The ICO's Response to the UK Data (Use and Access) Bill

The ICO’s endorsement of the Data (Use and Access) Bill represents a pivotal moment for the future of data privacy and digital governance in the UK. This bill, with its emphasis on smart data, digital verification, and health standards, signals a forward-thinking approach to modernising data regulation. However, its real strength lies in its focus on a “Privacy-by-Design” philosophy, underscoring the critical need for organisations to integrate privacy as a foundational element—not an afterthought.

One of the most noteworthy aspects of the ICO’s response is its backing for the bill’s reforms around legitimate interests in data processing, particularly for commercial uses. Under the current GDPR framework, the ambiguity around legitimate interests has posed a challenge for organisations, often resulting in lengthy impact assessments. The ICO’s support for clarified lawful purposes—such as crime prevention—provides a pragmatic path forward, reducing red tape and empowering organisations to pursue innovation responsibly.

Automated decision-making (ADM) provisions also stand out, as they reflect an increasingly nuanced understanding of ADM’s role in today’s data-driven economy. The bill’s safeguards will allow organisations to leverage ADM where it adds genuine value, balancing efficiency with the necessary protections for personal data. This approach aligns with the findings of a recent report by McKinsey, which estimates that AI-driven ADM could generate ￡130 billion in economic value for the UK by 2030. Ensuring that such innovation is grounded in robust privacy practices is crucial for sustainable growth.

Equally progressive is the bill’s provision to streamline cookie consent, addressing the prevalent issue of ‘consent fatigue’. According to a survey by the European Commission, 70% of internet users express frustration with frequent consent prompts, often opting to click through hastily. By reducing consent requirements for low-risk cookies, the bill not only improves user experience but also increases the likelihood of genuine, informed consent for higher-risk data processing—an approach that reinforces trust in the digital ecosystem.

International data transfers have long been a thorny issue in data privacy, particularly post-Brexit. The ICO’s support for smoother international data flows is essential for keeping UK businesses competitive on the global stage. The Information Technology and Innovation Foundation recently noted that restrictive data localisation laws could cost the global economy ￡132 billion annually by hindering data flows. The bill’s provisions allow UK organisations to collaborate internationally with less friction, provided partner nations uphold comparable data protections—a vital step to enabling global competitiveness.

Moreover, the ICO’s expanded enforcement powers and the strengthening of its governance model are timely and necessary. In 2022, the ICO issued ￡13.5 million in fines, yet challenges persist in ensuring compliance across all sectors. Enhanced regulatory independence and increased fines under the bill position the ICO to act decisively against infringements, creating a level playing field and encouraging a culture of accountability.

In summary, the ICO’s response to the DUA Bill embodies a balanced approach to innovation and privacy. As organisations face new responsibilities, a proactive embrace of Privacy-by-Design, legitimate interest clarifications, and regulatory compliance is crucial to build trust and future-proof their operations. The DUA Bill, if enacted with these provisions, could set a precedent not only within the UK but also as a model for global regulatory frameworks—a testament to the UK’s commitment to ethical data governance and a crucial step forward for the digital economy.