Data protection reforms envisaged under UK Use and Access Bill

The proposals are contained in a new Data (Use and Access) Bill (DUAB), which was presented to the British parliament on Wednesday. The bill was introduced – albeit under a different name – in the King’s Speech which followed the election of the new Labour government in July.

The bill, in part, represents the latest effort to update the UK’s data protection laws post-Brexit, after two failed attempts to do so under previous governments – the last of which saw a draft Data Protection and Digital Information (DPDI) Bill fall before it could be finalized and enacted, when Parliament broke up for the general election campaign at the end of May. Some proposals contained in the DPDI Bill have been resurrected in the DUAB, but others were abandoned.

Previous proposals that have not been included in the DUAB include plans to limit organizations’ obligations to create and maintain records of personal data processing activities, as well as those relating to carrying out data protection impact assessments. Another abandoned proposal envisaged replacing data protection officers with more limited obligations to appoint senior managers responsible for “high risk” processing. Plans to remove the need for third-country controllers or processors to appoint a UK representative have also been omitted from the DUAB.

Although some procedural changes to the rules for handling data subject access requests (DSARs) are included in the DUAB, more substantive changes that had previously been considered to alleviate cost and resource concerns related to DSARs have not been reproduced in the DUAB.

Proposals that have been resurrected include those that consider a relaxation of some existing restrictions applicable to automated decision-making, which are particularly relevant to organizations using AI systems.

The DUAB would effectively permit automated decision-making in most circumstances, provided that the organization using AI or other relevant technologies implements safeguards allowing those affected by such decisions to make representations, to obtain meaningful human intervention and to challenge decisions made by solely automated means.

Restrictive provisions, similar to those currently in force, would continue to apply where an automated decision is “important” because it has legal or similarly significant effects on an individual and is based in whole or in part on “special category” personal data, such as information concerning health, political opinions, religious or philosophical beliefs, sex life or sexual orientation. The more restrictive provisions would also apply when decisions are based on genetic data or biometric data, such as that collected for facial recognition, when used for the purpose of uniquely identifying an individual. In these cases, decisions made by solely automated means would only be permitted with the explicit consent of the person, or where the decision is necessary to enter into or perform a contract with that person, or where the decision is required or authorized by law and there is a “substantial public interest” in the decision being made.

The DUAB also provides greater flexibility for commercial research and innovation by expanding the concept of “scientific research” to include certain privately funded and commercial research activities, and not just non-commercial research as is currently the case. It also seeks to allow consent given by a data subject to the use of their data for scientific research purposes to follow a project as it evolves towards new purposes – provided that the consent complies with generally recognized ethical standards relevant to the field of research and that the data subject has the opportunity to consent to processing for only part of the research.

Other proposals in the DUAB aim to provide businesses with more clarity on when they can rely on the so-called “legitimate interests” ground to process personal data under UK data protection law. In this regard, new “recognized legitimate interests” would be specifically provided for in the law – notably for national security and defense purposes, but also to respond to emergency situations and to protect vulnerable people.

The Bill further provides that other purposes of data processing – including necessary processing for direct marketing purposes; certain sharing of data between companies in the same group for internal administrative purposes; and processing necessary for the purposes of ensuring the security of networks and information systems – “may” also be qualified as “legitimate interests” processing.

Limited powers allowing the government to update the list of “recognized legitimate interests” in the future by issuing regulations are provided for in the DUAB. Under the government’s proposals, regulations of this nature could only be adopted if approved by Parliament.

Structural changes have also been proposed to the UK’s data protection authority, with DUAB considering a transfer of functions from the current Information Commissioner – a statutory role where enforcement powers lie with one individual, currently John Edwards – to a new legal entity to be known as the Information Commission. The statutory role of the Information Commissioner is to be abolished as part of this change.

Alongside these proposals, DUAB also plans a change to the law to reduce the number of complaints made to the UK Data Protection Authority – by requiring complaints to be made first to the controller, with a referral to the authority only if they are not handled satisfactorily.

Other proposed changes aim to strengthen enforcement powers under the Privacy and Electronic Communications Regulations (PECR), which set out rules on direct electronic marketing and the use of cookies. Under the DUAB, GDPR-level fines could be imposed on companies that violate the PECR.

Data protection law expert Malcolm Dowden of Pinsent Masons said implementing the DUAB as drafted would require organizations to make certain changes to their existing privacy notices issued under the UK GDPR.

“While these changes themselves are relatively minor, they will involve costs and administrative resources, particularly for organizations subject to both the UK GDPR and the EU GDPR, where it will be necessary to decide whether to have separate documentation for each plan or create a combined version,” Dowden said. “Specific changes to the UK GDPR privacy notices will include the addition of wording informing data subjects of their right to complain to the controller, with information on how this right can be exercised.”

Anna Flanagan, also of Pinsent Masons, added: “DUAB, if passed in its current form, will also establish a new UK legal framework for initiatives on digital ID, smart data and the digitization of records and key public assets. It includes provisions that approximate certain aspects of European data law in terms of access to business and customer data. It also seeks to extend the principles of open banking to other sectors, demonstrating the power of data in the economy of different sectors. The energy sector has been specifically singled out as an important sector in this regard.”

The bill further addresses the use of data in the healthcare context with provisions designed to “ensure that health information – such as a patient’s pre-existing conditions, appointments and tests – is easily accessible in real time across all NHS trusts, GP practices and ambulance services, regardless of the IT system they use,” as the government said in a statement accompanying the publication of the DUAB. This, the government added, “will require IT providers in the health and care sector to ensure their systems meet common standards to enable sharing data across platforms” and “will free up 140,000 hours of NHS staff time each year, delivering faster patient care and potentially saving lives”.

The DUAB has been introduced in the House of Lords but will need to be approved by both the Lords and MPs in the House of Commons to become UK law. A second reading of the bill has not yet been scheduled.