Update on the Data (Use and Access) Bill

In our article, Data Use and Access Bill – how will it impact business and their dealings with Data Protection, we set out the changes that the Data (Use and Access) Bill (DUAB) would make to the data protection regime in the UK. The DUAB has now reached the House of Commons Report stage before its third and final reading in the House of Commons, after which it will become legislation. We will highlight in this article what changes have been made to the DUAB since the early stages of the Bill.

Changes by the House of Lords

As the DUAB started as a Bill in the House of Lords, the first major amendments were made by that body and so the  amendments the House of Lords made were as follows:

• The DUAB created “higher protection matters” for children within the UK General Data Protection Regulation (GDPR). This puts in place greater protections for children’s personal data.
• It also allowed the charity sector to rely on the soft opt-in for direct market that commercial organisations can currently rely on.
• The DUAB amended the Sexual Offences Act 2003 and introduced new offences relating to the creation of purported intimate images of an adult (otherwise known as sexually explicit deepfakes).
• The DUAB also created a requirement on the Information Commissioner’s Office (ICO) to regulate web-crawlers and general-purpose AI models with links to the UK, and for them comply with UK copyright law.
• The DUAB placed a requirement on the Secretary of State to make a statement on and lay plans before Parliament on web-crawlers and AI Models which may infringe copyright in creative works. It also set out plans for the creation of machine-readable digital watermark.

Changes by the House of Commons

Once the DUAB reached the House of Commons, several of the above amendments were rejected and in particular, the final two sub-bullet points were completely removed. These clauses were non-government amendments, and it appears the intention behind them was to allow creatives to assert and enforce copyright over their works against web-crawlers and AI.

Further key clauses

The House of Commons did not make any further substantial changes to the DUAB and so the Bill largely remains in the same form as passed by the House of Lords. Given the late stage the DUAB is at, it is likely that most of the major clauses will remain unchanged. Therefore, our view is that the key changes which organisations will need to anticipate are:

Data subject’s rights:

This changes the extent of the searches that organisations are required to make once they received a data subject access request. Organisations are also allowed further time to define the scope of the search before the relevant time periods are triggered under the GDPR.

Automated decision-making:

This gives greater scope for organisations to use AI when processing personal data. The clauses allow organisations to process data with no limitation on the lawful basis to use the data, subject to the required safeguards set out in the DUAB being in place. This indicates a transition to embracing AI as a technology which is more likely to process personal data in the future.

Children’s higher protection matters:

This increases the duties in relation to the protection of children’s data. It creates the concept of higher protection matters when an organisation is processing personal data while providing information society services likely to be accessed by children.

These key clauses are in addition to the ones set out in our previous article which briefly were:

• Smart Data Schemes
• Digital Verification Services
• Privacy
• Information Commissioner

Timeline for implementation

The DUAB is now in its report stage and you can track the progress of the DUAB here Data (Use and Access) Bill [HL] – Parliamentary Bills – UK Parliament.

It is difficult to estimate when the DUAB will become law. However, it is likely the DUAB will come into force in early 2026 and that there will be transitional provisions to give organisations time to implement the necessary changes.

Our data protection team will continue to monitor the DUAB and if you would like any advice on the potential changes proposed in the DUAB, please do not hesitate to contact our data privacy lawyers.