Category Archives: Data (Use and Access) Bill

June 20, 2025 · 8:11 am

What the DUAA 2025 will do

Section 1(2) of the Data Protection Act 2018 tells us that

Most processing of personal data is subject to the UK GDPR

Despite the attention given to the progress of the Data (Use and Access) Act 2025 (and I have certainly given it a lot), now that it has passed, its significance for data protection practitioners is essentially only in how it will amend the three core legislative instruments relevant to their practice area: the UK GDPR, the DPA 2018, and PECR.

The DUAA is (in data protection law terms) mostly an amending statute: once its provisions have commenced, their relevance lies in how they amend those three core texts.

How that amending is done in practice is important to note.

When a piece of legislation is amended, Parliament doesn’t reenact it, so the “official” printed version remains. In pre-internet days this meant that practitioners had to read the original instrument, and the amending instrument, side by side, and note what changes applied. This was generally done with the assistance of legal publishers, who might print “consolidated” versions of the original instrument with, effectively, the amendments showing in mark-up.

In the internet age, things actually haven’t changed in substance, but it’s very much easier to read the consolidated versions. If, for example, you go to the legislation.gov.uk website, and look at the DPA 2018, you can view it in “Original (as enacted)” version, and “Latest available” version (in the second image below, for instance, you can see that “GDPR” was amended to “UK GDPR”, with the footnote explaining that this was effected by
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019)).

The DUAA has not been published yet (and remember that many of its provisions won’t come into immediate effect, but will require secondary legislation to “commence” them into effect), but once it is, and once the clever people who maintain the legislation website have done their thing, most practitioners won’t need to refer to the DUAA: they should, instead, refer to the newly amended, consolidated versions of the UK GDPR, the DPA 2018 and PECR.

And also remember, “Most processing of personal data is [still] subject to the UK GDPR”.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data (Use and Access) Act, Data (Use and Access) Bill, Data Protection, Legislation, UK GDPR

Tagged as ,

June 3, 2025 · 7:35 am

Could the Data (Use and Access) Bill fall?

[EDIT: in this post I originally said I understood that the current parliamentary session would end when Parliament rises for summer recess. Prompted by Andrew Harvey, on the Jiscmail Data Protection list, I checked this point, and I was wrong: my MP (who, on the two occasions I’ve emailed him, has been impressively responsive), says “With the legislative programme from the King’s Speech barely a quarter of the way through, I would guess this will be at least an 18 month session”). So one of the pressing issues in the post is less pressing, but that still doesn’t get round the issue of the impasse.]

Westminster is at an impasse over the Data (Use and Access) Bill. The Lords have repeatedly introduced amendments, in the form of totally new clauses on AI and copyright which were never intended to be part of the Bill, and the Commons have repeatedly removed them. Yesterday’s reprise of the exercise suggests that ping pong is not stopping any time soon.

This must be of tremendous frustration to the government. In particular, it will be of significant concern to the ministers and civil servants who will be negotiating with the European Commission over the reciprocal data adequacy arrangements which allow free transfer of personal data between the EU and the UK. The Commission had introduced a sunset clause to the original agreement, which was due to expire this month, but this has been extended for a further six months, specially to allow for the passage and enactment of the DUAB (the Commission wants to see what the revised UK data protection scheme will look like).

So what happens now? As the Bill was introduced in the Lords, the Commons cannot invoke its powers to force the Bill through to Royal Assent, under section 2 of the Parliament Act 2011.

The current parliamentary session may well run on for some time yet. Traditionally, all parliamentary business would cease at prorogation, so if a Bill hadn’t passed, it fell. In recent years, however, procedures in both Houses have been developed, whereby, by agreement, a Bill can “carry over” to the next session. This is very unusual, though, with a Bill introduced in the Lords. It is also difficult to see how, or why, there would be agreement to carry over a Bill like the DUAB, over which the two Houses are in actual disagreement.

Maybe the alternative would be to allow the Bill to fall (or withdraw it), and reintroduce it in the Commons, in the next session.

But there would be no winners in such a scenario. The government (and Parliament) would have to go to significant time and cost, and the opponents in the Lords, serried behind Baroness Kidron, would be no closer to getting the artists’ protections from AI models that they seek.

And in the meantime, the extended sunset clause for UK adequacy would be dropping below the horizon.

Is there still time for compromise? The simple answer is yes, but there have been few signs of much movement from either side.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adequacy, Data (Use and Access) Bill, parliament

Tagged as ,