Digital Information and Smart Data Bill and the Cyber Security and Resilience Bill
Insight
The previous government’s Data Protection and Digital Information Bill (DPDI Bill) was a notable casualty of the election. Whilst there was speculation that the Labour Government would carry the bill through parliament, it was dropped in favour of a new Digital Information and Smart Data Bill, recently renamed the Data (Use and Access) Bill (DUA Bill), which aims to “harness the power of data for economic growth, to support a modern digital government and to improve people’s lives.” The DUA Bill was introduced to Parliament on 23 October 2024.
The DUA Bill covers some similar ground to the DPDI Bill, including “targeted reform” to data protection laws such as:
- reducing restrictions on organisations’ use of automated decision making (with the use of AI systems clearly in mind);
- for subject access requests, giving a statutory basis to ICO guidance with respect in particular to the obligation on the controller to conduct a "reasonable and proportionate search" and the right for organisations to pause the timeline for responding if they need to clarify the request with the data subject;
- identifying certain processing activities as "recognised legitimate interests"; and
- removing the consent requirement to use first party tracking technologies on websites for analytical purposes.
However, the DUA Bill differs from the DPDI Bill by not relaxing obligations on data controllers to: maintain records of processing; conduct data protection impact assessments; and appoint data protection officers and (for overseas organisations) appoint UK representatives. Furthermore, the planned extension of the "soft opt-in" in the DPDI Bill, which would have allowed political parties and charities to send direct marketing without the recipient’s consent, will not be enacted.
Other key points from the DUA Bill include:
- additional obligations on controllers to implement complaints handling procedures, including providing a complaints form and responding to complaints within 30 days;
- an increase in the maximum fine for PECR breaches (relevant in respect of compliance breaches concerning cookie consent and electronic direct marketing) which will rise from £500k to the same levels permitted by UK GDPR (the greater of £17.5m or 4% of a company's annual worldwide turnover); and
- the creation of the "Information Commission" which aims to modernise and strengthen the ICO by replacing it with a structure more aligned with other national regulatory bodies. The new body would have more powers to request documents (as well as information) and interview people.
The DUA Bill also seeks to encourage innovative uses of data to boost investment and production. One of these measures is the proposed establishment of "Digital Verification Services" which will involve the introduction of a statutory framework for certified providers to supply digital identity products that will assist the checks involved when buying age-restricted goods and services.
The King’s Speech also referred to a new Cyber Security and Resilience Bill to “ensure that more essential digital services than ever before are protected”. It is currently unclear which new services will be covered by the regulations, but recent attacks on the NHS were heavily cited in the King’s Speech. The current Network and Information Systems (NIS) Regulations 2018 (which are retained EU law) have been replaced in the EU by the NIS2 Directive, accompanied by the Cyber Resilience Act, which regulates the security of products with a digital element. Any updates to UK legislation are likely to reflect these EU standards.
We will keep you updated on progress as the DUA Bill makes its way through parliament.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, January 2025