U.K. Government Introduces Data Use and Access Bill

On October 23, 2024, the U.K. Department for Science, Innovation and Technology introduced the Data Use and Access Bill (“DUA Bill”) to Parliament. The legislation seeks to modernize the U.K. General Data Protection Regulation by reforming the way the country uses data for the public’s interest. The Department estimates that doing so will boost the U.K.’s economy by £10 billion GBP.

The DUA Bill’s predecessor, the Data Protection and Digital Information Bill (“DPDI Bill”), failed to make it through Parliament prior to the July general election, despite extensive debate and discussions of the legislation. The DUA Bill takes a different approach from the DPDI Bill in several key respects, including foregoing any attempt to amend the definition of “personal data” and abandoning the dilution of U.K. General Data Protection Regulation accountability requirements for data protection officers, records of processing activities, and data protection impact assessments. In other words, the DUA Bill does not seek to sever U.K. data protection law from an EU framework like many critics viewed the DPDI Bill as doing. The new bill instead aims to build on existing frameworks.

 

The DUA Bill will purportedly “unlock the secure and effective use of data for the public interest” by:

• Establishing a framework to secure the sharing of ‘smart data’ between service providers at a consumer’s request;
• Introducing a regime for secure digital verification services;
• Clarifying and simplifying certain UK data protection principles such as lawfulness of processing, purpose limitation, and automated decision-making techniques;
• Making it easier for broad consent to be obtained when using individual data for scientific research;
• Introducing a specific adequacy test that the Secretary of State will apply when approving third countries for international data transfers;
• Strengthening the regulatory powers of the Information Commissioner’s Office, which will become the “Information Commission;” and
• Providing for the creation and enforcement of adequate IT standards in law enforcement agencies and the National Health Service.

Perhaps one of the DUA Bill’s most significant reforms is in its update to automated decision-making technology under Article 22. The bill’s new proposed structure would explicitly permit and restrict automated decision-making in certain contexts. The bill also introduces a required assessment of the level of human involvement for any automated decision-making and provides a baseline for automated decision-making that relies on profiling. This will allow businesses to have more flexibility while also ensuring individuals retain the right to challenge certain decisions and receive meaningful explanations.

With the rise of artificial intelligence (AI), these changes to automated decision-making are subtle but important. In practice, the reforms would enable businesses to use automated decision-making more widely than under the EU General Data Protection Regulation. Only when special category data is used would companies be subject to additional requirements to show consent or that the processing is required pursuant to a legal contract.

Notably, Part 5 of the DUA Bill clarifies that the U.K. General Data Protection Regulation and the Data Protection Act 2018 remain foundational, and amendments such as the DUA Bill are only intended to refine, rather than replace, current legislation.

While the DUA Bill was only recently introduced to Parliament, considering its similarities to the DPDI Bill, which itself progressed almost to enactment, experts estimate that the DUA Bill will progress fairly quick. To read Parliament’s formal briefing of the DUA Bill, click here.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.