would require a data holder to provide the data to a trusted third party (selected by the customer) immediately, as opposed to within 30 days as currently set out under the UK GDPR.4 Requirements for standardized interfaces will apply to financial services. Such services may be subject to regulations issued by the Financial Conduct Authority ("FCA") establishing interface standards for how data may be shared and received.5
(2) Digital Verification Services
- The DUA Bill proposes provisions regulating the standards applicable to digital verification schemes. The Secretary of State would be empowered to promulgate rules for a "Digital Verification Services trust framework" ("DVS trust framework"), enabling companies operating in the verification services industry to become certified.6 The certification scheme would be managed by a new Office for Digital Identities and Attributes ("OfDIA") that will be part of DSIT. Certification will give verification services a "trust mark" on which customers can rely when using digital services such as renting, starting work, and registering births and deaths. The UK government expects that this efficiency alone will generate an economic boost of £4.3 billion over the next decade.7
(3) The NHS
- According to the UK government, the DUA Bill supports the building of an NHS "fit for the future" by improving interoperability and reducing administrative burdens for health care professionals. It is expected to improve efficiency by freeing up approx. 140,000 hours yearly for NHS workers, in turn enabling more care time for patients.
- The DUA Bill introduces new information technology standards for health and adult social care in both public and private practice. IT suppliers of health and social care information systems would also be in scope. The standards aim to strengthen compliance standards in the health and social care system, enable effective information sharing by imposing interoperability requirements on service providers, introduce expanded enforcement actions (such as compliance monitoring requirements and financial penalties), and propose an accreditation scheme for IT products and services intended for use within the NHS.8
(4) Additional updates
- Improved Research: The DUA Bill amends the Data Protection Act 2018 and the Online Safety Act 2023 to improve researchers' ability to access data for online safety related research, especially in relation to privately owned online search platforms and user-to-user platforms.9
- Law Enforcement & Criminal Investigation: UK law enforcement agencies are expected to receive better access to, and use of, data to investigate crimes, which is expected to save 1.5 million hours of administration and £42.8 million in publicly funded resources per year. Law enforcement agencies would be able to retain information, such as DNA samples, in pseudonymized form indefinitely for the purpose of national security.10
- National Underground Asset Register: The DUA Bill proposes efficiencies for the UK's underground infrastructure by creating a National Underground Asset Register ("NUAR").11 The cost of accidents related to the UK's underground energy, water, and telecom pipes and cables is estimated at £2.4 billion a year.12
Key Deviations from the DPDI Bill and the EU GDPR
Compared to the DPDI Bill, the DUA Bill proposes less divergence from the EU GDPR's requirements. In contrast to the DPDI Bill, the DUA Bill does not remove the current accountability requirements for organizations to appoint a data protection officer, to maintain records of processing, and to conduct data protection impact assessments. The DUA Bill arguably takes an approach more consistent with the EU data protection regime in order to preserve the UK-EU relationship and data flows, while also addressing UK-specific needs to grow its economy. There appears to be an acknowledgement that many UK-based companies have already made the effort to comply with the UK GDPR, meaning that removing the obligations to maintain records of processing and to carry out, where required, data protection impact assessments would, arguably, be detrimental for UK companies conducting business across the EU/EEA, which would still be required to comply with similar requirements under the EU GDPR.
Some key differences are set out below:
- Additional definitions of data: The DUA Bill introduces the new concepts of "customer data" and "business data", which can be accessed and used to facilitate better data portability options and improve customers' control over their data. Customers would be able to designate authorized third persons to receive, on the customer's behalf, data held by a "trader", e.g. relating to their prior purchases and use of products and services. "Business data" includes information relating to purchased goods, services, or digital content, and information about customers' feedback.13 The Secretary of State or the Treasury would be empowered to promulgate regulations on how such data may be shared or disclosed.14
- A revamped UK data protection authority: The DUA Bill restructures the UK Information Commissioner's Office ("ICO") by instituting a new Information Commission ("IC").15 The IC would take over the oversight duties of the ICO while also gaining increased oversight powers in relation to monitoring the newly proposed standards and schemes. The IC is set to have a 6-month window in which to investigate claims that may lead to the issuance of fines for violations. The IC would have greater responsibility to promote innovation, suggesting that the IC will be seen by other regulatory authorities as a consulting partner and not just an enforcement authority.16 Information Commissioner John Edwards released a statement in response to the introduction of the DUA Bill welcoming the Bill and the IC's strengthened powers, and looking forward to continuing "to operate as a trusted, fair and independent regulator and provide certainty as they innovate and promote the UK economy."
- Cookies and tracking technologies: The privacy restrictions currently applicable to cookies would also apply to pixel tracking and device fingerprinting. Further, the Privacy and Electronic Communications Regulations would be updated with new consent requirements, including the ability to collect information from individuals' devices without consent, e.g. where the information is used for statistical purposes to evaluate the service or website in order to make improvements to it.17
- Automated decision-making: Amendments would be made to the restrictions on processing that involves automated decision-making, including additional provisions that enable automated decision-making based on special categories of personal data. Processing special category data may, for example, be permitted if two conditions are met: (i) the individual provides explicit consent, and (ii) the processing is necessary to enter into a contract, or is authorized by law.18
- Processing on the basis of legitimate interest: The DUA Bill introduces purposes that would be statutorily recognized as legitimate interests, without the need to assess whether the data controller's interest outweighs the rights of the individual.19 Processing that is (i) necessary to disclose personal data in response to a valid request, (ii) necessary for safeguarding national and public security, (iii) for emergency response, (iv) for crime prevention, detection, and investigation, or (v) for safeguarding vulnerable individuals would all be considered recognized legitimate interests.20
- Restrictions on rejecting excessive data subject requests: The amendments suggest that data controllers would be permitted to reject excessive and vexatious data subject requests.21 Data controllers would be required to produce and publish guidance on when they intend to charge data subjects fees for addressing requests.22
- International data transfers: At the end of June 2025, the European Commission is due to review the UK's data protection legal framework, including the sufficiency of its data protection safeguards, to decide whether to extend the adequacy decision for an additional four years. Compared to the DPDI Bill, the approach of the DUA Bill favors the continuity of fluid commercial activity between the UK and the EU while avoiding additional administrative burdens and compliance costs for UK-based companies.
Next Steps
The DUA Bill is at an early stage of the legislative process, currently sitting in the House of Lords, with further amendments and updates likely to arise along the way. There is currently no set date for a second reading of the DUA Bill.
The DUA Bill (in its current version) is arguably a step closer to a unified UK-EU regime for data protection, enabling companies to continue to operate seamlessly in both regions. The UK government's ambition to promote a strong UK in the digital era is evidenced notably by the provisions on improved data sharing and digital verification, which are expected to result in significant cost savings and greater efficiencies across several industries. However, such data sharing efficiencies may also bring greater risks of data mishandling, which will need to be carefully thought through during the legislative process.
Footnotes
1. See Impact Assessment - Data (Use and Access) Bill, IA number: DSIT001(FIA)-24-DTT, Department for Science, Innovation and Technology, Oct 23, 2024.
2. See press release on the UK government's website, New data laws unveiled to improve public services and boost UK economy by £10 billion, Department for Science, Innovation and Technology, Department of Health and Social Care, Home Office and The Rt Hon Peter Kyle MP, published October 24, 2024 (available here) ("the UK government's press release, Oct 24, 2024").
3. See Overview of the Expected Impact of Changes to the Data Protection and Digital Information Bill following Report Stage, Department for Science, Innovation and Technology.
4. Impact Assessment – Regulatory Powers for Smart Data, IA number: DBT-046-24-CMRR, Department for Business and Trade, Oct 23, 2024, p. 8.
5. See Part 1, Sec. 14(1)(a)-(c) of the DUA Bill.
6. See Part 2, Sec. 28 of the DUA Bill.
7. See the UK government's press release, Oct 24, 2024.
8. See Section 7 and Schedule 15 of the DUA Bill, amending Part 9, Section 250 of the Health and Social Care Act 2012 (as amended in 2022); see also Impact Assessment - Data (Use and Access) Bill: open data architecture information standards impact assessment, IA number: DHSCIA9646, Department of Health and Social Care, Oct 23, 2024.
9. See Impact Assessment - Researchers' Access to Data, IA number: DSIT003(FIA)-24-DI, DSIT, Oct 23, 2024.
10. See Part 7, Sec. 125(2)-(5) of the DUA Bill (amending the Counter-Terrorism Act 2008).
11. See Part 3 and Schedule 1 of the DUA Bill.
12. See Impact Assessment - Data (Use and Access) Bill: Legislation to deliver the National Underground Asset Register (NUAR), IA number: DSIT004(FIA)-24-GSC, Geospatial Commission, Oct 23, 2024.
13. Id.
14. See Part 1, Sections 2-5 of the DUA Bill.
15. See Part 5, Ch. 1, Sec. 90 of the DUA Bill.
16. See Part 5, Ch. 1, Sec. 90(3) of the DUA Bill.
17. See Schedule 12 (Collecting information for statistical purposes) of the DUA Bill.
18. See Part 5, Ch. 1, Sec. 80(1) of the DUA Bill.
19. See Impact Assessment - Data (Use and Access) Bill: DSIT001(FIA)-24-DTT, Department for Science, Innovation and Technology, Oct 23, 2024.
20. See Schedule 4 to the DUA Bill.
21. See Impact Assessment - Data (Use and Access) Bill: DSIT001(FIA)-24-DTT, Department for Science, Innovation and Technology, Oct 23, 2024.
22. See Part 5, Ch. 1, Sec. 75 of the DUA Bill.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.