Last updated: 20 Jan 2025 02:00 Posted in:
Big changes to UK data protection laws could take place in 2025, when the compatibility of those laws with equivalent legislation in the EU will be under scrutiny.
Malcolm Dowden, a Senior Practice Development Lawyer at Pinsent Masons, said the multi-faceted Data (Use and Access) Bill (DUA Bill) represents the UK Labour government’s attempt to enable data-related innovation and efficiencies in the economy in the pursuit of growth. The Bill comes after two failed attempts at reforming UK data protection law post-Brexit by the last government.
Dowden said: “The enactment of the DUA Bill, as drafted, would signal some divergence between UK and EU data protection law in some important areas – including in relation to data subjects’ rights and automated decision-making in the age of AI.
“While both the UK government and the data protection authority, the Information Commissioner’s Office (ICO), have expressed confidence that nothing in the DUA Bill risks undermining the UK’s so-called ‘adequacy’, the issue has been the focus of concern during the Bill’s House of Lords committee debates.”
He said the two adequacy decisions issued by the European Commission in respect of the UK are due to expire this summer. The Commission’s decisions, issued in June 2021, recognise the UK’s data protection framework as essentially equivalent to that of the EU and are of vital importance to enabling the free flow of personal data from the EU to the UK – which in turn is pivotal to everyday commercial operations and trade, as well as law enforcement activity.
He said: “Without the adequacy decisions being in place, organisations wishing to transfer personal data from the EU to the UK would face much greater compliance costs, owing to the significant restrictions imposed on the international transfer of personal data under EU data protection law.
“Whether or not the Commission decides to extend the application of its two UK adequacy decisions – issued under the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive, respectively – before they expire on 27 June 2025, is therefore of significant consequence. The content of the DUA Bill is likely to form a core part of the Commission’s assessment of the UK data regime as it decides what to do in the first half of the year.”
Countries do not have to apply EU data protection laws to benefit from an adequacy decision – they must merely be assessed by the Commission as having a data protection framework that is essentially equivalent to that in place in the EU.
“The enactment of the DUA Bill, as drafted, would signal some divergence between UK and EU data protection law in some important areas – including in relation to data subjects’ rights and automated decision-making in the age of AI."
Malcolm Dowden, Senior Practice Development Lawyer at Pinsens Masons