Data (Use and Access) Bill passes Second Reading

The Data (Use and Access) Bill has passed its Second Reading in the House of Lords, marking the latest step as the landmark piece of legislation makes its way to become law.

The Bill is the successor to the Data Protection and Digital Information Bill (“DPDI”) (on which we have commented previously here) which failed to be carried over into the current parliamentary session following the general election earlier this year.

Like its predecessor, the Bill is an attempt to update the UK’s data protection regime following Brexit. However, its provisions depart from the DPDI in some important ways. For example, the previous proposal to replace the role of Data Protection Officers with so-called ‘Senior Responsible Individuals’ has been scrapped, as have proposals that represented a relaxing of obligations in relation to carrying out Data Protection Impact Assessments, responding to data subject access requests, and maintaining records of personal data processing. The new Bill also removes measures in the DPDI which envisaged the Secretary of State playing a more interventionist role in setting codes of practice and setting binding ‘strategic priorities’ for the Information Commissioner.

In terms of what the new Bill contains, the proposed measures are considerable (there are 138 sections) and many provisions from the DPDI do still remain. For example, the introduction of the concept of ‘recognised legitimate interests’ – specific purposes, set out in the legislation, on which controllers can rely and thereby forgo the requirement to conduct a full Legitimate Interests Assessment – is still present. The ‘recognised legitimate interests’ are set out in Schedule 4 to the Bill and include, for example, safeguarding national security, responding to an emergency, safeguarding vulnerable individuals, and detecting, investigating, or preventing crime. Similarly, the new Bill largely retains the DPDI’s approach to automated decision-making, meaning that organisations will ordinarily be permitted to use automated decision-making so long as they implement appropriate safeguards as set out in the legislation, such as allowing the data subject to make representations about, and to contest, decisions. Further restrictions are imposed, however, in scenarios where sensitive processing is involved, requiring either that the data subject has given explicit consent, or that the decision is required or authorised by law.

In addition, the new Bill builds on the DPDI by introducing measures which, in the words of the Government, are “innovative uses of data” which will boost the economy. These include (1) “establishing a trust framework for digital verification services”; (2) “placing the national underground asset register on a statutory footing”; and (3) “creat[ing] the right conditions to support the future of open banking and the growth of new smart data schemes, models which allow consumers and businesses who want to safely share information about them with regulated and authorised third parties, to generate personalised market comparisons and financial advice to cut costs”.

Responding to the Bill, the Information Commissioner, John Edwards, commented that “the data protection changes proposed in the Bill are pragmatic and proportionate amendments to the UK regulatory landscape. They align well with the ICO’s enduring objectives and provide sufficient flexibility for us to respond effectively to the regulatory challenges and opportunities posed by the rapidly-evolving, data-driven environment we oversee.” He also stated that in his view the proposed changes “strike a positive balance and should not present a risk to the UK’s adequacy status”.

The Bill moves on to Committee Stage on 3 December 2024.
