The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data (Use and Access) Bill – a happy medium?

29 October 2024

The Government has introduced the Data (Use and Access) Bill into the House of Lords. This reintroduces many – though not all – of the provisions of the Data Protection and Digital Information Bill advanced by the last Government, which fell with the dissolution of Parliament prior to the General Election in July.

The draft Bill is obviously not in its final form. A number of its provisions are sensible and technical tidying up exercises that probably should have happened sooner after introduction of the GDPR and Data Protection Act in 2018 – for example, the introduction of a legal professional privilege exemption to data subject access requests under Part 3 DPA, the possibility of joint controller arrangements between competent authorities and intelligence services that span Part 3 and Part 4 processing, and clarifications relating to the meaning of scientific research.

Other elements are more wide-ranging. There will be statutory guidance on what ‘compatible’ means for the purpose limitation principle in Art 5(1)(b). Article 6 UK GDPR is going to be amended to provide more guidance on what can constitute a legitimate interest. Much of what is usual practice in responding to DSARs will be put on a statutory footing – such as delaying the period to respond until the requester has confirmed their identity, limiting searches to what is reasonable and proportionate, and permitting a court dealing with a claim about a DSAR to look at withheld material without it having to be disclosed to the requester (a return to the statute books for the approach set out s.15(2) Data Protection Act 1998, but which had to be inferred from the original 2018 Act’s provisions: see X v The Transcription Service [2023] EWHC 1092 (KB)). There would also be more scope for controllers to require requesters to specify which information or processing activities a DSAR relates to, rather than simply requesting ‘all personal data’.

But many of the more controversial elements of the DPDI Bill have been dropped, such as abolition (for some data controllers) of the requirement to have a DPO, to conduct DPIAs and to maintain records of processing.

Any change to the data protection legislation seems inevitably to attract enormous amounts of attention, both from those concerned that privacy rights are being diluted, and those concerned that more red tape is being festooned around business, charities and public bodies. The upcoming review of the EU’s adequacy decision as regards the UK’s data protection regime in 2025 is likely to turbo-charge that debate. We look forward to returning to this Bill in future editions as it passes through Parliament, and delving into some of the technical detail. But, on balance and at first glance, this seems to be a sensible compromise – some of the eyebrow-raising elements of the DPDI Bill jettisoned, but a lot of the necessary tweaks and adjustments to the 2018 Act and UK GDPR retained. Sticking our necks out, it seems unlikely that this Bill is going to upset the horses as regards EU adequacy, certainly as compared to the risk that the DPDI Bill would have done.

Further reading: text of Data Use & Access Bill

The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.

Visit the Information Law, Data Protection and AI area

Search The Data Brief

Affiliations

 

Affiliations

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Portfolio
Title Type CV Email

Remove All

Download


Click here to share this shortlist.
(It will expire after 30 days.)