What is it and what will it do?
The Data Use and Access Bill was recently introduced into the House of Lords. This means it is not yet law, but it could become law. The Data Use and Access Bill follows on from the now-expired Data Protection and Digital Information Bill, which unsuccessfully attempted to pass through the UK’s Parliament during tumultuous times for the lobbying of data protection laws in the UK.
The purpose of the Data Use and Access Bill is to amend parts of the UK GDPR and the UK Data Protection Act 2018. More than anything else, the amendments set out more specific guidance on existing principles. Although the changes are often not transformative of the substantive laws, the Bill still marks a divergence from Continental Europe.
This new Bill codifies existing principles and jurisprudence from the European Court of Justice. As such, unlike the previous Data Protection and Digital Information Bill, there are now no concerns that the amendments to the UK GDPR will cause the UK to lose its adequacy status.
Here are a few amendments that we see in the Data Use and Access Bill:
- Purpose limitation – Personal data may only be processed for a new purpose if that new purpose is consistent with the existing purpose. The Bill provides further guidance to assist in determining whether a further use for processing personal data is consistent with the original use. It helpfully provides a few examples.
- Legitimate interests – The Bill provides several examples of what are valid legitimate interests, including direct marketing, intra-group transmission of data for internal administrative purposes, and security of network and information systems.
- International transfers – As is already the case, the Secretary of State can designate countries that have adequate data protection regulations, which means it is easier for organizations to transfer personal data to those countries (thus being able to avoid the need to implement Standard Contractual Clauses). The general principles around Standard Contractual Clauses and Binding Corporate Rules remain more or less as they currently are.
- Automated decision making – When a decision affecting a person’s rights is made completely by an automated decision process, there must be safeguards in place. The Bill specifies some practical guidance as to the minimums of the safeguards, such as providing information to the data subject, enabling representations to be made by the data subject, and allowing the decision to be contested.
- Subject Access Requests – The Bill essentially embodies existing principles.
- UK Government’s “Trust Framework” – The Bill sets out a regime for Digital Verification Services. There will be a register of DVS services, and there is likely to be a Trust Mark to designate the DVS services that are properly registered. The Secretary of State will set this regime out in greater detail in Regulations.
Get in contact with us if you would like to know more about the Data Use and Access Bill, or if you want to know about any other data protection regulations. We can help you ensure compliance or design your data protection program.