The U.K.'s latest proposal to amend the U.K. General Data Protection Regulation marks another try at modernizing approaches to regulate data processing, automated decision-making technology and international data transfers. It's the third attempt at data reform in as many years by the U.K. government as the Labour Party tries its hand at getting updates finalized.

The proposed Data Use and Access Bill, introduced by the U.K. Department for Science, Innovation and Technology, has undergone feedback from the U.K. Information Commissioner's Office and sits with the House of Lords in the committee stage as of 3 Dec. The ICO is receptive to the current proposal and provisions to grant the regulator additional enforcement resources, which will help ensure data breach reporting standards are consistent between the Privacy and Electronic Communications Regulations and the U.K. GDPR.

During a recent IAPP LinkedIn Live, ICO Regulatory Policy Deputy Commissioner Emily Keaney said the agency believes the bill "strikes a really good balance between ensuring that we can process data in ways that deliver a lot of the benefits, benefits that accrue to all of us as people who use businesses, as consumers, but also as citizens," while also maintaining protections around the use of data.

Industry impact

The proposed bill has implications for various critical industries, including the health and financial sectors. DSIT Head of Data Protection Policy Deputy Director Owen Rowland said the bill will "harness the power of data for economic growth" by protecting consumer privacy while supporting effective data sharing.

The reforms grant the secretary of state powers over the use of special categories of personal data such as sensitive data with potential ethical concerns. The provisions enlist additional measures for data sharing in research, to ensure researchers have access to data categorized as special. While the DUA does not broaden provisions involving data sharing regarding research, it makes some "important clarifications" to researchers' right to "seek broad consent to related areas of scientific research," Rowland said.

With artificial intelligence development on the rise, organizations' use of automated decision-making technology is also addressed in the bill. The proposal attempts to build on existing regulations within the U.K. GDPR that allow individuals the right to push back against technology that makes decisions about them. Rowland said the proposed changes broaden the legal basis for the use of automated decision-making technology while striking "the right balance between promoting growth and innovation whilst maintaining high data protection standards."

The modernization of rules around ADMT will continue to allow consumers to challenge decisions made about them and ensure consumers' sensitive personal data is safeguarded.

Rowland said promoting innovation while boosting data security efforts to improve public trust is "more important than ever, particularly as we see in relation to the interplay of the data protection regime and the development of AI."

The European Commission is set to review the U.K.'s data protection standards in June 2025 as part of their 2021 adequacy agreement. The DUA bill could bolster consumer protection and address potential privacy concerns, with Rowland noting DSIT believes the approach is on a "good trajectory" to ensure the U.K.'s adequacy decision is renewed.

ICO enforcement changes

The proposed reforms would involve changes to the ICO's enforcement framework, allowing the regulator to continue its work as an independent agency while taking on a different structure. If the bill is passed, the ICO would move from its corporate structure to a "traditional chair, CEO, and board model," according to the ICO's Keaney. She added, "We think that’s important because it will give us just that additional kind of resilience that we need."

In addition to its work assessing data protection compliance, the ICO would take on secondary duties including technology innovation and public safety while continuing to address children’s privacy concerns. This initiative aims to promote a cohesive regulatory environment with other U.K. regulators to ensure individuals' privacy remains a priority while continuing to adapt to the evolving digital landscape.

The increased powers of the ICO could make it easier for the agency to conduct investigations surrounding organizational compliance with privacy laws and data security incidents. The provisions would secure the ICO the ability to "require an organization to conduct and provide us with a technical report at their expense," Keaney said.

She also indicated that, while the ICO will continue to work to adapt to growing regulatory challenges, its priorities to protect individuals' data will remain the same.

"Regardless of whether you're thinking about it in the context of AI or you're thinking about it in the context of data breaches, personal data at its heart is the story that all of us have about each of our lives," Keaney said. "It's really important … that the people who get access to that data treat it responsibly and with the kind of care and attention that it requires."

Lexie White is a staff writer for the IAPP.