What are the implications of the Information Commissioner's updated response to the Data (Use and Access) (DUA) Bill?

The Data (Use and Access) Bill (DUA), introduced to the UK Parliament on October 24, 2024, has completed its passage through the House of Lords with several amendments following extensive debate. The Bill is viewed positively as it maintains high data protection standards, protects individual rights, provides regulatory certainty for organisations, and fosters economic growth and innovation.

The speaker, representing an independent office (likely the Information Commissioner’s Office, ICO), supports the Bill and has collaborated with the government during its development, offering expert advice as per Article 36(4) of the UK GDPR. The office’s role is to enforce the existing and future data protection frameworks while advising on legislative changes independently of the government.

Key Amendments and Comments:

1. Definition of Scientific Research  

   • The Bill simplifies provisions for research, archiving, and statistics, offering clarity and encouraging responsible use of personal data for societal and economic benefits.

   • An amendment limits scientific research processing to activities "reasonably described as scientific" and "in the public interest," regardless of funding or commercial status. This addresses concerns about AI development without imposing a blanket ban. The ICO plans to provide guidance on the "public interest" aspect.

2. Duties to Protect Children  

   • New duties emphasise protecting children’s data, with the ICO tasked to recognize children’s specific protection needs.

   • An amendment to Article 25 (data protection by design) requires organisations offering information society services likely accessed by children to consider "higher protection matters" (e.g., children’s specific vulnerabilities and developmental needs).

   • While supportive, the speaker seeks clarity on "higher protection matters" and its relation to the Age Appropriate Design Code (AADC), ensuring it doesn’t imply a higher legal standard than for adult data. Further government clarification is requested on its scope and application.

3. Direct Marketing – Soft Opt-In  

   • The Bill extends the "soft opt-in" for email marketing (previously limited to commercial entities) to charities, allowing them to contact supporters or interested individuals with an opt-out option.

   • The ICO supports this but cautions charities to balance their interests with individual rights under UK GDPR, especially in sensitive cases (e.g., crisis services).

4. Codes of Practice  

   • The government will mandate the ICO to create codes on automated decision-making/AI and ed-tech via secondary legislation. The ICO welcomes this and will consult widely to ensure the codes are effective and practical.

5. Automated Decision-Making (ADM)  

   • Debate continues over removing the general restriction on ADM with significant effects, now allowing it under any lawful basis with safeguards like "meaningful human involvement."

   • The ICO finds this balanced but notes stakeholder concerns about risks. It will support organisations in applying the new rules once finalised.

6. Other Provisions  

   • Web Crawlers: A new duty requires the ICO to regulate web crawler transparency to protect copyright. The ICO seeks government consultation on its implications due to lack of prior discussion or impact assessment.

   • Deepfakes: New offenses target non-consensual sexually explicit digital images. The ICO supports this but seeks assurance on its compatibility with the European Convention of Human Rights and UK adequacy status.

   • Technical Amendments: Government changes are seen as ensuring the Bill’s effective operation.

Conclusion

The speaker endorses the Bill as enhancing the UK’s data protection regime while supporting innovation and rights. The ICO will continue providing independent advice as the Bill progresses through Parliament, addressing ambiguities and ensuring practical implementation.