The new UK data law is good, but could be much better – Center for Data Innovation

The UK government has introduced the Data (Use and Access) (DUA) Bill to Parliament, which aims to enable AI and data-driven public services. This legislation partially revives the previous government’s Data Protection and Digital Information Bill (DPDI), which sought to reform the UK’s Data Protection Act (DPA) – the domestic implementation of the EU’s General Data Protection Regulation (GDPR). While the DUA Bill represents a step towards GDPR reform, the UK’s post-EU freedoms offer an opportunity for bolder change. In particular, two key provisions of the old DPDI Bill should be adopted, which would tighten the definition of personal data and better align the priorities of the government and the Information Commissioner’s Office (ICO).

The new data law incorporates several provisions of its predecessor, including:

  1. Requiring companies to grant third parties access to data via standardized APIs or other technical interfaces.
  2. Setting standards for digital identity verification on online platforms to pave the way for digital IDs.
  3. Developing a digital map of underground physical assets such as water pipes, telecommunications cables and power lines to improve safety, planning and maintenance.
  4. Replacing the ICO, currently led by a single commissioner, with the Information Commission, led by a board.
  5. Expanding and clarifying the processing of personal data, streamlining consent, facilitating cooperation between authorities and setting rules for international data transfers – all to make data processing for research easier.

However, two key provisions of the DPDI Bill are notably missing from the DUA Bill, reducing its potential impact on data processing reform.

First, the DUA bill does not contain the changes to the definition of personal data proposed in the DPDI bill, which would have introduced a clearer distinction between directly and indirectly identifiable information. The DPDI “reasonable means” test would have raised the threshold for what counts as personal data by taking into account the processor’s time, effort and resources required for re-identification. Just because data could hypothetically be identifiable does not necessarily mean that it is likely or plausible.

For example, a data processor that only stores a first and last name will typically not have enough information to identify an individual without additional data such as an IP address or cookie ID, which may require significant, possibly disproportionate, resources to obtain. A narrower definition of personal data would reduce compliance burdens while maintaining strong protections and adapting to modern data processing practices. The DUA Bill provides the new government with an opportunity to implement this important reform.

Secondly, the new bill excludes a provision that would have given the government a formal mechanism to inform the Commission’s strategic direction. This is particularly important as the ICO’s mandate prioritizes data protection over innovation.

While the government recently announced plans to establish a new Regulatory Innovation Office (RIO) “to drive economic growth through regulatory reforms that enable innovation,” the RIO alone cannot address the fundamental differences between the priorities of the regulator and the government. The UK needs formal mechanisms to align the regulator’s objectives with the government’s remit, similar to the current agreement between the government and Ofcom under the Online Safety Act 2023.

Without such a provision, the government’s long-term economic growth plans will face significant obstacles, and underfunded regulators will struggle to adopt innovative practices to increase their efficiency.

The final piece of the puzzle is adequacy – a legal framework under Article 45 of the GDPR that allows the free movement of personal data between the European Economic Area and third countries. To ensure adequacy, UK personal data protection rules must comply with the EU GDPR.

The inclusion of the missing provisions of the DPDI Bill is unlikely to jeopardize the UK’s adequacy status. The UK’s data protection principles, based on EU standards, and its regulator, the Information Commission, remain intact.

However, the new government should not be afraid to use its position and significant soft power in the technology sector to make bolder decisions. If adequacy is a barrier to a more efficient, data-driven economy, the UK should step up and go its own way. This approach would allow the UK to overtake the EU in the data economy.

Countries such as the United States and Singapore use bilateral agreements to maintain EU data flows. There is no reason why the UK cannot pursue a similar strategy or take advantage of multilateral initiatives such as the Global Cross-Border Privacy Rules.

Six years after the introduction of GDPR and DPA, people have grappled with their complexities and constraints with varying degrees of success. Now, in a post-Brexit world, the Labour government has the freedom to reinvigorate UK data laws to reflect modern practices and understanding of data innovation that respects rights.

What does a renewed UK data economy look like? The government needs to clarify this, but incorporating the missing provisions from the DPDI Bill would be a big step forward.

Photo credit: Justin Tallis/AFP/Getty Images
