This story has been updated - please see the most recent update below

On October 3, 2024, the Data (Use and Access) Bill was introduced to the UK Parliament, and thereafter passed the first reading in the House of Lords on the same day. The bill proposes several amendments to the UK data protection framework including introducing a list of 'recognized legitimate interests' for processing, and conditions where secondary processing can be considered compatible with the original purpose for which data was collected. The bill also contains new provisions for responding to data subject access requests, cookie consent requirements, and automated decision-making.

Recognized legitimate interests

The bill lists several recognized legitimate interests that can be used as the lawful basis for processing. This includes processing necessary for:

• national security, public security, and defense;
• the purposes of responding to an emergency;
• the purposes of detecting, investigating, or preventing crime; or
• the purpose of safeguarding a vulnerable individual.

Processing to be treated as compatible with the original purpose

Under the bill, processing of personal data for a new purpose is considered compatible with the original purpose for which the data was collected in certain circumstances including when processing is necessary for:

• protecting the vital interests of the data subject or another individual;
• safeguarding a vulnerable individual;
• the assessment or collection of a tax or duty or an imposition of a similar nature; or
• complying with an obligation of the controller under an enactment, a rule of law, or an order of a court or tribunal.

Responding to data subject access requests

Under the bill, controllers must respond to data subject requests within one month of the 'relevant time,' which is defined as the latest of the following:

• when the controller receives the request;
• when the controller receives any further information requested to verify the identity of the data subject; or
• when any fee charged in relation to the request is paid.

The bill provides that a controller may extend the response time by an additional two months if the requests are complex or if the data subject has made multiple requests. In the event the controller extends the response time, they must notify the data subject of the extension within the initial one-month period and provide reasons for the delay.

However, the bill provides that the data subject is only entitled to such confirmation, personal data, and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information.

Automated decision making

Notably, the bill introduces requirements and obligations for decisions that involve the automated processing of personal data. Under the bill, a decision is considered to be based solely on automated processing if there is no meaningful human involvement in making a decision with a legal or similarly significant effect on the data subject.

Under the bill, significant decisions based on the processing of special categories of data cannot be made solely by automated means unless the data subject has given explicit consent or the decision is required or authorized by law. However, the bill provides for certain exemptions for cases where automated decisions are required to avoid obstructing legal inquiries, criminal investigations, public security, or national security.

Additionally, for significant decisions based solely on automated processing, the bill requires controllers to implement safeguards to protect the rights and interests of the data subject. Among other things, these safeguards must:

• provide the data subject with information about the automated decision;
• allow the data subject to make representations about the decision;
• enable the data subject to request human intervention in the decision-making process; and
• allow the data subject to contest the decision.

International data transfers

The bill provides a data protection test that establishes the conditions that must be met to approve transfers of personal data outside of the UK to third countries or international organizations. The bill provides that the test is met if the standard of protection provided to data subjects in the third country or by the international organization is not materially lower than the protection standards in the UK. Among other things, the test requires an assessment of the third country’s or international organization's legal and cultural environment, the enforcement mechanisms in place, and the availability of redress for individuals.

ICO's statement

The Information Commissioner's Office (ICO) published a statement in response to the introduction of the bill in the House of Lords. The Information Commissioner, John Edwards, stated, "We welcome the introduction of the Data Use and Access Bill in the House of Lords and look forward to seeing it progress through parliament to Royal Assent. This is an important piece of legislation which will allow my office to continue to operate as a trusted, fair and independent regulator and provide certainty for all organisations as they innovate and promote the UK economy."

Moreover, Edwards noted that the ICO's response to the bill will be published in due course.

DSIT's statement

The Department for Science, Innovation and Technology (DSIT) issued a press release in response to the introduction of the bill. The DSIT explained that the bill has three core objectives: growing the economy, improving UK public services, and making people's lives easier. The DSIT highlighted that the bill will provide the ICO with a new structure and powers of enforcement to ensure people's personal data will be protected to high standards.

You can read the bill here, track its progress here, read the ICO's statement here, and read the DSIT's statement here.

Update: December 3, 2024

Data (Use and Access) Bill read for second time

On November 19, 2024, the bill was read for the second time by the House of Lords. The bill is expected to proceed to the committee stage on December 3, 2024.

You can read the bill here and track its progress here.