24 octobre 2024
Debbie Heywood, Victoria Hordern and Chris Jeffery provide their initial impressions of the new DUA Bill.
After the Data Protection and Digital Information (DPDI) Bill failed to make it through the last Parliament ahead of the July general election, the new Labour government announced a Digital Information and Smart Data Bill in the July 2024 King's Speech. In the background briefing notes to the speech, the government said the Bill would aim to harness the power of data for economic growth. Among other things, it would establish a framework for trusted digital verification services, a national underground asset register, and smart data schemes which allow secure sharing of customer data with authorised third party providers. It would also preserve many of the reforms to the ICO's governance structure proposed under the DPDI Bill and would include “targeted reforms to some data laws….where there is currently a lack of clarity”.
The Data (Use and Access) Bill – which rejoices in the unusually memorable acronym DUA – was published and received its first reading in the House of Lords on 23 October 2024.
While many expected the government would drop the bulk of the changes to the UK GDPR proposed under the DPDI Bill, the majority, although not all of the DPDI changes remain, some in identical form and others with subtle changes. Gone, for example, are:
Changes which remain in place (although not necessarily in exactly the same way) include:
A significant addition to the data protection reforms is s74 of the DUA Bill which gives powers to the Secretary of State to make changes to the types of data classed as special category data.
The government's own press release plays down the data protection changes and focuses on the other half of the Bill. As with the DPDI Bill, the DUA Bill covers issues similar to those in the EU's Data Act, Data Governance Act (DGA) and European Health Data Space (EHDS), in ambition. Among other things it:
There was some initial disquiet expressed by the EU about the considerable discretion provided to the Secretary of State to introduce new data transfer mechanisms and extend the UK's adequacy network under the DPDI Bill, particularly as it was released prior to the agreement of the EU-US Data Privacy Framework. There were, however, no notable concerns over the general planned changes to the UK's data protection standards. The DUA Bill looks less likely still to set alarm bells ringing ahead of the Commission's review of the UK adequacy decision next year.
Equally, while businesses may welcome the moderate lightening of governance for some legitimate interest processing, additional flexibility for research and adding new adjacent purposes of processing, dropping the ability to reject vexatious data subject requests may disappoint as many businesses see the subject access right as disproportionate and easily abused.
With the rise of AI, the changes to automated decision-making are nuanced but important. In practice they would enable businesses to use automated decision-making more widely than under EU GDPR. Only where special category data is used would companies be subject to additional requirements to show consent or that the processing is required for a contract or legal compliance. Individual rights of objection and to require human intervention are preserved.
Some businesses may cautiously welcome the provisions around data sharing and digital verification while others may be concerned about the reach of access provisions, however, much of the detail will be filled out in secondary legislation so it's too early to assess the full impact. Hopefully the NHS will benefit as much as, if not more than the government intends.
The DUA Bill is in its initial stages but the DPDI Bill on which much of it was based, had progressed nearly all the way to enactment with only a few points of contention remaining before the general election. This suggests that progress should be reasonably rapid.
par Victoria Hordern
par plusieurs auteurs
par Victoria Hordern