What does the Data (Use and Access) Bill mean for organisations?
Legal Development, 19 February 2025
UK & Europe
Technology, Outsourcing & Data
On 23 October 2024, the Data (Use and Access) Bill (the Data Bill) was introduced to Parliament. The Data Bill aims to harness the power of data for economic growth, support a modern digital government, and improve people’s lives.
Its proposals have been welcomed by some, including the ICO, whilst others have raised concerns that it could undermine individuals’ rights and could impact the UK’s adequacy status under EU law. In this article we examine several of the key data protection changes outlined in the Data Bill, considering their implications for the development and deployment of Artificial Intelligence (AI) systems and the UK’s adequacy status.
Key changes to current data protection legislation
New “recognised legitimate interests” lawful basis: The Data Bill amends the UK GDPR to add a new “recognised legitimate interests” lawful basis for processing, with a list of what would qualify as a recognised legitimate interest.
In contrast to the current legitimate interests lawful basis for processing, there will be no need to balance the rights and freedoms of individuals against the legitimate interests of the controller when relying on a recognised legitimate interest. The Secretary of State may, subject to certain conditions, add to, vary or omit provisions from the list of recognised legitimate interests via secondary legislation.
Organisations should keep up to date with the new legitimate interests lawful bases and ensure that documentation such as privacy notices and Records of Processing reflects the relevant lawful bases relied upon.
Clarification on the existing “legitimate interests” lawful basis for processing: The Data Bill provides for a statutory list of examples of processing activities that will fall within the current legitimate interests lawful basis for processing under the UK GDPR. This list includes processing necessary for the purposes of direct marketing and intra-group transfers of personal data for internal administrative purposes.
This clarification will assist organisations when determining and documenting their lawful bases for processing in these contexts.
Automated decision-making: The Data Bill provides for the relaxation of certain restrictions on automated decision-making. In particular, the current prohibition and exemptions would apply only to automated decision-making involving special category data such as health data, although safeguards will still apply when other types of personal data are used.
PECR: changes and enforcement: The Data Bill will align the enforcement regimes under the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR), meaning there will be a dramatic increase in the fines that may be imposed for breaches of PECR. Organisations should ensure that they are complying with PECR’s requirements in areas such as cookie use and direct marketing.
The Data Bill also provides for the removal of the consent requirement under PECR in respect of cookies placed for certain specified purposes, e.g. to collect information for statistical purposes to make improvements to the service, provided that the user is provided with information about the purpose for placing these cookies. This change should lessen the burden on organisations in relation to cookie requirements.
International transfers: The Data Bill introduces a “data protection test” to be considered in the context of international transfers. Controllers will need to ensure that data protection standards in the recipient country are not materially lower than in the UK. The Secretary of State may make regulations approving international transfers and will – in addition to the data protection test – consider the wider context of data flows between the UK and another country and how the transfers may benefit the UK. These proposed changes mean that the UK’s approach to international transfers could diverge from the EU’s approach, which requires an essentially equivalent level of protection to be given to the personal data following an international transfer.
The Data Bill also introduces a range of other changes, including:
- codification of the ICO’s guidance on “reasonable and proportionate” search requirements for data requested under a subject access request;
- reforms to the ICO’s structure;
- a legislative framework for digital verification services;
- smart data schemes which facilitate the secure sharing of customer data (e.g. data held by a communications provider or financial services provider) upon the customer’s request, with authorised third-party providers;
- the expansion of existing research provisions and the relaxation of associated consent requirements, including in a commercial context; and
- clarification on when a new processing purpose will be considered compatible with the original purpose for which data was collected.
Implications for the development and deployment of AI systems
By making it easier for organisations to access data for research purposes and relaxing restrictions on automated decision-making, the Data Bill will facilitate the development and deployment of AI models in the UK. This is of particular importance to the UK Government, as highlighted in its AI Opportunities Action Plan.
In its response to the Data Bill, the ICO has highlighted the benefits that automated decision-making with proper protections can bring for people and organisations, including increased efficiency.
When using data in an AI context, it will be important for organisations to avoid data protection risks already highlighted by the ICO such as the creation of biased and discriminatory AI systems and the misuse of personal data when training AI systems.
Implications of the Data Bill for the UK’s adequacy status under EU law
The UK’s adequacy status under EU law depends on the European Commission’s assessment that the level of protection given to personal data in the UK is essentially equivalent to that in the EU. Securing the renewal of the EU's data adequacy decision in respect of the UK by the deadline of 27 June 2025 is a key priority for the UK Government and, in November 2024, the Department for Science, Innovation and Technology (DSIT) confirmed its confidence that the proposed Data Bill will allow the UK to preserve its adequacy status.
Nevertheless, concerns have been raised that if the Data Bill is seen by the European Commission as weakening privacy standards in the UK, this could mean that the EU adequacy decision is revoked. The Local Government Association, whilst referring to the Data Bill as “less compromising to EU data protection frameworks than previous iterations of the bill”, has also highlighted several concerns and emphasised the need to ensure that the Data Bill does not negatively impact the UK’s EU adequacy decision and therefore the ability of councils and other organisations to access data stored in the EU.
If the UK loses its adequacy status under EU law, organisations will need to implement additional data transfer mechanisms such as standard contractual clauses or binding corporate rules, incurring significant time and financial costs.
Comment
Overall, the Data Bill has the potential to bring about significant positive reforms for organisations and individuals, in particular by improving access to data. Encouraging the growth of AI in the UK is a key priority for the UK Government and the provisions set out in the current draft of the Data Bill are intended to assist with this. Nevertheless, to retain the UK’s adequacy status under EU law, the UK Government will need to ensure that the Data Bill and other related measures promote innovation without undermining individual rights under data protection law.
The third reading in the House of Lords, a chance for members of the Lords to “tidy up” the bill, was scheduled for Wednesday 5 February.