Getting the balance right? The UK passes the Data (Use and Access) Bill

After a tumultuous passage between the two chambers of the UK's Parliament, the Government has now passed the Data (Use and Access) Bill. Royal assent is to be given on a date yet to be confirmed.

Progress has been delayed by attempts to use the Data Bill as a vehicle to regulate the use of copyright works by AI developers, with the House of Lords driving amendments which would have required AI companies to disclose which copyright material they have used to train their AI models and would have given the Information Commissioner’s Office (ICO) enforcement powers to allow copyright holders to pursue legal action against AI companies who have used their copyright material without consent (discussed in our recent insight here). This amendment went beyond the original proposal in the Bill that copyright holders should be able to prevent their works from being used to train AI models by ‘opting out’ (also now removed).

Having received 11,500 consultation responses on the issue of AI and copyright, the Government has indicated it wants time to consider these in detail (including whether there is a need to prepare a specific legislative response), without allowing the AI amendments to obscure or overshadow the important changes being made to the UK’s data protection legislation. It has therefore elected to defer legislating on the AI/copyright issues in the Bill. The Secretary of State for Science, Innovation and Technology instead agreed to lay a progress statement before Parliament within six months of the Bill’s enactment, outlining its progress on its report into the use of copyright works in the development of AI systems.

“The data protection changes proposed in the Bill are pragmatic and proportionate amendments to the UK regulatory landscape. They align well with the ICO’s enduring objectives and provide sufficient flexibility for us to respond effectively to the regulatory challenges and opportunities posed by the rapidly-evolving, data-driven environment we oversee.” (The Information Commissioner, October 2024)

A reminder – what are the key changes to the UK’s data protection landscape?

Of most interest to businesses are the following changes, discussed in our earlier insight:

  1. A wider category of legitimate interests recognised as a basis for the processing of personal data, with the Bill introducing a new right for the Secretary of State to amend the conditions for which processing of personal data for a legitimate interest may take place. The current balancing test which has to be performed (weighing legitimate interests against individual rights before organisations can disclose personal data) has been removed;
  2. The relaxation of some of the rules around automated decision-making, clarifying that a decision will be solely based on automated processing if there is ‘no meaningful human involvement’ in the decision-making process. However, the use of automated decision-making is still subject to conditions where it relies on special category personal data and is a ‘significant’ decision;
  3. The more flexible test for transfer of personal data to third countries, where the threshold for a permitted transfer will be met where protections afforded to data subjects are ‘not materially lower’ than those in the UK. We expect this area to be the most closely scrutinised by the EU when evaluating whether to extend the UK’s adequacy decision, as it represents a departure from the EU’s test requiring third country standards to be ‘essentially equivalent’;
  4. The additional safeguards required to be put in place for children’s personal data (given their vulnerability, especially when using online services). These will mean businesses offering information society services need to consider what additional measures need to be put in place for children’s personal data, to ensure they are protected and supported when using such services. These changes also need to be seen in the context of the UK’s Online Safety Act, which also mandates specific requirements for those offering online services to children;
  5. Changes to the process for responding to DSARs, to permit extensions to the deadline for requests where an access request is complex, as well as limiting the information to be provided in response to a data subject access request to that which can be found through a ‘reasonable and proportionate’ search; and
  6. Changes to the rules around cookies, which will require greater transparency when cookies are deployed and, subject to various conditions, will allow cookies for user security, analytics and user improvement purposes to be deployed without consent.

Businesses also need to be mindful of the higher levels of fines now available to the ICO for breaches of the Privacy of Electronic Communications Regulations (which now align with the maximum turnover-based fines capable of being levied under the UK GDPR, for both breaches of the direct marketing rules and the rules on cookies). Those conducting direct marketing should therefore re-evaluate their policies to ensure that they will not fall foul of the PECR rules, given the ICO’s continued focus on penalties for direct marketing and its interest in challenging poor practices in this area.

Situating the UK’s reforms within the wider data protection ecosystem

As the UK’s legislative timetable for the Bill slipped, the EU acted to extend the UK’s adequacy decision, which was originally set to expire in June 2025. By extending it to 27 December 2025, the EU will now take time to consider the impact of the Bill and whether it will affect the UK's status as an ‘adequate’ country for the transfer of personal data. 
