On 11 June, the UK’s Data (Use and Access) Bill (DUA Bill) passed in the House of Lords and is shortly set to become law. This marks the culmination of a multi-year, multi-government effort to introduce the legislative underpinning for new UK ‘smart data’ regimes and updates to UK data protection law, alongside a host of other data-related changes (as outlined in our previous blog).
Concerns about the use of copyright works to train generative AI models had led to protracted Parliamentary ping-pong and threatened to derail the DUA Bill. But the two Houses of Parliament finally reached a compromise, with the Government agreeing to publish within 9 months:
- an economic impact assessment of the four policy options put forward in the Government’s consultation on copyright and AI (discussed in this blog); and
- a report on the use of copyright works in the development of AI systems.
Now that the DUA Bill is shortly due to enter the statute books, what does that mean for organisations?
Smart data
With the DUA Bill providing the necessary primary legislation, the starting gun has been fired on the development of sector-specific data sharing schemes via secondary regulations. The potential impact of these schemes is substantial – the Government’s impact assessment estimates that delivering them will potentially boost UK GDP by £30.5bn a year. The front-running scheme is Open Finance, with the potential to facilitate data sharing across savings, mortgages, consumer credit, investments and insurance. The Financial Conduct Authority’s 5-year strategy outlines that a roadmap for the roll-out of Open Finance will be published within a year, and the regulatory foundations of the first scheme are expected to be in place by the end of 2027.
Data protection
Although there were a small number of amendments to the DUA Bill’s data protection provisions as it passed through Parliament, the most significant changes for commercial organisations have been long anticipated, including:
- An uplift in the maximum fines for marketing/cookie and other tracking technology infringements to UK General Data Protection Regulation (GDPR) levels and increased enforcement tools for the Information Commissioner’s Office (ICO).
- A relaxation of the cookie rules, so more cookies can be placed without consent (discussed in this article).
- A relaxation of the rules around automated decision making, enabling greater use of legitimate interests where decisions don’t involve special category data.
- A clarification of the GDPR rules around scientific research, to bolster confidence in the application of these provisions, with potential relevance for AI training.
- A codification of the Information Commissioner’s pro-innovation stance, with new duties for the Commissioner around the promotion of innovation and competition.
The Government is working closely with the ICO before determining when the DUA Bill’s data protection changes will come into effect, and it is likely the changes will be brought in on a staggered basis over the next 12 months. The ICO has previously said it will produce guidance once the DUA Bill becomes law to provide businesses with “clarity and certainty” which should help determine what, if any, changes are required to organisations' compliance programmes – for example in relation to the DUA Bill’s new requirements for controllers to have a complaints process.
What about the EU GDPR changes?
While the UK’s legislative amendments are passing the finish line, the EU’s are just beginning. On 21 May, the European Commission proposed targeted changes to the EU GDPR’s record keeping obligations and to rules on codes of conduct and certification as part of ‘omnibus’ measures aimed at supporting growth in small and mid-cap enterprises (SMEs) (see here).
The proposed changes aim to ease the burden on SMEs of maintaining records of processing activities (ROPA) by:
- extending the current exemption to organisations with fewer than 750 employees (from 250 currently);
- limiting the need for such SMEs to keep ROPAs to where their processing is “high risk” rather than where it poses just “a risk” as currently drafted; and
- clarifying that processing special category data for the purpose of employment, social security or social protection law does not require ROPAs to be maintained by SMEs that would otherwise be exempt.
Commentary
Although the DUA Bill’s protracted Parliamentary journey has led to many switching off, now is the time to look again.
- Organisations subject to the UK GDPR should consider the potential opportunities the DUA Bill presents – in the longer term from the new smart data schemes and more immediately from the data protection changes, particularly for cookies and AI; and
- Small businesses which are subject to the EU GDPR should keep a close watching brief on the progress of the proposed EU GDPR relaxations.