On 23 October 2024 the House of Lords began (again…) the legislative process for UK data reform with the first reading of the Data (Use and Access) Bill (the “Bill”) (see UK Government commentary here).

As the Bill progresses through the various legislative stages, we will produce more in-depth commentary, including a practical analysis of what the impact could be, but for now the key points to note are as follows:

  • EU Adequacy has (as with the previous bill) been at the forefront of Government thinking – this should not be a Bill that causes any problems with the EU’s upcoming review of EU<>UK adequacy which must be completed by 27 June 2025.  The standard line that for all intents and purposes UK GDPR and the EU GDPR are still broadly aligned will still ring true even with the passing of the Bill. 
  • The Bill makes significant changes to the structure and governance of the ICO, and grants the ICO new enforcement powers.  The changes to the ICO in the previous bill were a significant bone of contention in some EU/privacy activist circles, but the new Bill arguably strengthens the UK data regulator's position and powers. 
  • Extra-UK data transfers will be brought into a more “common law” model: rather than both exporters and the UK Government having to address whether an importer country has “adequate” data laws, the test will be whether the standards of protection will be “materially lower” than those applicable in the UK. This should make it easier for both data exporters and the UK Government to decide if transfers are valid or not.
  • The Bill includes a new power for secondary legislation to list new classes of special category data.  Might we see children’s data or data relating to gender transition listed as special category data?  The idea that this might be done with less scrutiny via secondary legislation is likely to be criticised through the passage of the Bill. 
  • Re data rights:
    • The new Bill gives legislative footing to certain elements of ICO guidance re responding to SARs, e.g. the Bill makes clear the “clock is stopped” when a controller asks for clarity of the scope of a SAR and that any search only has to be “reasonable and proportionate”.  
    • There is a new privacy right, the “right to complain” to controllers generally about UK GDPR compliance.  We will have to watch this space to see what this really means but privacy notices (and similar) will have to be updated.
    • As with the old bill, elements of automated decision making are both clarified and liberalised, e.g. more colour is given to what a “solely” automated decision means (essentially no human involvement at all). 
  • Re e-Privacy – some good news, some bad news:
    • As with the old bill, the new Bill brings e-privacy fines into line with UK GDPR fines, so the current maximum of £500,000 will rise to UK GDPR levels, i.e. the higher of either £17.5 million or 4% of the undertaking’s total worldwide annual turnover in the preceding financial year. 
    • Again, as with the old bill, the new Bill also amends cookie consent rules to extend to anyone who “instigates” the storage of data or access to stored data. This change means the ICO could potentially take enforcement action against website publishers, not just the ad tech vendors with whom they work.
    • On the plus side, again as with the old bill, the new Bill also introduces exemptions from cookie consent where the deployment and use of such cookies pose a low risk to user privacy (e.g. certain analytics usage).
  • Finally, as with the old bill, the Bill gives examples of where legitimate interests can be used as a lawful basis for processing (e.g. direct marketing in some cases, intra-group transfers etc.).  This means that in these stipulated cases there will be no need to undertake a Legitimate Interests Assessment.

On 31 October 2024, the ICO published its response to the new Bill. While the Bill was welcomed as a “positive package of reforms”, the ICO called for additional clarity in certain areas, e.g. automated decision making, legitimate interests and transfers of personal data to third countries, and has provided all its technical drafting comments in Annex One to its response. The ICO concludes the proposed changes are “pragmatic and proportionate amendments to the UK regulatory landscape”, so that's a thumbs up from the ICO!

The Bill will now move through the various UK legislative stages, with the Second Reading scheduled for 19 November 2024. Hopefully it is third time lucky and we will see the Bill pass in some form or another in due course.

If you are interested in knowing more about the Data (Use and Access) Bill please contact our wonderful events team here to sign up for our In House Data Club event in early 2025.