What’s the latest on the Data (Use and Access) Bill and when will UK data protection changes come into force?

The UK data protection landscape is on the verge of significant change with the Data (Use and Access) Bill. While UK GDPR continues alongside the Data Protection Act 2018 successive governments have been pushing for changes for quite some time. So, where do things currently stand with the Data (Use and Access) Bill, and when can businesses expect these changes to take effect?

The journey to change UK GDPR: The story so far

The previous Conservative government had introduced the Data Protection and Digital Information Bill (DPDI), which proposed significant alterations to UK data protection rules alongside major reforms to the Information Commissioner’s Office. The bill progressed to the final stages of the legislative process but failed to pass before Parliament was dissolved for the general election last summer. As a result, the legislation was dropped.

Under the current Labour government, a fresh attempt has been made with the Data (Use and Access) Bill, which is now making its way through Parliament. The new bill incorporates many of the ideas from its predecessor but has encountered fresh scrutiny and debate, particularly in the House of Lords.

Does DUAB pose a risk to the UK’s adequacy decision with the EU?

One of the primary concerns with the previous DPDI bill was the potential risk to the UK’s EU adequacy decision, which allows for the free flow of data between the UK and EU. Some voices in the European Parliament had warned that the changes could jeopardise this status. However, since the bill never passed, its actual impact remains unknown.

With the new Data (Use and Access) Bill, such concerns have not been as pronounced. There has been little indication from the EU that this legislation would threaten the UK’s adequacy decision, although the possibility cannot be entirely ruled out. Ultimately, the EU Commission has the final say in adequacy decisions, making this a matter of ongoing political negotiation rather than legal certainty.

Progress in parliament and key areas of debate

The bill has advanced significantly in the legislative process, having started its journey in the House of Lords. This was a strategic move by the government, allowing them to navigate initial scrutiny before facing more intense examination in the Commons. While expectations were that the bill would face minimal opposition, recent debates have proved otherwise.

A key point of contention has been the issue of artificial intelligence (AI), copyright, and intellectual property. At the end of January, the government suffered a rare defeat in the House of Lords when peers voted 145 to 126 in favour of amendments designed to strengthen copyright protections against AI scraping. These amendments, led by Crossbench peer Baroness Kidron, aim to ensure greater transparency in how intellectual property is used in AI training models.

The amendments have gained significant backing from the creative industries, including organisations like the Publishers Association, UK Music, and the Motion Picture Association. High-profile figures such as Sir Elton John and Paul McCartney have also voiced support, arguing that creators should have the ability to track and seek redress when their work is used without consent.

When will DUAB be in force?

Having passed through the Lords with these amendments, the Data (Use and Access) Bill is now at the committee stage in the House of Commons. The government must decide whether to accept the Lords’ amendments, propose a compromise, or attempt to overturn them. If the government chooses the latter route, the bill could be delayed as it is sent back to the Lords for further debate.

Aside from the AI and copyright debate, much of the bill, particularly the changes to data protection rules for businesses, has faced relatively little resistance. If progress continues smoothly, businesses can expect the bill to become law later this year, but the exact timeline will depend on how the government handles the remaining contentious issues.

Nevertheless, organisations affected by DUAB can begin to prepare now for upcoming changes in a wide variety of areas, from legitimate interest, marketing, cookies, subject access request timelines, AI and more.

For the latest on DUAB, listen to our webinar from 26 February 2025 which takes you through all of the changes you should be preparing for.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”