The UK government has introduced the Data (Use and Access) (DUA) Bill to Parliament, aiming to enable AI and data-driven public services. This legislation partially revives the previous government’s Data Protection and Digital Information (DPDI) Bill, which sought to reform the UK Data Protection Act (DPA)—the domestic implementation of the EU’s General Data Protection Regulation (GDPR). While the DUA Bill is a step toward GDPR reform, the UK’s post-EU freedoms present an opportunity for bolder change. In particular, it should carry forward two key provisions from the old DPDI Bill that would tighten the definition of personal data and better align the priorities of the government and the Information Commissioner Office (ICO).
The new data bill incorporates several provisions from its predecessor, including:
- Requiring businesses to provide third-party access to data via standardised APIs or other technical interfaces.
- Establishing standards for digital identity verification on online platforms, paving the way for digital IDs.
- Developing a digital map of underground physical assets, such as water pipes, telecom cables, and power lines, to improve security, planning, and maintenance.
- Replacing the ICO, currently led by a single commissioner, with the Information Commission, led by a board.
- Expanding and clarifying personal data processing, streamlining consent, facilitating public authority collaboration, and setting rules for international data transfers—all to facilitate data processing for research.
However, two key provisions from the DPDI Bill are notably missing in the DUA Bill, reducing its potential impact on data processing reform.
First, the DUA Bill does not include the DPDI Bill’s proposed changes to the definition of personal data, which would have introduced a clearer distinction between directly and indirectly identifiable information. The DPDI’s “reasonable means” test would have raised the threshold for what qualifies as personal data by considering the time, effort, and resources of the processor needed for re-identification. Just because data could hypothetically become identifiable does not necessarily mean it is likely or plausible.
For example, a data processor holding only a first and last name would not typically have enough information to identify an individual without additional data, such as an IP address or cookie ID, which might require significant, potentially unreasonable resources to obtain. Narrowing the definition of personal data would reduce compliance burdens while maintaining strong protections and aligning with modern data-processing practices. The DUA Bill presents an opportunity for the new government to implement this important reform.
Second, the new bill excludes a provision that would have given the government a formal mechanism by which to inform the strategic direction of the Commission. This is particularly important as the ICO’s mandate prioritises privacy over innovation.
While the government has recently announced plans to establish a new Regulatory Innovation Office (RIO) “to drive economic growth through regulatory reform that enables innovation,” the RIO alone cannot fix the fundamental differences between regulator and government priorities. The UK needs formal mechanisms to align regulator goals with government missions, similar to the current setup between the government and Ofcom under the Online Safety Act 2023.
Without such a provision, the government’s long-term economic growth plans will face significant obstacles, and under-resourced regulators will struggle to adopt innovative practices to enhance their efficiency.
The final piece of the puzzle is adequacy—a legal framework found in Article 45 of GDPR that allows for the free flow of personal data between the European Economic Area and third countries. To retain adequacy, the UK’s personal data protection rules must be equivalent to EU GDPR.
Incorporating the missing provisions from the DPDI Bill is unlikely to jeopardise the UK’s adequacy status. The UK’s data protection principles, grounded in EU standards, and its oversight body, the Information Commission, remain intact.
However, the new government should not be afraid to leverage its position and considerable soft power in the technology space to make bolder decisions. If adequacy poses a barrier to a more efficient, data-driven economy, the UK should take the leap to forge its own path. This approach would enable the UK to outpace the EU in the data economy.
Countries like the United States and Singapore use bilateral agreements to maintain EU data flows. There is no reason the UK could not adopt a similar strategy or utilise multilateral initiatives such as the Global Cross-Border Privacy Rules.
Six years after the introduction of GDPR and DPA, people have grappled with its complexities and constraints, with varying degrees of success. Now, in a post-Brexit world, the Labour government has the freedom to revitalise UK data laws to reflect modern practices and understanding of rights-respecting data innovation.
* Ayesha Bhatti is a policy analyst at the Center for Data Innovation. Prior to joining, she worked as a data scientist at a technology consulting firm in London. She has an LLB from the University of Nottingham, and an MSc in Computer Science from Birkbeck, University of London. She is also a licensed attorney in the state of New York.
Source: Center for Data Innovation