LONDON – The UK’s Data Bill (DUAB) has passed through Parliament after much debate, especially around AI and copyright. While these discussions drew headlines, the real significance of the data bill is in how it changes the way businesses across all sectors can use and share data.
The DUAB sets up a framework that could spark faster adoption of smart data and AI in the UK. It gives researchers more freedom, should help reduce disruption from construction, makes digital verification simpler and increases the pressure on businesses to handle cookies and direct marketing correctly.
Opening Up the Data Bill
Sharing customer data between businesses to create better products and drive competition is not a new idea. Open banking brought this to UK finance, requiring big banks to let third parties access certain account data with customer approval. This led to a wave of new fintech and payment apps.
The DUAB takes this further with ‘open finance’. Data holders in areas like pensions, insurance and investments will be required to provide access to approved third parties, under strict rules. The government will be able to expand these data-sharing rules to other sectors, such as energy and telecoms.
Much like the EU Data Act, these rules mean firms in certain industries must meet clear standards and may need to work with intermediaries to support individuals’ rights to switch or move their data.
AI and Automated Decisions
Right now, UK data law generally gives people the right not to be subject to significant decisions made only by automated systems, unless they consent. The DUAB now allows automated decision-making in more situations, as long as the company using AI has safeguards in place. These include letting affected people get a human review, appeal decisions, and make their case.
Tougher rules will still apply to decisions that have a big impact and involve sensitive data, such as health or biometric data. These rules, set out in UK GDPR Article 9, cover information like genetics or political views.
The Information Commissioner’s Office (ICO) has announced it will release new guidance on AI and automated decisions within the next year.
Helping Researchers
Traditionally, UK law says people must be told exactly how their data will be used and give consent for that specific purpose. This can hold back scientific research, as projects often change and researchers have to keep going back for new consent.
The DUAB introduces more flexible consent for research. Researchers can carry out projects that change direction over time without always needing to get new approval. There was some worry in Parliament that this could give AI developers too much freedom, but the bill clarifies that ‘scientific research’ includes technology development or demonstration, as long as the activities are genuinely scientific.
Changes to Data Access Requests
People have the right to ask for copies of their data from organisations. Handling these data subject access requests (DSARs) can be costly and time-consuming for businesses.
A useful change in the DUAB is the ‘stop the clock’ rule. Now, organisations can pause the response time while they check the requester’s identity, without this delay eating into the legal time limit for responding.
Another update, effective from 1 January 2024, is that businesses only need to carry out a ‘reasonable and proportionate’ search when responding to DSARs. This follows a court case involving Mike Ashley, where a judge ruled that a government department’s search for data was too narrow.
Streamlining Digital Verification
The DUAB sets out a new legal framework for digital verification services. These are often run by third parties to help companies confirm someone’s identity or background, like when checking a job applicant’s work history.
Some confusion has surrounded the legal basis for accessing data in these services. The DUAB’s new ‘trust framework’ is designed to clear up this uncertainty.
A Register for Underground Infrastructure
The DUAB includes plans for a national register of underground assets in England, Northern Ireland and Wales. This register will show where pipes, cables and other infrastructure are buried, helping to plan road and construction work with less disruption and lower risk of accidental damage.
Details on which businesses need to submit data, what they must share and how access will work will be set out in future rules. There are concerns about this register being used by bad actors, but work on the project continues.
Tougher Rules on Cookies and Direct Marketing
Currently, breaches of UK data protection law can bring fines up to £17.5 million or 4% of global turnover, whichever is higher. But for breaking other privacy rules, like those under the Privacy and Electronic Communications Regulations (PECR)—covering cookies and direct marketing—the maximum fine is only £500,000.
The DUAB raises the ICO’s enforcement powers on cookies and marketing to match its data protection powers. This comes at a time when the ICO has expanded its checks on cookie banners and is issuing more fines for rule breaches.
The ICO also says PECR applies to all tracking technologies: not just cookies, but also beacons and device fingerprinting.
Charities will benefit as the “soft opt-in” for marketing is extended to them. Until now, only commercial firms could contact existing customers or interested people with marketing, if they followed certain rules. The extension means charities can do the same, provided they offer clear opt-out options.
The DUAB also confirms that, for UK GDPR, direct marketing counts as a “legitimate interest” when deciding if there’s a lawful reason to use personal data.
Although penalties will increase, there are still exceptions. For example, storing data on a device is allowed if it’s needed for things like security, automatic logins or emergency help, such as in connected vehicles. There is also an exception for data gathered just for statistical analysis, or to improve a service or app.
Another change gives electronic communication providers more time to report any personal data breach to the ICO. Instead of just 24 hours, they now have up to 72 hours, matching the UK GDPR standard.
When Will DUAB Take Effect?
The DUAB is expected to become law soon and will then be called the Data (Use and Access) Act. Most changes need a formal start date before taking effect. The next “common commencement date” is 1 October 2025, but some parts could start sooner.
Impact on Data Flows with the EU
The DUAB’s changes will be closely watched by EU authorities. The EU decides if the UK’s data protection standards are strong enough to allow data to be sent from the EU without extra safeguards. These so-called “adequacy decisions” are set to expire later this year, so UK businesses need to keep an eye on any updates.