On 24 October 2024, the UK Department for Science Innovation and Technology announced new legislation to modernise the UK’s use of data and boost the UK economy.

The focus of the new Data Use and Access Bill (the “new Bill”) is not just on data protection – it covers wider topics, such as the rules for digital identity verification, minor amendments to the Online Safety Act, the National Underground Asset Registers, technical standards for IT services in health care, and others.

The data protection section is covered in part 5 and it contains some of the  changes to the data protection requirements proposed by the previous government in the Data Protection and Digital Information Bill (the “previous Bill”), which failed to pass before the general election. Please see a table showing what changes were kept from the previous Bill below. The new Bill also introduced new additions, such as the following:

  • Data Portability: The Secretary of State will be empowered to introduce provisions requiring data holders to provide customer data to a customer or third party at the customer’s request, reinforcing the data portability right afforded under the UK GDPR.
  • International transfers: the Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime was called out as the basis for transfers in reliance on international law. It is between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America.
  • Automated decision-making: there are further restrictions on automated decision-making involving sensitive processing. Such processing should be allowed only with explicit consent and the decision-making must be authorised or required by law.

The reforms should not pose any risk to the UK’s adequacy decision from the EU, which is due to be reconsidered in 2025. We expect the reforms to pass through the legislative process quickly. Businesses should monitor the Bill’s progress so that they are ready to comply with the reforms.