A new data bill from the U.K. Department for Science, Innovation and Technology (DSIT) aims to revive several measures that failed to pass under the prior government, while rowing back on some controversial post-Brexit reforms proposed by Conservative ministers.
The government reckons the “Data (Use and Access) Bill” (DUA) stands to boost the U.K. economy by £10 billion by unlocking major public sector efficiency savings. These savings would result from streamlining the rules for sharing information across domains such as healthcare and law enforcement.
The legislation also concerns digital identity and verification, expanding “smart data schemes” (akin to open banking), mapping of underground infrastructure, digitizing the birth and death registry, and enabling access to data held by online platforms.
“With laws that help us to use data securely and effectively, this Bill will help us boost the U.K.’s economy, free up vital time for our front-line workers, and relieve people from unnecessary admin so that they can get on with their lives,” technology secretary Peter Kyle said in a statement.
Data access around online risks
Much of the bill seems to have been carried over from the Conservative government’s planned data reforms — such as a plan to simplify cookie consent by letting sites process people’s data for analytics without consent. But one notable addition is a plan to force online service providers to retain information related to the deaths of minors using their services.
This looks to be a response to cases of parents facing lengthy fights to gain access to their children’s social media accounts following suicides.
Also notable is a provision to legislate to allow online safety researchers access to data. Here, the U.K. appears to be copying the European Union, as the bloc’s Digital Services Act mandates major platforms to facilitate researchers’ access to their data.
The U.K. has often lagged behind the EU on digital regulation, so tacking a data access provision on to the data bill looks like an attempt to catch up. It would also bolster the prospects of the Online Safety Act, which U.K. ministers finally passed last fall.
Eye on adequacy
Elsewhere, the new bill rows back on some controversial changes the last government proposed for amending the country’s General Data Protection Regulation (GDPR).
Ministers are likely keen to avoid failing the EU’s upcoming review (in 2025) of its adequacy decision that was granted in 2021. That decision allowed the data of any EU users that U.K. businesses held to continue flowing into the country for processing.
“The European Commission will be relieved that the Bill doesn’t take forward the Conservatives’ proposals to limit the application of ROPAs [record of processing activities], DPIAs [data protection impact assessments] and DPOs [data protection officers] or seek to undercut the independence of the ICO [Information Commissioner’s Office],” said Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy & cybersecurity practice.
“Its expansion of the GDPR’s provisions on legitimate interests and purpose limitation also aren’t likely to trouble the upcoming adequacy renewal process,” he added.
Automated decisions
Digital rights organization Open Rights Group (ORG) had a less positive assessment of the revived bill, warning it “will fail to protect the public from AI harms.” The ORG said the bill limits people’s rights over automated decisions that have a legal or significant effect on them to only special category data (not personal data).
“This means organisations can use automated decisions to make life-changing decisions — such as firing workers, calculating wages, deciding on visa and benefits applications,” ORG said. “It also gives the Secretary of State the right to outright exempt automated decision-making systems from data protection safeguards regardless of the risk they pose to the public.”
ORG also highlighted “new loopholes” that could weaken data rights by allowing companies to spin out responding to data requests by asking individuals for more information. And it warned the revived bill still allows for “data grabs of our personal information under the guise of ‘research’.”
“The Data Use and Access Bill weakens our rights and gives companies and organisations more powers to use automated decisions. This is of particular concern in areas of policing, welfare and immigration, where life-changing decisions could be made without human review,” said ORG’s legal and policy officer, Mariano delli Santi, in a statement.
ICO
ORG stressed that the revived bill still gives powers to the government that could undermine the independence of the ICO.
However, Richard Cumbley, a partner at law firm Linklaters’ technology, media and telecommunications division, flagged a change that would limit the ICO to a six-month period to wrap up fining investigations. That, he suggested, could tackle the problem of ICO probes being drawn out for years.
Privacy notices
Also putting out an early take on the new government’s first bite at GDPR reform, Jon Baines, a senior data protection specialist at law firm Mishcon de Reya, highlighted planned changes to privacy notices that could be controversial.
“The DUA Bill proposes that the obligation to give a privacy notice to data subjects from whom data is directly collected will not apply to the extent that providing it ‘is impossible or would involve a disproportionate effort’,” he said in a blog post. He noted some of the examples given in the bill include “the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing.”
“Similar wording is proposed for the Article 14 case where personal data is collected but not directly from the data subject. It seems likely that if these clauses are enacted, the obligation on data controllers to notify data subjects of processing will be greatly reduced. Correspondingly, these clauses are likely to be highly controversial, and subject to parliamentary debate,” he added.
Data consent regulations
The bill also proposes amendments to the Privacy and Electronic Communications Regulations (PECR), which regulates marketing communications and issues like requiring cookie consent.
“Pixel tracking and device finger-printing are clearly brought on to the same footing as cookies, restricting a perceived loophole widely used by online marketers to avoid cookie rules,” Linklater’s Cumbley told TechCrunch.
In his blog post, Mishcon de Reya’s Baines flagged the reappearance of the previous government’s proposal to permit the use of first-party cookies (and similar tracking technology) for website analytics without requiring users’ consent. He also noted the revival of a proposal to increase the potential fine for PECR infringements to U.K. GDPR levels (aka £17.5m for the most serious infringements).
Baines also pointed to another change that could help the ICO crack down on senders of speculative spam. The bill would allow for spam that was not received by anyone to count as potentially offending communications, and therefore would be enforceable against.
