On October 31, 2024, the UK Information Commissioner’s Office (the “ICO”) published its response to the draft Data (Use and Access) Bill (the “Bill”). The Bill was welcomed by the ICO, which considers it a “positive package of reforms” that “maintains high standards of data protection and protects people’s rights and freedoms, whilst also providing greater regulatory certainty for organizations and promoting growth and innovation in the UK economy.” It considers the amendments proposed by the Bill to the UK data protection regime to be “pragmatic and proportionate” but notes there are several points that would “benefit from additional clarity” (as detailed in Annex 1 of the response).
Key takeaways from the response include:
- As regards the “smart data” initiative, the ICO reminds businesses that when operating as a controller, they should consider privacy-by-design and ensure that they identify data protection risks from the outset of processing, allowing them to build mitigations into the programme.
- As regards the changes proposed to automated decision-making, particularly the possibility of relying on legitimate interests as the lawful basis for processing, the ICO believes the proposals strike a good balance between the benefits of automation and maintaining protection for special category data.
- The ICO is of the view that the set of legitimate interests defined in the Bill will give businesses “more confidence” when seeking to rely on legitimate interests.
- The ICO notes that the proposal to reduce the types of cookies that require consent should “reduce consent fatigue” for users while also allowing businesses to process information for certain purposes more easily.
- The ICO welcomes the proposed increase to fines that can be imposed under the Privacy and Electronic Communications Regulations.
The ICO advises the UK government to revisit certain parts of the Bill (either due to concerns over drafting or the intended purpose of the proposal); these parts include the meaning of research and statistical purposes, purpose limitation, and human involvement in the context of automated decision-making.