What to Expect from the UK’s New Data (Use and Access) Bill

The new Data (Use and Access) Bill is making its way through the parliamentary process, and is expected to be passed in the first half of 2025.

The Bill proposes to amend the UK data privacy regime to make it easier for businesses to comply with the requirements, although the changes are not as significant as previously envisaged.

A watered-down approach – the new government’s proposals

You may remember the previous government first proposed changes to the UK’s data privacy regime under the Data Protection and Digital Information Bill (which we summarised here). These changes were broad in scope and were set to reduce the compliance burden on businesses considerably. This Bill did not make it through parliament before the change of government, however, and was dropped before it was passed.

Although the new Bill largely reflects the previous version, it has been watered down, and the proposed changes are much less significant than previously expected.

Key changes to watch out for

We have outlined below the key changes employers should be looking out for.

  • Legitimate interests – UK employers that rely on legitimate interests as a lawful ground for processing ordinary personal data are required to consider whether the interests in processing personal data outweigh the rights of individuals. This “balancing test” can be perceived as complicated and risky for employers, as well as administratively burdensome. The government proposes:
    • to introduce an exhaustive list of “recognised legitimate interests” that businesses can rely on by default, without needing to complete this balancing exercise (although the list is limited to security-related interests such as prevention of a crime and national security, so will not be particularly helpful to most employers); and
    • to include a non-exhaustive list of examples that may constitute a legitimate interest, which can be updated, to assist businesses when completing this balancing exercise. Helpfully, intra-group transmission of employee data for internal administration has been added to this list, which will assist large businesses in justifying processing of this kind.

However, in most cases this balancing act will still need to be completed, so this change has a fairly limited impact on employers at this stage.

  • Automated decision-making – the government proposes to relax the restrictions on automated decision-making, so that the current restrictions apply only in relation to special category data (the list of which may be separately amended by regulation). This will be a significant shift in approach from the EU and perhaps reflects the previous intention for the UK to be “pro-innovation.” Where automated decision-making is used, safeguards will still need to be put in place, including providing information to individuals about the decisions taken and allowing them to contest these decisions.
  • Data transfers – the government proposes to relax the test for data transfers to third countries, so that these transfers are permitted where the standard of protection is “not materially lower” than that of the UK. Businesses will need to consider this test when considering appropriate safeguards to put in place before making these transfers.
  • Data subject access requests (DSARs) – although the previous government had proposed significant changes to the DSAR regime, none of these have been carried into the new Bill. The new Bill simply clarifies the existing principles in relation to timing, extensions and stopping the clock. One small difference, which may be of some comfort to employers, is that individuals must first send their complaint to the employer, and only if they are not satisfied with that response can they escalate their complaint to the UK data protection regulator, the ICO.

What about Artificial Intelligence?

The new Bill is relatively silent on AI apart from what is mentioned above in relation to automated decision-making, although we are expecting some regulation of AI under the new government. This month, the government published its AI Opportunities Action Plan, with which it hopes to “position the UK to be an AI maker,” although it is not yet clear what specific actions will come from this plan. Interestingly, a new consultation has been launched relating to AI and copyright, but this also includes consideration of the regulation of deep fakes, transparency of AI systems and labelling of generative AI outputs. It is possible that further AI regulation in the UK may follow in response to this consultation.

What about the UK’s adequacy status?

The adequacy decision granted to the UK by the EU is set to expire in June 2025, at which point the EU will consider whether it should extend the UK’s adequacy status. The government is keen for an extension of the UK’s status, which may be the reason for this considerably watered-down Bill.

Of course, if the UK’s adequacy status were removed, this would mean transfer documents would be required for transfers of data from Europe to the UK (which could be a considerable additional burden on businesses).

Next steps

As mentioned above, we expect this Bill to be passed in the first half of this year. The changes will make it easier to comply with the UK’s data privacy laws, but in general these changes are not particularly significant. The current GDPR standard will still be compliant under the new regime, and it may be that international businesses will choose to continue to comply with the current GDPR regime to harmonise their approach across the EU.
