Category: Data Protection

This blog is the continuation from Part 1 published last Tuesday.  In summary, the draft Adequacy Agreement (“the Agreement”) published by the Commission does not accurately describe the UK’s Data Protection regime and the impact of the Data (Use and Access) Act 2025 (“DUAA”). This blog explores the error surrounding: Research International Transfers National Security- In Part 1 of the analysis, the blog considered errors relating to: Annex 1 – lawful basis Special category of personal data Annex 2 – incompatibility

The draft Adequacy Agreement (the “Agreement”) published by the European Commission last month contains seven basic errors of analysis which calls into question whether the Agreement accurately reflects the current state of UK data protection law.  This is important because the European Parliament is likely to OK this Agreement on the back of a very deficient analysis. This blog (and the next one) explores the main errors.  In summary, these errors involve: Annex 1 – lawful basis Special category of personal

I have just realised that the Data (Access and Use) Bill (DAUB), which returns for its Commons Report stage today,  degrades two Data Protection Principles in Article 5 of the UK_GDPR; namely the Principles dealing with lawfulness and incompatibility [A.5(1)(a) and A.5(1)(b)]. Indeed, the revised wording of the Purpose Limitation Principle [A.5(1)(b)] does not meet the requirements set 45 years ago in the Council of Europe Convention No 108, in 1981.  This blog goes into this new wording in detail.

This is the second instalment of my list of nineteen areas where the Data Use and Access Bill (DUAB) provisions act to the detriment of data subjects. In Part 1 (blog of 25 Feb 2025), I listed a summary of the issues that would cause problems with renewing the Adequacy Agreement with the European Commission. This blog gives more details of the problems associated with the regulator (the ICO and the replacement Information Commission). The summary points concerning DUAB are:

The following is a summary list of nineteen Data Use and Access Bill (DUAB) provisions which act to the detriment of data subjects. Because of its length, I have split these issues in two blogs.  Part 2 of this set will be published on Thursday. All these issues have been raised in my evidence to the Public Bill Committee which is considering DUAB;  you can access this evidence (see references).  The Committee stages start on Tuesday  March 4, and are

The Prime Minister and the Chancellor of the Exchequer have gone "all in" with Artificial Intelligence (AI) in the expectation that it generates economic growth.  It has told the main UK Regulators, including the ICO, to ease-off on general enforcement if such enforcement creates a serious risk to that growth. To ensure Regulators fall obediently in line, the chair of UK's competition Regulator was removed by the government in late January, to be replaced by someone more “amenable” to the

This blog is the promised second instalment that deals with the powers in the Data (Use and Access) Bill (DUAB  “Bill”).  These powers give Ministers the ability to sweep aside key elements of the UK_GDPR that protects data subjects from function creep in the public sector. In evidence in support the above statement, this blog explains details of: the two powers that give Ministers the ability to specify any voluntary data sharing with any public body as lawful and not incompatible

This blog considers how the Data (Use and Access) Bill (the “Bill”) impacts on the lawful bases used in the context of voluntary data sharing with public bodies. In summary, the Bill creates an infrastructure of Ministerial powers that ensures voluntary data sharing to the public sector has a lawful basis;  that such data sharing is not incompatible with the purpose of obtaining, and that such data sharing is, in practice, exempt from the right to object. These powers have