A new law, good or bad? This article is a bit better now. is nowhere near finished, come back later.
Links
- The text of the legislation @ legislation.gov.uk
- The Data Use and Access Act 2025 (DUAA) – what does it mean for organisations by the ICO, published prior to final passage.
- What the House of Commons briefing had to say.
- Briefing: The Data Use and Access Bill (Second Reading) by the Open Rights Group, the had an unfounded fear that the UK might lose its adequacy ruling, because the law planned to weaken protection from automated decision making and for use by AI. It reduces the threshold protecting personal data from law enforcement enquiries. They also argue that it weakens the safeguarding requirements with respect to personal information. They also oppose the introduction of Henry VIII powers. (Much of the criticism is based on a fear that the UK would lose its adequacy ruling, which it did not. See below.) The weakening of the requirement to not automatically process/profile people is a serious criticism which could have been met if they’d wanted to.)
- They also publish the narrower briefings on use for political purposes & DUAB and AI harms
Copyright
The creative industry or at least its superstars kicked off on the issue of AI training and copyright. They lost it seems, this is covered in the article linked below.
UK passes updated data bill without AI copyright provisions by coingeek, who also highlight that there are key updates in the bill include expanding the scope for data processing under ‘Legitimate Interests,’ such as for direct marketing and security processing, reducing interruptive and ineffective cookie consent banners, and provisions to boost market research, product development, and technological innovation. However, one key change the bill doesn’t include is a much-debated amendment to force big tech firms and artificial intelligence (AI) companies to get permission and/or pay for U.K. content, as the government insisted that it was planning to address this topic in future AI and copyright legislation—after the conclusion of a consultation on the topic in February.
Adequacy
The renewal of the UK adequacy decision is documented in the list below, although it is a long process, which has now gone through the first two (of five) stages. 3/11/2025. See
- The European Commission proposes UK adequacy deadline extension by the IAPP, an interim measure to give themselves another 6 months to make their mind up, in light of the UK’s proposed reforms.
- Pinsent Mason report on the Commission’s draft decision to renew the UK’s data protection adequacy
- The Commission’s Adequacy decisions page from the Commission, details the renewal process, does not yet have the most recent decisions to renew/extend the UK’s adequacy decisions. The text of the Commission decisions from the Commission. (I have not read this). The EDPB has given its opinion and asks the Commission to consider aspects of DUAB. These include the Henry VIII powers as they relate to “.. to international transfers, automated decision-making, and the governance of the Information Commissioner’s Office (ICO). The EDPB invites the Commission to address possible risks of divergence by highlighting, in the final adequacy decision,”
On the ICO
- I asked Gemini, Does duaa change the governance of the ICO? It answered yes, I may be most interested in “The ICO will be reformed and replaced by a new corporate body called the Information Commission (IC). This replaces the previous single-Commissioner model (a corporation sole). And the IC will be governed by a board, which will include a mix of executive and non-executive members. This is intended to bring the regulator’s structure more in line with other major UK regulators like the Financial Conduct Authority (FCA).
- The deadline to apply for non-execs has closed. They don’t muck around. The job advert has some interesting statements about role and experience, They want people with regulatory experience. The current IC is the new Chairman of the Board, John Edwards biography.
comment
Monica & Graham seem silent on this
other links
- Data Use and Access Bill will fail to protect public from AI harms | Open Rights Group
on September 2, 2025 at 7:40 pm“The Data Use and Access Bill will fail to protect the public from harmful uses of artificial intelligence, say digital rights campaigners, Open Rights Group. The Bill, published today, rehashes many of the provisions in the previous government’s controversial Data Protection and Digital Information Bill, which was ditched in wash-up prior to the General Election. Annotations: The Data Use and Access Bill weakens our rights and gives companies and organisations more powers to use automated decisions. This is of particular concern in areas of policing, welfare and immigration where life-changing decisions could be made without human review. Tags: technology regulation duab duaa openrightsgroup
- European Commission should rescind UK data adequacy | Computer Weeklyon June 16, 2025 at 2:46 pm
Seven civil society organisations are calling on European Commissioner Michael McGrath to rescind the UK’s data adequacy status, citing major concerns around the country’s ongoing erosion of privacy and data rights. Annotations: Commenting on the DUAB proposals – which “would represent a systematic weakening of privacy and data protection safeguards” – the civil society groups noted the bill will diminish the right not to be subject to automated decision-making; delegate “extensive” legislative power to UK ministers that would allow them to circumvent Parliamentary scrutiny when making decisions around the legality of data processing or transfers; and otherwise grant government and law enforcement agencies “expansive access” to personal data. Tags: politics europeanunion gdpr adequacy article22 duab