The U.K. Department for Science, Innovation and Technology (DSIT) has introduced a new data bill designed to resurrect various initiatives that were previously blocked by the former administration and to modify some contentious post-Brexit adjustments suggested by conservative officials.
The government believes the “Data (Use and Access) Bill” (DUA) could inject £10 billion into the U.K. economy by enhancing efficiency savings in the public sector. This is expected to arise from the simplification of information-sharing protocols within sectors like healthcare and law enforcement.
The proposed legislation also addresses digital identity verification, the expansion of “smart data schemes” similar to open banking, the mapping of underground utilities, the digitization of birth and death registrations, and facilitating access to data kept by online platforms.
“This bill will enable us to utilize data securely and effectively, thereby boosting the U.K. economy, freeing up essential time for frontline workers, and alleviating unnecessary administrative burdens, allowing individuals to focus on their lives,” stated Technology Secretary Peter Kyle.
Data Access and Online Risks
A significant portion of the bill appears to inherit proposals from the former government, including a plan to simplify cookie consent processes by allowing websites to gather user data for analytical purposes without explicit consent. A noteworthy addition mandates that online service providers must preserve data regarding minors’ deaths while using their platforms.
This measure seems to address the issue faced by parents who struggle to access their deceased children’s social media accounts following tragic incidents.
Additionally, a provision is included to grant online safety researchers access to critical data, aligning the U.K. with European Union practices, as the EU’s Digital Services Act requires major platforms to provide researchers with data access.
The U.K. has often trail behind the EU in digital regulatory measures; thus, incorporating a data access dimension into this bill appears to be an effort to catch up and enhance the prospects of the recently passed Online Safety Act.
Focus on Adequacy
Moreover, the new legislation rolls back several contentious amendments proposed by the previous administration regarding the U.K.’s General Data Protection Regulation (GDPR).
Ministers are likely eager to ensure compliance with the EU’s forthcoming review of the adequacy decision made in 2025, which permits the transfer of personal data of EU users to U.K. businesses for processing.
“The European Commission will be pleased that the Bill does not pursue the former government’s plans to limit the application of Records of Processing Activities (ROPA), Data Protection Impact Assessments (DPIAs), and Data Protection Officers (DPOs) or seek to undermine the autonomy of the Information Commissioner’s Office (ICO),” remarked Edward Machin, a senior attorney in Ropes & Gray’s data, privacy, and cybersecurity division.
“The expansion of the GDPR provisions concerning legitimate interests and purpose limitation also won’t likely hinder the forthcoming adequacy review,” he commented further.
Automated Decision Making
The digital rights organization Open Rights Group (ORG) expressed a more critical stance on the bill, stating it “will not safeguard the public against AI-related harms.” ORG highlighted that the bill restricts individuals’ rights concerning automated decisions with significant legal or personal implications solely to special category data (rather than personal data overall).
“This allows organizations to employ automated systems for pivotal decisions—like firing employees, calculating remuneration, or determining visa and benefits eligibility,” ORG noted. “It further provides the Secretary of State the authority to completely exempt such automated systems from data protection measures, regardless of potential public dangers.”
ORG also pointed out new loopholes that could diminish data rights by allowing businesses to complicate the process of responding to data requests by demanding additional information from individuals. Additionally, they cautioned that the bill still permits “data grabs” of personal information under the pretext of ‘research.’
“The Data Use and Access Bill undermines our rights and expands the capabilities of organizations to employ automated decision-making systems. This raises significant concerns in critical areas such as policing, welfare, and immigration, where crucial decisions may be made without human oversight,” stated ORG’s legal and policy officer, Mariano delli Santi.
ICO Perspective
ORG emphasized that the new bill still endows the government with powers that could potentially compromise the independence of the ICO.
However, Richard Cumbley, a partner in Linklaters’ technology, media, and telecommunications practice, noted a change limiting the ICO to a six-month timeframe to complete investigation processes related to fines. This may address the issue of prolonged ICO investigations.
Privacy Notice Revisions
Jon Baines, a senior data protection expert at Mishcon de Reya, also provided initial insights into the new government’s approach to GDPR reforms, particularly regarding changes to privacy notice requirements that might prompt controversy.
“The DUA Bill proposes eliminating the requirement to provide privacy notices to data subjects from whom data is collected directly if doing so is considered ‘impossible or would amount to a disproportionate effort,’” he explained in a blog post. The bill cites factors such as the number of data subjects, the age of the data, and relevant safeguards regarding processing as examples.
“Similar language is suggested for situations where personal data is collected indirectly without the data subject’s direct involvement. If these provisions become law, data controllers’ obligations to inform subjects about data processing will likely diminish significantly. Consequently, these provisions are expected to be highly contentious and subject to parliamentary examination,” he added.
Data Consent Amendments
The bill also aims to modify the Privacy and Electronic Communications Regulations (PECR), which govern marketing communications, including cookie consent requirements.
“Pixel tracking and device fingerprinting are now treated similarly to cookies, closing a loophole that online marketers often exploited to circumvent cookie regulations,” Cumbley remarked.
In his blog, Mishcon de Reya’s Baines pointed out that the prior government’s proposal permitting the use of first-party cookies (and similar tracking technologies) for website analytics without requiring user consent has resurfaced. He also highlighted the revival of a suggestion to raise the potential fines for PECR violations to align with U.K. GDPR levels, reaching up to £17.5 million for severe breaches.
Additionally, Baines mentioned another proposed change that could empower the ICO to confront senders of unsolicited spam more effectively, allowing potential enforcement actions against spam that was never delivered to anyone, thus categorizing it as a violation.
Compiled by Techarena.au.
Fanpage: TechArena.au
Watch more about AI – Artificial Intelligence
