Human resources at a click
Login
0

Update on the Data (Use and Access) Bill

  • HR Article
  • Data Protection
White office with computer and office chair

In our article, Data Use and Access Bill – how will it impact business and their dealings with Data Protection, we set out the changes that the Data (Use and Access) Bill (DUAB) would make to the data protection regime in the UK. The DUAB has now reached the House of Commons Report stage before its third and final reading in the House of Commons, after which it will become legislation. We will highlight in this article what changes have been made to the DUAB since the early stages of the Bill.

Changes by the House of Lords

As the DUAB started as a Bill in the House of Lords, the first major amendments were made by that body and so the  amendments the House of Lords made were as follows:

  • The DUAB created “higher protection matters” for children within the UK General Data Protection Regulation (GDPR). This puts in place greater protections for children’s personal data.
  • It also allowed the charity sector to rely on the soft opt-in for direct market that commercial organisations can currently rely on.
  • The DUAB amended the Sexual Offences Act 2003 and introduced new offences relating to the creation of purported intimate images of an adult (otherwise known as sexually explicit deepfakes).
  • The DUAB also created a requirement on the Information Commissioner’s Office (ICO) to regulate web-crawlers and general-purpose AI models with links to the UK, and for them comply with UK copyright law.  
  • The DUAB placed a requirement on the Secretary of State to make a statement on and lay plans before Parliament on web-crawlers and AI Models which may infringe copyright in creative works. It also set out plans for the creation of machine-readable digital watermark.

Changes by the House of Commons

Once the DUAB reached the House of Commons, several of the above amendments were rejected and in particular, the final two sub-bullet points were completely removed. These clauses were non-government amendments, and it appears the intention behind them was to allow creatives to assert and enforce copyright over their works against web-crawlers and AI.

The DUAB has now reached the House of Commons Report stage before its third and final reading in the House of Commons, after which it will become legislation.

Further key clauses

The House of Commons did not make any further substantial changes to the DUAB and so the Bill largely remains in the same form as passed by the House of Lords. Given the late stage the DUAB is at, it is likely that most of the major clauses will remain unchanged. Therefore, our view is that the key changes which organisations will need to anticipate are:

  • Data subject’s rights:

This changes the extent of the searches that organisations are required to make once they received a data subject access request. Organisations are also allowed further time to define the scope of the search before the relevant time periods are triggered under the GDPR.

  • Automated decision-making:

This gives greater scope for organisations to use AI when processing personal data. The clauses allow organisations to process data with no limitation on the lawful basis to use the data, subject to the required safeguards set out in the DUAB being in place. This indicates a transition to embracing AI as a technology which is more likely to process personal data in the future.

  • Children’s higher protection matters:

This increases the duties in relation to the protection of children’s data. It creates the concept of higher protection matters when an organisation is processing personal data while providing information society services likely to be accessed by children.

These key clauses are in addition to the ones set out in our previous article which briefly were:

  • Smart Data Schemes
  • Digital Verification Services
  • Privacy
  • Information Commissioner

Timeline for implementation

The DUAB is now in its report stage and you can track the progress of the DUAB here Data (Use and Access) Bill [HL] – Parliamentary Bills – UK Parliament.

It is difficult to estimate when the DUAB will become law. However, it is likely the DUAB will come into force in early 2026 and that there will be transitional provisions to give organisations time to implement the necessary changes.

Our data protection team will continue to monitor the DUAB and if you would like any advice on the potential changes proposed in the DUAB, please contact us or check out our Data Protection HR Resources.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.

Melanie_Pimlico
Melanie Pimenta
Associate

Related Articles

View all
White office with computer and office chair
  • Data Protection

Update on the Data (Use and Access) Bill

In our article, Data Use and Access Bill – how will it impact business and their dealings with Data Protection,...

CCTV cameras on a grey wall
  • Data Protection

Can an employer monitor employees at work?

Can an employer lawfully monitor their employee, without their knowledge, if they suspect wrongdoing? Can employers monitor employees? It’s worth...

Recent data breaches and their impact on organisations
  • Data Protection

Recent data breaches and their impact on organisations

Organisations of all sizes are susceptible to data breaches and the damage caused by these breaches, both reputationally and financially,...

Related Resources

View all

Retention of records checklist

Checklist on retention of records. Set and follow standard retention times for categories of information held on the records of...

  • Checklists
  • Data Protection

Social media policy

This social media policy covers the use of all forms of social media by employees for both business and private...

  • Policies
  • Data Protection

The legal principles factsheet

This legal principles factsheet highlights the core principles that Data Controllers and Data Processors must comply with when processing data....

  • Factsheets
  • Data Protection

Not a member? Start your membership today!

Sign up
HR Services
Insights
Employmentbuddy
Contact us
Follow us
Find us
London

5th Floor, Chancery House, 
53-64 Chancery Lane, London
WC2A 1QS

Reading

5th Floor, Thames Tower,
Station Road, Reading
RG1 1LX

Find us
London

41-44 Great Queen Street,
London, WC2B 5AD

Reading

5th Floor, Thames Tower,
Station Road, Reading RG1 1LX

Follow us
Clarkslegal is a limited liability partnership registered in England and Wales. Registered number OC308349. Regulated by the Solicitors Regulation Authority (SRA no. 403601)
Human resources at a click
Login