In October 2024, the UK government introduced the Data (Use and Access) Bill (the Data Bill) to Parliament. The Data Bill represents a third attempt by UK ministers to bring about reforms to the UK’s data protection and ePrivacy regimes. If enacted, the Data Bill will introduce changes to the existing regime, including by reducing restrictions on automated decision-making and enhancing powers for the UK’s privacy regulator. It will also lay the groundwork for new “Smart Data” schemes, which will in future require companies operating in certain industries to share data with authorized and regulated third parties.

What Is Notable About the Data Bill?

Although much may change before the Data Bill is finally passed into law, some significant points to note are:

• Reduced Restrictions on Automated Decision-Making. The Data Bill proposes to relax the UK GDPR’s current requirements when it comes to the use of automated decision-making (ADM) technologies. Under the Data Bill, ADM based on the processing of personal data would be permitted provided that safeguards are implemented, such as providing a route to contest decisions. ADM will be prohibited when based on the processing of sensitive data if that decision produces legal effects or similarly significant effects on the individual, unless the relevant individual has provided their explicit consent, the decision in question is necessary to enter into a contract or is authorized by law. This would mark a departure from the position under the UK GDPR, which provides the same restriction even when the processing is based on non-sensitive data. This will open the door for businesses operating in the UK to make wider use of ADM technologies.
• More Flexibility for Further Data Processing. The Data Bill clarifies the circumstances in which personal data collected by a controller for a particular purpose can be further processed for a new purpose without the individual’s consent; this includes where processing is carried out for a recognized scientific or historical research purpose. This will bring welcome clarification to businesses operating in the life sciences industry in particular.
• Recognized “Legitimate Interests.” The Data Bill sets out a limited list of recognized “legitimate interests” such as where processing is necessary to safeguard a vulnerable individual or to detect crime. When relying on one of these interests, controllers do not need to conduct a full balancing test against the rights and freedoms of individuals and instead only need to consider whether the proposed processing is necessary for the recognized purpose. The Data Bill also clarifies that processing for the purposes of direct marketing and intra-group data transfers can in principle amount to legitimate interests, however unlike the recognized legitimate interests, these are subject to carrying out the balancing exercise.
• Modest Changes to Data Subject Rights. The Data Bill clarifies how companies should calculate the applicable time period for responding to data subject rights requests. In short, the Data Bill codifies existing guidance stating that the timescale for responding to such requests only begins when the identity of the data subject is confirmed (if such confirmation is necessary in the circumstances). The Data Bill also clarifies that companies are required only to carry out a “reasonable and proportionate” search when responding to data subject rights requests.
• Enhancing the Powers of the Information Commissioner’s Office. The Data Bill proposes to bring the potential penalties for noncompliance with the UK cookie and marketing laws (the Privacy and Electronic Communications (EC Directive) Regulations 2003) in line with the UK GDPR. This would see the maximum potential fine increase from its current level of £500,000 to £17,500,000 or up to four percent of annual worldwide turnover. The ICO would also gain new powers to exercise in the context of investigations, including to issue interview notices
• Amendments to the Online Safety Act 2023. The Data Bill proposes to amend the Online Safety Act 2023 in order to provide Ofcom the power to require online services to retain information about deceased child users. The Data Bill also proposes to allow the Secretary of State to introduce secondary legislation requiring online platforms to provide access to information required for research into online safety issues.
• Smart Data. The Data Bill will provide officials with the ability to introduce new “Smart Data” schemes. These schemes would require in-scope companies to provide consumers with the ability to access and share their data with regulated and authorized third parties. The government aims to build on the Open Banking model and encourage the emergence of similar models across other sectors (such as energy providers).

Next Steps

The Data Bill passed its first formal reading on October 23, 2024, and now awaits its second reading in the House of Commons. It is likely that it will take several months to pass into law. We will continue to report on further developments regarding the Data Bill.

For more information, please contact Nikolaos Theodorakis, Tom Evans, or another member of the firm’s privacy and cybersecurity practice.

Claudia Chan contributed to the preparation of this Wilson Sonsini Alert.