On 19 June, the Data (Use and Access) Act finally received royal assent. This was the latest and perhaps most significant moment in a long and sometimes tortuous journey to bring about changes to the UK’s data protection laws. In many ways, that journey is more interesting than the reforms themselves, which are likely to have relatively minor impacts for most organisations.
In fact, proposals to amend the UK’s data protection laws have been discussed for almost a decade, predating the implementation of the last major set of reforms.
Think back to the spring of 2016. At an EU level, the General Data Protection Regulation (GDPR) had recently been agreed, with a two-year implementation period, meaning it would take effect in May 2018. And then the Brexit referendum was called.
Data protection had a relatively high profile during the referendum. Leave campaigners cited the GDPR as a topical example of ‘costly Brussels red tape’ that could be slashed if the UK were to leave the EU, saving UK businesses billions.
Making wholesale changes to the GDPR remained an aspiration for the Brexit governments that followed. Following a white paper published in 2021, Boris Johnson’s government brought forward detailed proposals in a new Data Protection and Digital Information Bill. This was withdrawn and then reintroduced in a slightly different form in 2023 under Rishi Sunak. The Bill had passed the House of Commons and was making its way through the House of Lords when the 2024 general election was unexpectedly called. The dissolution of Parliament meant that the Bill never became law.
Not to be deterred, the incoming Labour government announced its own proposals for reform in the King’s speech in July 2024. The new bill, which was to eventually become the Data (Use and Access) Act, was introduced in October 2024. The data protection reforms contained within it were much less ambitious than its predecessors, involving a series of minor changes to the existing rules, some of which were lifted directly from the previous unsuccessful bills.
Given the huge Labour majority and the relatively subtle nature of the changes being proposed, most commentators expected the bill to pass without controversy. However, the House of Lords had other ideas.
The bill became a convenient vehicle for the Lords to articulate their concerns about the growth of artificial intelligence, repeatedly inserting amendments into the bill to protect copyright works and the creative industries. Without denying the importance of the issue, the government argued that the bill was not the appropriate place for such provisions. A parliamentary stand-off ensued, delaying the bill by some months. There was even speculation that the bill might fall. But on 11 June, the Lords backed down, allowing the bill to proceed to royal assent.
So what changes to data protection law can we expect to see from the Data (Use and Access) Act?
The Act works by amending the three existing instruments that make up the UK’s data protection laws: the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations. It includes a series of changes, many of which are technical in nature and likely to have only minor effects for most organisations. This certainly isn’t the major reform Leave campaigners had in mind in 2016, or even the slightly more nuanced proposals introduced by the Johnson and Sunak governments.
That’s not to say that the reforms aren’t important. Organisations that process personal data will need to be aware of the changes and prepare accordingly.
One potentially helpful change that will apply to most organisations is the insertion of a new lawful basis of ‘recognised legitimate interests’ into Article 6 of the UK GDPR. This new lawful basis will apply where processing of personal data is necessary for one or more of the circumstances listed in a new Annex to the UK GDPR, contained in Schedule 4 of the Act. These include national security, crime prevention/detection and the safeguarding of vulnerable individuals. This should make such processing slightly more straightforward, although organisations will still need to consider whether the processing is ‘necessary’.
There are also changes to the rules around automated decision making, intended to make it easier for organisations to employ such decision making, likely in the context of AI, while retaining some safeguards. We’ll have to wait and see what difference, if any, these changes are likely to make in practice.
Other changes are likely to have a greater impact in some sectors than others. For instance, organisations carrying out scientific research using personal data have had to navigate complex rules. The Act consolidates and simplifies some of these rules and is likely to reduce, but certainly not eliminate, the compliance burden on scientific research activity.
Likewise, amendments to the Privacy and Electronic Communications Regulations extend the circumstances in which charities can carry out campaigning and fundraising activities without first obtaining the recipient’s consent. This won’t mean a free-for-all, but it should prompt charities to review how they currently use their supporters’ personal data. And unscrupulous companies already operating in breach of the Regulations should be aware that the Information Commissioner’s enforcement powers will be brought into line with those under the UK GDPR, potentially meaning significantly higher fines for wrongdoing.
The Act also writes into law some elements that were previously found only in the recitals of the UK GDPR or developed by case law, and clarifies other elements. Whilst this is a useful ‘tidying up’ of the law, these changes are likely to have limited impact.
But just as significant is what isn’t changing. The data protection principles, lawful bases and individual rights remain largely unchanged. And, unlike previous proposals, there are no major changes to the accountability obligations on controllers and processors. For most organisations, the impact of the Data (Use and Access) Act will be distinctly underwhelming.