The Data (Use and Access) Bill (the Bill) was introduced in October 2024; it follows the lapse of the Data Protection and Digital Information Bill introduced by the previous government.
The Bill focuses on customer data, enforcement, and the financial services sector in particular. This aligns with the Government’s approach of themes and missions, and depending on how you look at it there are up to seven themes: (i) promoting competition, (ii) clarifying digital ID and verification, (iii) data innovation, (iv) improving personal data protections, (v) clearer rights to personal data for law enforcement/regulation, (vi) changes to cookies and trackers, and (vii) aiding improved public service delivery.
Digital verification and amendments related to the GDPR are covered by two entire Parts, adding a meaning for research and statistical purposes, and a section on special category data as well as automated decision making. Chapter 2 updates the Privacy and Electronic Communications regulations and increases the fines. This means it will impact many businesses and it’s worth thinking about how you use data, and if this Bill might affect you.
There will be a consistent new focus on children in the law, with Part 5 on privacy specifically mentioning children. The Bill provides that the Secretary of State, when making regulations, must keep in mind that children can be less aware of risks to their privacy and of their rights, and the Information Commission will have a similar obligation to think about children in the functions of their role and the Commission’s work.
Key highlights of the Bill
- EU Adequacy – The EU has an upcoming review of the UK adequacy decision, which is due by June 2025. The Bill dropped a proposed change to the definition of personal data contained in the previous government’s Bill, which would have narrowed the meaning of the term and possibly been a source of concern for the EU in reviewing the UK’s adequacy. Another previously proposed change was to limit the need for controllers to keep Records of Processing Activities to high-risk operations, rather than for all personal data, but it was also dropped.
- Changes to the structure and governance of the Information Commissioner’s Office (ICO) – Enforcement powers will be expanded in relation to the use of cookies and electronic marketing, with GDPR-level fines of up to 4% of annual turnover or £17M. There will now be a board and chief executive in place of the Commissioner.
- An adjustment to the current law on international transfers – It is hoped this will lead to improved clarity via minor changes that do not concern the EU when assessing the UK’s adequacy. The Secretary of State will have a new test to deem which other jurisdictions are adequate: no longer a requirement to be equivalent to the GDPR, but rather to provide a standard of protection which is not materially lower than in the UK. This could mean a shift away from the EU standard.
- Data Subject Access Requests (DSARs) – It will be clearer that the time within which to reply stops once you ask for clarifications. The previous Bill sought to introduce the right for the controller to refuse to comply with a request if it was ‘vexatious or excessive’, but this has not made it into the Bill. The law will also make clear that the level of search required is ‘reasonable and proportionate’; not a change in the law but a codification, as case law and guidance already said this.
- Data subjects need to address any complaint with the data controller before going to the ICO – There is to be a new right of complaint, but little is known about how that will work, and what it means in practical terms.
- Automated decision making – The rules on this are being amended. We expect the detail to come sometime later in the form of regulations.
- Cookie policy and the use of pop-ups – The Bill proposes changes to cookie consent rules, which may mean wider enforcement options for the ICO against online publishers and ad tech vendors. There will also be some new exemptions to obtaining consent for cookies where they are ‘low risk’ such as solely for website analytics.
- Legitimate Interests are being clarified – In future, legitimate interests can be used as a lawful basis for more direct marketing and intra-group transfers. Generally, the aim is to provide clarity on legitimate interests, but also a reduction in the number of assessments you need to make. The Bill amends the lawful basis (article 6 UK GDPR) to permit controllers to rely on recognised legitimate interests that appear in an Annex in Schedule 4 of the Bill. Where you can rely on one of these recognised legitimate interests for your processing, you are not expected to carry out a balancing exercise under a legitimate interest assessment.
- Non-profits – The change in the law to allow non-profits the same right to process data and conduct direct marketing as for-profits was lost from the old bill. There is a campaign to bring it back, under the unhelpful term ‘soft opt in’.
The ICO has called for additional clarity on automated decision making, legitimate interests and transfers of personal data to third countries, so in the passage of the Bill there may be more changes.
It is hoped that the Bill will encourage better use of personal data. The smart data scheme is the same as was proposed in the last bill, but it goes beyond banking to include telecoms, and this greater portability of data could be useful. Under the smart data schemes, the UK Treasury can require data on customers to be collected, shared via specific APIs, and regulations on data portability are expected. Wider permission to research using customer data is expected and this could be beneficial for many businesses.
The Government believes the new law will also help with compliance and anti-fraud measures by removing barriers to sharing personal data with law enforcement on a legitimate interest basis, for example.
If you have questions or concerns about the Bill, please contact James Tumbridge and Robert Peake.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.