The UK government has proposed significant changes to data protection law, including to rules relevant to the use of artificial intelligence (AI) systems in decision-making processes; the use of data for the purposes of scientific research; and new rules aimed at liberalising data held by public sector organisations and businesses alike.
The Bill, in part, represents the latest effort to update data protection laws in the UK post-Brexit, following failed attempts under earlier governments. Some proposals contained in the DPDI Bill have been resurrected in the proposed Data (Use and Access) Bill (DUAB) – but others have been dropped.
Earlier proposals from the previous government’s draft that have not been carried into the DUAB include plans to curb organisations’ obligations in relation to creating and maintaining records of personal data processing activities, as well as those pertaining to conducting data protection impact assessments. Proposals that have been resurrected include those that envisage a relaxation of some existing restrictions applicable to automated decision-making, which are particularly relevant to organisations using AI systems.
The DUAB also provides for greater flexibility for commercial research and innovation by expanding the concept of ‘scientific research’ to include certain privately funded and commercial research activities.
In tandem with those proposals, the DUAB also provides for a change in the law to reduce the number of complaints reaching the UK’s data protection authority – by requiring complaints to be made first to the data controller, with escalation to the authority only if they are not satisfactorily dealt with.
Further proposed amendments are aimed at strengthening enforcement powers under the Privacy and Electronic Communications Regulations (PECR), which set out rules on direct e-marketing and on the use of cookies. Under the DUAB, GDPR-level fines could be imposed on businesses that breach PECR.
While those changes are in themselves relatively minor, they will involve some cost and administrative resource, particularly for organisations that are subject both to UK and EU GDPR, where it will be necessary to decide whether to have separate documentation for each regime – or to create a combined version. Specific changes to UK GDPR privacy notices will include the addition of wording to inform data subjects of their right to complain to the controller, with information as to how that right may be exercised.
The DUAB will, if enacted in its current form, also set out a new UK legal framework for initiatives on digital ID, smart data, and the digitising of key public registers and assets. It includes provisions that approximate to aspects of the EU Data Act in terms of access to business and customer data. It also seeks to extend the principles of open banking to other sectors, demonstrating the power of data in the economy in different sectors.
The Bill further addresses data use in the context of healthcare with provisions designed to “ensure that healthcare information – like a patient’s pre-existing conditions, appointments and tests – can easily be accessed in real time across all NHS trusts, GP surgeries and ambulance services, no matter what IT system they are using”.
- Anna Flanagan is a data privacy and cyber lawyer at Pinsent Masons in Belfast, focussing on technology and product development, along with cyber incident response and general privacy compliance