Spotlight: The UK Data Use and Access Bill and the UK General Data Protection Regulation
- christopherstevens3
- Jan 5

I review numerous “Outside Counsel Guidelines” and vendor agreements daily to ensure my organization’s compliance with global data privacy and global data protection cross-border data transfer requirements. It operates in ten different jurisdictions globally. I work closely with my organization’s Data Protection Officer, other attorneys, business owners, clients, and vendors to draft the appropriate cross-border data processing agreements that accompany these agreements. I am constantly reviewing amended and new data protection laws and regulations to remain apprised of new compliance requirements.
I am paying particular attention to the proposed United Kingdom’s (UK) Data Use and Access Bill (UK DUA Bill) to determine how it might impact cross-border transfers from the UK to the US (in addition to the EU-US Data Privacy Framework (DPF) and the UK Extension to the EU-US DPF). The proposed UK DUA Bill replaces its predecessor, the “Data Protection and Digital Information No. 2 Bill.” The UK DUA Bill introduces reforms to the existing UK General Data Protection Regulation (UK GDPR), aligning it closely with the UK’s post-Brexit objectives to tailor the UK data protection framework to domestic needs while retaining high data protection standards. Below is a comparison of the UK DUA Bill and the current UK GDPR (also see Appendix 1):
1. Scope and Objectives
UK GDPR: Focuses on comprehensive data protection for individuals, providing strong privacy rights and ensuring the free flow of data across sectors, modeled closely on the EU GDPR framework.
UK DUA Bill: Broadens its focus to facilitate innovation and economic growth. It prioritizes enabling safe data sharing and better access, especially in the public sector and regulated markets like healthcare and energy.
2. Individual Freedoms and Rights
UK GDPR: Grants rights such as access, rectification, erasure, data portability, and the right to object to processing.
UK DUA Bill: Retains these rights but introduces specific provisions for digital identity verification and Smart Data initiatives, allowing consumers greater control and secure sharing of their personal data across service providers.
3. Data Processing Principles
UK GDPR: Mandates strict adherence to principles like data minimization, purpose limitation, and accountability.
UK DUA Bill: Maintains these principles but emphasizes proportionality in compliance. For example, smaller organizations may benefit from lighter obligations, reducing administrative burdens while maintaining high protection standards.
4. Enforcement and Regulation
UK GDPR: The Information Commissioner’s Office (ICO) enforces compliance, with substantial fines for violations (up to £17.5 million or 4% of annual global turnover).
UK DUA Bill: Proposes reforms to the ICO, granting it greater flexibility in enforcement, including tailored sanctions and incentives to encourage best practices. Additionally, it seeks to streamline its structure to oversee cases more efficiently.
5. Data Sharing
UK GDPR: Restricts data sharing to specific purposes, with robust safeguards to prevent misuse.
UK DUA Bill: Introduces provisions to facilitate public sector data sharing, enhancing efficiency in public services while embedding safeguards to protect individual freedoms and rights. This includes sharing sensitive medical and energy usage data for innovation and research purposes.
6. Innovation and Technology
UK GDPR: Encourages data protection by design and default but lacks specific frameworks for emerging technologies like digital identities or Smart Data.
UK DUA Bill: Establishes a statutory framework for Digital Identity Verification Services (DVS) and expands Smart Data schemes, enabling consumers to securely transfer their data between competing service providers.
7. International Data Transfers
UK GDPR: Maintains adequacy agreements with the EU and restricts data transfers to countries without equivalent protections.
UK DUA Bill: Aims to balance the UK’s ability to strike new data adequacy agreements independently while maintaining its adequacy status with the EU.
8. Impact on Businesses
UK GDPR: Imposes significant compliance requirements, particularly for SMEs.
UK DUA Bill: Proposes streamlined compliance measures for SMEs to reduce burdens, fostering innovation while retaining fundamental protections.
9. Summary: While the UK GDPR emphasizes strict data protection modeled after the EU GDPR, the proposed UK DUA Bill seeks to enhance flexibility and innovation. It retains the core privacy rights of UK GDPR, while introducing proposed reforms to improve data sharing, to facilitate technological advancement, and to reduce regulatory burdens on UK businesses. The challenge lies in ensuring these changes do not dilute UK data protection compliance requirements, particularly in maintaining its adequacy designation with the EU.
10. Questions:
· How might the proposed UK DUA Bill strengthen individual freedoms and rights by balancing innovative data use with enhanced data protections, and what specific new rights or mechanisms will be introduced for UK data subjects?
· In what ways might the proposed UK DUA Bill enable UK businesses to engage more effectively in global trade while ensuring compliance with global data protection laws and frameworks?
· How might the proposed UK DUA Bill’s reforms influence the EU Commission’s 2025 review of the UK’s adequacy status, and what steps can the UK take to preserve its adequacy designation?
Appendix 1: Comparative Analysis: UK DUA vs. UK GDPR

Topic | UK GDPR | UK DUA |
--- | --- | --- |
Scope and Objectives | Comprehensive data protection with a focus on privacy rights and free data flow, modeled on EU GDPR. | Facilitates data sharing, innovation, and economic growth while retaining core privacy principles. |
Individual Rights | Provides rights such as access, rectification, erasure, portability, and objection to processing. | Retains UK GDPR rights but adds provisions for digital identity verification and Smart Data initiatives, enabling secure data sharing and consumer empowerment. |
Data Processing Principles | Enforces strict principles of minimization, purpose limitation, transparency, and accountability. | Retains core principles but introduces flexibility for SMEs to reduce compliance burdens, encouraging proportionate adherence. |
Enforcement and Regulation | ICO enforces compliance with substantial fines (up to £17.5 million or 4% of global turnover). | Proposes ICO reforms for greater flexibility in enforcement, streamlined structure, and tailored sanctions to encourage compliance and innovation. |
Data Sharing | Data sharing is restricted to specified purposes with robust safeguards. | Expands public sector data sharing to improve services (e.g., healthcare, energy), with privacy safeguards embedded to protect individual rights. |
Innovation and Technology | Encourages data protection by design and default but lacks specific frameworks for technologies like digital identity verification. | Establishes frameworks for Digital Identity Verification Services (DVS) and expands Smart Data schemes to enhance interoperability and consumer control. |
International Data Transfers | Maintains EU adequacy status, ensuring compliance with GDPR-equivalent standards for international data transfers. | Balances maintaining EU adequacy with enabling independent adequacy agreements, fostering international trade and cooperation. |
Impact on Businesses | Imposes significant compliance burdens, particularly on small and medium enterprises (SMEs). | Simplifies compliance for SMEs, reducing costs and administrative burdens while maintaining robust protections. |
UK ICO Enhanced Roles and Responsibilities | The ICO acts as an independent authority tasked with enforcing data protection laws, handling complaints, and issuing penalties for non-compliance. | Introducing incentives for organizations to adopt best practices (e.g., certification schemes or regulatory sandboxes). The ability to issue tailored sanctions rather than relying solely on heavy fines. |