Tag: DP reform

The Data (Use and Access) Bill Ready for the Statute Books 

The Data (Use and Access) Bill has cleared the final hurdle in Parliament and will soon become the Data (Use and Access) Act 2025 following Royal Assent.  

The new Act will amend the UK GDPR as well as PECR and the Data Protection Act 2018. The key changes are summarised in our blog post here. Most of these are not particularly controversial and were in the Data Protection and Digital Information Bill  which failed to make it through Parliamentary “wash up” stage when the General Election was announced last year. 

Much of the delay to the passing of the Bill was caused by amendments proposed by Baroness Kidron in the House of Lords. She wanted more protection for artists whose data is often used to train AI models, especially Generative AI. Her amendment would have required developers to be transparent with copyright owners about using their material to train AI models. 400 British musicians, writers and artists signed a letter saying the Government’s failing to adopt the amendment would mean them “giving away” their work to tech firms. In the end Baroness Kidron, following repeated rejections of her amendment in the House of Commons during the “ping pong” stage, decided to withdraw gracefully. Expect this issue to come up again when the government eventually brings forth AI legislation as mentioned in the King’s Speech. 

We expect most of the substantive provisions to come into force a few months after commencement. Plenty of time for us to update the UK GDPR Handbook

Data protection professionals need to assess the changes to the UK data protection regime. A revised UK GDPR Handbook is now available incorporating the changes made by the DUA Act.

The King’s Speech: What now for AI regulation and Data Protection reform?

The new Labour Government’s legislative programme was outlined in the King’s Speech at the State Opening of Parliament yesterday. Here are the key Bills information governance professionals need to look out for.

An AI Bill?

Despite media reports, the King’s Speech did not include a bill to regulate artificial intelligence(AI). The King said that the government would “seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models”. Expect a government consultation to be announced soon.

However, it is likely that new AI requirements will be introduced in other forthcoming legislation e.g the Product Safety and Metrology Bill. The published summary of this bill states that it aims to “support growth, provide regulatory stability, and deliver greater protection for consumers by addressing new product risks and opportunities, allowing the UK to keep pace with technological advances such as AI.” Managing AI in the context of product safety aligns with certain aspects of the EU AI Act. (see below)

When an AI Bill does finally appear, it is likely to focus on the production of large language models (LLMs), the general-purpose technology that underpins AI products such as OpenAI’s ChatGPT and Microsoft’s Copilot. As the Labour election manifesto says:

“Labour will ensure the safe development and use of AI models by introducing binding regulation on the handful of companies developing the most powerful AI models and by banning the creation of sexually explicit deepfakes.”

Meanwhile Europe is going full speed ahead on AI regulation. The EU AI Act will be on the EU statute books on 1st August 2024 and then become enforceable in stages. (A useful summary has been produced by lawyers at Stephenson Harwood.)

Cyber Security and Resilience Bill

A new Cyber Security and Resilience Bill will be introduced. It will expand regulation to cover more digital services and supply chains, empower regulators to ensure cyber security measures and mandate increased incident reporting to improve the government’s response to cyber-attacks including where a company has been held to ransom.

The Bill seems to be a response to recent high profile cyber-attacks. In June on Synnovis, the NHS service provider responsible for blood tests, swabs, bowel tests, and other critical services was the target of an attack affecting NHS patients across six London boroughs. Two major London hospital trusts had to cancel all non-emergency operations and blood tests.  It later transpired that, Qilin, a Russian cyber-criminal group, shared almost 400GB of private information on their darknet site.   

Digital Information and Smart Data Bill

No reference was made to data protection reform in the King’s Speech, but a Digital Information and Smart Data Bill was announced. The main provisions of the new Bill are:

  • Scientists will be able to ask for broad consent to use personal data for areas of scientific research, and allow legitimate researchers doing scientific research in commercial settings to make more use of personal data.
  • The Information Commissioner’s Office (ICO) will be transformed into a “more modern regulatory structure”, with a CEO, board and chair. It will also have new stronger powers.
  • The establishing of digital verification services including digital identity products to help people quickly and securely identify themselves when they use online services e.g. to help with things like moving house, pre-employment checks and buying age restricted goods and services. This is not the same as compulsory digital ID cards as some media outlets have reported.
  • The creation of a legal framework for Smart Data. This is the secure sharing of customer data, upon the customer’s (business or consumer) request, with authorised third-party providers (ATPs) who can enhance the customer data with broader, contextual ‘business’ data. These ATPs provide the customer with innovative services to improve decision making and engagement in a market. Open Banking is the only active example of a regime that is comparable to a ‘Smart Data scheme’ – but needs a legislative framework to put it on a permanent footing, from which it can grow and expand.

Most of these proposals are not particularly controversial and were in the Data Protection and Digital Information Bill  which failed to make it through Parliamentary “wash up” stage when the election was announced.

There may be more changes to come. We are told there will be “targeted reforms to some data laws that will maintain high standards of protection but where there is currently a lack of clarity impeding the safe development and deployment of some new technologies”.

There is much to chew over for IG professionals in the King’s Speech. As ever the devil will be in the detail (the Bills when published). Interesting times ahead.

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop.