What you need to know about the UK’s Data Use & Access Bill

What is the Data Use & Access Bill?

Prior to the Data Access & Use Bill, the Conservative government proposed the Data Protection and Digital Information Bill (DPDI), which never went into effect. Now, the Labour government has proposed the Data Access & Use Bill, which in many ways resembles the DPDI. The new Bill aims to make better use of data to drive economic growth and reduce administrative burdens in essential public services like healthcare and law enforcement. As stated by Technology Secretary Peter Kyle:

“This Bill will help us boost the UK’s economy, free up vital time for our front-line workers, and relieve people from unnecessary admin so that they can get on with their lives.”

Key changes under the DUAB

The DUAB proposes several changes. Below are the main changes relevant to data protection:

1. Relaxation of data processing in certain areas: The DUAB introduces a seventh lawful basis for processing personal data, which relaxes areas that currently have stricter rules for handling of data. For instance direct marketing, allowing businesses to engage in marketing with fewer compliance hurdles.
   
   
2. There will be fewer restrictions on automated decision-making: Businesses will be able to rely more on automation, making it easier to introduce for instance AI.
   
   
3. More freedom to repurpose data: The Bill expands what is called secondary data processing, giving businesses more freedom to repurpose data for different use without it being seen as misuse of data.
   
   
4. Flexible international data transfers: The DUAB appears to introduce a different, slightly lower, standard for making international transfers than under the UK GDPR, by introducing a new ‘data protection test’ for international transfers.
   
   
5. Fines and penalties: The cap on fines under the PECRs, which govern cookies and electronic direct marketing, has been raised to match UK GDPR levels, significantly increasing potential penalties for non-compliance.
   
   
6. DPIAs and ROPA remain in place: Despite the increased flexibility, businesses must still conduct Data Protection Impact Assessments (DPIAs) and maintain a Record of Processing Activities (ROPA), ensuring ongoing transparency and accountability in data handling.

Currently the UK GDPR largely follows the EU’s GDPR, but as listed above the DUAB moves away from some of the stricter rules in the EU framework. The Bill provides businesses with greater freedom in how they use data, aiming to make it easier to innovate while still focusing on privacy protection.

What happens next?

‍The Bill has now passed through the House of Lords and is currently under review in the House of Commons. While it’s expected to pass quickly, it may undergo some changes along the way. During the House of Lords stage, the Bill was for instance amended to include further duties when it comes to children’s data.

Another key point will be the EU’s review of whether the UK is still an adequate third country. This will be up for renewal during the first half of 2025.

‍