The UK's Data (Use and Access) Bill (DUA) was published on 23 October 2024, replacing the previous government's failed Data Protection and Digital Information (DPDI) Bill. The DUA Bill reforms the UK's data protection regime but much of the Bill is focused on data sharing of both personal and non-personal data more widely – an area which has also been a recent focus for the EU.
The DUA Bill gives the government the ability to pass secondary legislation to implement very broad principles relating to data sharing by businesses. The government intends to use the powers to implement smart data schemes along the line of Open Banking in other consumer and business sectors, with the aim of enabling innovation and competition. The idea is that businesses servicing consumers and businesses hold data about the service provided which gives them an inbuilt advantage in keeping customers and innovating in relation to new services.
The EU has a similar policy objective of unlocking data held by incumbent providers to encourage competition and innovation (for example, the Data Act, most of which comes into effect in September 2025, and the Financial Data Access Regulation). In this article we will compare the UK and EU developments).
In the UK, the success of the Open Banking initiative led to plans for similar smart data schemes in other regulated sectors:
- Open Finance – possible expansion of Open Banking to other financial services: mortgages, savings, investments etc
- "midata" scheme in the consumer energy sector (currently on hold)
- Open Communications in telecoms on which OFCOM has consulted
- Pensions Dashboard – which the Labour government has indicated it supports – which will aim to allow consumers to see their pension pots in a single portal.
All these proposals had the objectives of allowing easier switching between services and unlocking data so innovative add-on services can be provided.
Other than the pensions dashboard, it is not clear whether the above initiatives will be continued or changed as the Labour government has not announced its intentions. However, it seems likely that at least some of these sectors will be in scope for the detail of the implementing data sharing legislation when available. In the energy sector, for instance, rules encouraging the sharing of consumption data with trusted third parties could be used to offer recommendations on more energy-efficient use of data, which aligns with the government's climate change ambitions, as well as enabling easier switching between providers.
What does the Bill actually say about data sharing?
The DUA Bill confers very wide powers on the Treasury and the Secretary of State to require data sharing by businesses supplying goods, services or digital content in respect of two categories of data: "customer data" and "business data".
Customer data is data relating to a customer's relationship with a trader, including:
- what goods, services or digital content have been supplied
- prices and other terms of supply
- how products have been used
- their performance or quality
- information about how data is provided under the data sharing provisions.
The Bill enables the later legislation to:
- allow customers to obtain from a "data holder" the customer data – and have it given to the customer direct or to a third party selected by the customer
- oblige data holders to produce, collect or retain customer data - no doubt so that data which is desirable for a smart data scheme is actually available for sharing in the first place
- use dashboard or other online services or application programming interfaces (APIs), to facilitate data access and use.
Note the customer can be a consumer or a business and the data holder is the trader providing the goods, services or content or another organisation processing customer data.
"Business data" is defined in a similar way to customer data, but includes feedback on the goods, services or content supplied and relates to the goods, services and content generally, not in respect of a specific customer.
The obligations on data holders are similar to those relating to customer data, with the addition of the possible appointment of third parties, who may be a public authority, to make business data available to customers to whom it relates or to another category of recipients, as subsequent legislation may specify.
Note also that there is no restriction of these powers to specific sectors where proposals for smart data schemes were consulted on under the previous government, nor is the term 'smart data' used anywhere in the legislation. The DUA BIll permits much broader data sharing initiatives than that, but the government factsheet accompanying the Bill indicates that it is the policy intent to create new data schemes (although no specific sector is mentioned).
How does the UK's approach compare to the EU's?
There are three main elements of the EU's push for more open data although it’s also worth noting the creation of Common European Data Spaces which enable cross-border and more local data sharing within the EU in specified sectors, for example health data:
- The Data Act mainly applies as of 12 September 2025, and requires suppliers of IoT devices and related services to make data available to users and third parties nominated by them.
- The Data Governance Act is already in effect - this aims to create a framework for data sharing and governance across sectors. More specifically, it requires the wider re-use of non-personal data held by public sector bodies, aims to improve the sharing of data through new "data intermediaries" and encourages data sharing by companies and others for altruistic purposes.
- The Financial Data Access Regulation is still in discussion within the EU, and aims to build on the Payment Services Directive and require wide data sharing at a customer's request of data relating to a broad range of financial services.
As the Financial Data Access regulation is not yet law, and the Data Governance Act impacts public sector data, we will focus here on a comparison with the Data Act.
With the DUA Bill, we have a broad framework the government can use to implement almost any variation of mandatory data sharing. The expectation is that that they will use it to put new data schemes along the lines of Open Banking on a statutory footing.
With the EU Data Act, we know what we are getting: the detail is already in the legislation itself, albeit with some grey areas to be fleshed out in guidance and case law. It is also a Regulation, so not dependent on Member States passing national legislation to implement.
The Data Act does not focus on smart data schemes in specific sectors, instead its data sharing elements are focused on "connected devices" and "related services" regardless of sector or intended use with some data export rights included in its under-reported cloud-switching provisions, which impact all cloud-based services (B2C and B2B). In other words, it impacts IoT and cloud providers specifically.
It governs how data is accessed and shared in B2C, B2B and B2G (business to government) scenarios. Its requirements impact the design of connected products, data sharing, and terms designed to ensure the interoperability of and facilitate switching between cloud services.
The Data Act requires data holders (typically the product manufacturer, seller or lessor in the case of products such as machines or devices) to provide and a right for users (whether consumer or business) to access, free of charge, the product data and related service data generated through use. Data holders must also provide pre-contractual information regarding data access.
The Data Act also creates a right for users to transfer data from connected devices and related services to third parties. The transfer of data to third parties can be charged for ("adequate compensation" is permitted) and otherwise must be carried out on fair, reasonable and non-discriminatory terms and in a transparent manner.
The legislative hope is similar – that the availability of data relating to and generated by a customer in their use of IoT devices will lead to more competition in aftersales services. Maintenance services, spare parts and consumables (like ink for printers) are key areas where manufacturers often make more attractive margins than on the sale or leasing of the product itself, and so the Data Act does represent a threat for them and an opportunity for companies wanting to enter those markets.
It is possible that manufacturers of connected devices will be caught in the EU by the Data Act and in the UK by subsequent legislation implementing the data sharing elements of the DUA Bill. For instance, if the UK government introduces a smart data scheme in the energy sector impacting the manufacturers and providers of smart meters, they would also, as of September 2025, be subject to data sharing under the Data Act for sales into the EU market. While you would expect some overlap in the design, process and documentation obligation between the EU and the UK, there is likely be enough divergence to represent material cost implications for businesses.
What to expect in the UK
The UK legislation is technically in its early stages but its predecessor, the DPDI Bill, was almost finalised before failing due to the timing of the general election. As a result, we do not expect it to change significantly prior to enactment, however, this will not greatly help businesses expecting to be impacted by data sharing requirements given that the detail will be provided under secondary legislation with little to no indication from the UK government as to what it will cover and when it will be published.