UK Enacts Data Use and Access Regulation Bill

A new data privacy law has been enacted in the United Kingdom, updating the European data protection regulations previously adopted before the country exited the EU in 2020. This legislation marks a significant shift for the UK’s stance on data privacy while navigating its relationship with the European Union.

The Data Use and Access Bill received royal assent after extensive deliberation in Parliament over several years. This bill adjusts the General Data Protection Regulation (GDPR), which has been widely regarded as complicated. The UK government claims that the new framework will inject £10 billion into the economy over the next decade, facilitating improvements in infrastructure and fostering innovation in technology and scientific research.

Introduced by the Labour government under Prime Minister Keir Starmer in 2024, this bill aims to establish clearer guidelines on data processing for national security, criminal activity, and emergency situations. Notably, it allows these operations to occur without the need for organizations to perform assessments to validate compliance with data protection laws.

In a significant update, the legislation further enables the use of AI-driven automated decision-making processes, all while increasing penalties for non-compliance with direct marketing regulations from £500,000 to up to £17.5 million or 4% of global annual revenue, whichever is greater. Furthermore, the revised law modifies the responsibilities of the Information Commissioner’s Office (ICO) now rebranded as the Information Commission, mandating that business customers address privacy queries before they escalate concerns to the regulatory body.

Information Commissioner John Edwards previously noted that the bill would not only encourage innovation but also support businesses that rely on data across various sectors. The agency will maintain its independent status, alleviating worries that the new regulations could compromise its authority.

This regulatory change attempts to balance modernizing data laws while preserving the EU’s “adequacy” status for British data practices. The EU mandates that data handlers outside its borders provide equivalent data protection, identifying countries whose legislation meets these standards. The UK remains one of the select nations exempt from additional contractual requirements for handling European data, thus facilitating smoother transfers.

However, uncertainty lingers regarding how the EU will perceive the amendments introduced through the Data Use and Access Bill. The complexity of compliance could lead to increased operational expenses for companies, even as they seek to align with the GDPR’s fundamental tenets, suggesting potential challenges ahead in maintaining favorable EU relations.