ARTICLE
10 June 2025

A Positive Package: The Data (Use And Access) Bill

K&L Gates LLP


Since its introduction on 23 October 2024, the Data (Use and Access) Bill (the Bill) has continued to evolve as it progresses through Parliament. Reminiscent of the incomplete Data Protection and Digital Information Bill, it has been introduced by the new Labour government to "harness the power of data for economic growth, support modern digital government, and improve people's lives." The Bill's core aims are to grow the economy, improve UK public services and make people's lives easier. It has been positioned as "a positive package" that "provides greater regulatory certainty for organisations and promotes growth and innovation in the UK economy."

Presently, it is expected that the Bill will become law later this year. This blog post outlines the key changes that are being introduced under the Bill and recommends how businesses can respond to best harness the anticipated innovation and growth.

Key Changes

  1. Legitimate Interests—The Bill will provide a list of new "recognised legitimate interests," which businesses can rely on as a lawful basis when processing data.
  2. International Transfers—Businesses will need to ensure that data protection standards in recipient countries are "not materially lower" than those in the United Kingdom, rather than equivalent to them.
  3. Non-Compliance With Privacy and Electronic Communications Regulations (PECR)—The maximum fine for non-compliance with PECR will be either (i) £17.5m, or (ii) 4% of annual worldwide turnover in the previous financial year, whichever is greater.
  4. Automated Decision Making—The Bill seeks to narrow the restrictions on automated decision making so that they apply only to the processing of special category data, so long as safeguards are in place.
  5. Subject Access Requests (SARs)—The month deadlines for businesses to respond to SARs will run from the "relevant time." The relevant time will be considered the latest of the dates on which (i) the request is received; (ii) the business confirms the data subject's identity; or (iii) the business receives any fee charged for the SAR.

House of Commons Rejects House of Lords' Copyright and Artificial Intelligence (AI) Related Amendments to the Bill

Interestingly, the House of Commons rejected the House of Lords' 12 May 2025 proposals for amendments to the Bill relating to copyright and AI.

These rejected proposed changes included new clauses to require UK AI developers and holders of their data to:

  • Provide owners of copyright with information in relation to the data and text utilised in the pretraining, training, retrieval-augmented generation and fine-tuning of their AI models, or any alternative data input to their AI models, and to prepare a mechanism that enables copyright holders to recognise individual works used for these purposes.
  • Provide detailed information about the identity of any bots utilised to make AI models accessible, including their names, the legally responsible parties, and the purposes for which they have been employed. Bots are software applications designed to gather data from websites.

The rejection of such a proposal could be said to imply that the UK government wants to avoid hampering the United Kingdom's competitiveness as a key player in the global AI race.

What is Next?

Although it is unlikely that businesses will require a complete overhaul of their current processes, they should consider how they might need to update their internal procedures to implement key changes under the Bill.

Businesses should be proactive to ensure compliance with the Bill, particularly in areas such as data processing, automated decision making, and data subject rights. This will be crucial in avoiding potentially hefty fines, whilst leveraging the opportunity for innovation and growth.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
