Across the Pond: On UK Data Protection Reforms
100 days into the reign of the UK’s new Labour government, the Data (Use and Access) (DUA) Bill has been introduced to Parliament. It is expected to receive Royal Assent in mid-2025.
The DUA is, in part, the government’s response to the previous Conservative government’s Data Protection & Digital Information (DPDI) Bill, which was considered in the last Parliament, but didn’t survive due to the July 4th election.
While reform of the data protection regime is included in the bill, some of the more interesting parts of the legislation relate to proposals on smart and open data, enhanced public service data sharing, and interoperable identity verification - all of which are designed to open up opportunities for the private and public sector to find efficiencies, and crucially to boost UK growth.
The politics of reform
Like much of the Western world, the UK finds itself in a very difficult fiscal and political reality. Public services haven’t fared well for at least a couple of decades, productivity is low, voters are increasingly frustrated, and yet (as Theresa May famously put it) - there remains no ‘magic money tree’ capable of solving the underlying issues.
Interestingly, unlike the rest of the world, the Labour Party’s victory puts its left of center, progressive, state-investment focused politics increasingly at odds with the growing hegemony of the new populist orthodoxy and its low tax and deregulatory economic bedfellows. For this new Labour project to work, Chancellor Rachel Reeves is gambling on one thing - growth. The DUA bill is best viewed through this pro-growth prism.
Broadly, the Bill feels pragmatic and pro-business. According to the government, the Bill aims to boost the UK economy by £10 billion through public sector efficiency savings and through opportunities for innovations in the open data and smart data sector. These models allow consumers and businesses to share information with authorized third parties, to generate personalized market comparisons and financial advice. Tech innovators should think hard about the opportunities on offer here - the third party consumer-centered open banking solutions that have proliferated over recent years may well soon be joined by similar solutions in adjacent sectors, for example consumer energy.
EU Alignment, with Relief
The failed DPDI reform was of course also an attempt at ‘pro-business’ reform, but it always felt hamstrung by its need to prove a point on Brexit. The DPDI was, in the main, about diverging from the bureaucratic EU GDPR - in line with the guiding philosophy of the previous government: the sense that divergence from Europe was an innate positive and was innately pro-growth. That approach was always risky - change for the sake of change, conflating ideas of ‘freedom’ with growth, new complexities for pan-European business, and most crucially, reform that pushed the envelope on a key cornerstone of the UK economy - the sacred free flow of data with Europe.
The DUA appears designed to better balance business efficiency and pro-growth reform with maintaining international data flows with the EU. Rather than the ‘Brexit-y’ DPDI, the DUA is a sensible attempt to balance post-Brexit independence with international data flow requirements, and let's not forget - actual individuals’ privacy protections. It certainly indicates the importance of maintaining cross-border data flows whilst also pursuing regulatory independence.
UK privacy professionals are probably all breathing a collective sigh of relief - key tools of the data protection trade are all back from the dead - the broad and accepted lexicon of the privacy programme is no longer changing in the UK, and this is also important for adequacy. As Edward Machin from Ropes & Gray commented:
"The European Commission will be relieved that the Bill doesn't take forward the Conservatives' proposals to limit the application of ROPAs, DPIAs and DPOs."
Balancing the Need for Innovation with Protection
The Bill aims to streamline business operations and drive digital innovation whilst still maintaining basic privacy protections.
Key reforms include:
- Analytics & Tracking: Simplifies cookie consent by allowing first-party cookies for analytics without explicit user consent. However, pixel tracking and device fingerprinting would now be explicitly regulated like cookies. The IAB UK has noted that cookie exemptions don’t currently include advertisement or audience measurement. However, the Department for Science, Innovation and Technology plans to launch a pre-consultation exercise on any additional potential exemptions. It would be somewhat surprising if ad-tech tracking tech is ultimately permitted without consent.
- Administrative Efficiency: Reduces the burden of privacy notices when providing them would involve "disproportionate effort", and sets a six-month limit on ICO investigations to prevent lengthy regulatory probes.
- AI and Automation: The Bill allows greater automated decision-making for significant decisions (hiring/firing, wages, visa applications), establishing limits only for special category data, not all personal data.
ICO Changes
The Bill makes changes to the Information Commissioner’s Office (ICO), which will become the Information Commission.
The Information Commissioner will have new duties to have regard to promoting innovation and competition. There is a new duty to consult with relevant regulators and others about how the Information Commission’s work may affect economic growth, innovation and competition.
This is a key change from the DPDI which sought initially to tie the ICO more closely to the government - threatening the independence of the regulator, a key tenet of EU adequacy. The new proposal treads the middle ground, maintaining ICO independence whilst asking it to have regard to UK political and economic priorities.
In a statement responding to the Bill, Information Commissioner John Edwards said:
"We welcome the introduction of the Data Use and Access Bill in the House of Lords and look forward to seeing it progress through parliament to Royal Assent. This is an important piece of legislation which will allow my office to continue to operate as a trusted, fair and independent regulator and provide certainty for all organisations as they innovate and promote the UK economy."
Other Key Updates
- A new definition has been established for “scientific research”, clarifying what constitutes research in a legal context. Alongside this, a new test has been introduced to determine the compatibility of further processing of personal data, helping organizations assess when additional uses of data are permissible.
- A significant update involves the introduction of a new set of “recognized legitimate interests.” This now confirms the validity of the legitimate interest for certain data processing activities under specific conditions, such as disclosing personal data to public authorities, protecting national security, responding to emergencies, detecting or preventing crime, and safeguarding vulnerable individuals.
- Clarifications have been made regarding the timeline for fulfilling data subject requests. To ease compliance burdens, there is now a requirement that controllers conduct only a “reasonable and proportionate” search for personal data when responding to subject access requests.
- Penalties for violating Privacy and Electronic Communications Regulations (PECR) have also been revised to align with the maximum fines under the UK GDPR, although some exceptions may apply in specific cases.
- The charity and NGO sector will be disappointed that proposals to broaden the soft opt-in to include non-profits have been dropped.
Privacy Advocate Concerns
Even with the recalibrations, skeptics remain. The Open Rights Group (ORG) has expressed concerns that certain changes, particularly around automated decision-making, could weaken individual privacy rights.
In a detailed assessment, ORG claims that the Bill will fail to protect the public from harmful uses of artificial intelligence (AI). However, the government had made manifesto commitments to regulate AI and as such we must await further information on plans in this area. And this perhaps is the overarching break from the prior reform project - Labour is seeking input and balance where it can.