Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource
Feed last updated: Thu, 07 Nov 2024 09:40:52 +0000

Hong Kong: Updates to the Personal Data (Privacy) Ordinance put on hold
https://privacymatters.dlapiper.com/2024/11/hong-kong-updates-to-the-personal-data-privacy-ordinance-put-on-hold/
Thu, 07 Nov 2024 09:40:05 +0000

At the Legislative Council Panel on Constitutional Affairs held on 19 February 2024, the Privacy Commissioner (“Commissioner”) reported that the Office of the Privacy Commissioner for Personal Data was working with the Government to review the Personal Data (Privacy) Ordinance (“PDPO”) to strengthen personal data protection in Hong Kong. At the meeting, the Commissioner announced the Government’s plans to make amendments to the PDPO including the introduction of a mandatory data breach notification mechanism, imposition of the requirement for companies to devise data retention policies, implementation of administrative fines, etc.

However, plans to amend the PDPO have been put on hold given concerns over the immense economic pressure it may exert on small or nano businesses to comply with the new regulations. The Government could alternatively consider introducing the amendments in a ‘piecemeal approach’ to reduce the impact on local businesses. For now, the Government has no definitive timeline on when the amendments to the PDPO will be introduced and will only provide updates upon developing more concrete proposals. In the meantime, we will continue to monitor for any further details in relation to the Government’s plans to update the PDPO.

UK: Data (Use and Access) Bill: newcomer or a familiar face?
https://privacymatters.dlapiper.com/2024/11/uk-data-use-and-access-bill-newcomer-or-a-familiar-face/
Tue, 05 Nov 2024 14:59:26 +0000

Déjà vu in the world of UK data law: the Labour government has proposed reforms to data protection and e-privacy laws through the new Data (Use and Access) Bill (“DUAB”). The DUAB follows the previous government’s unsuccessful attempts to reform these laws post-Brexit, which led to the abandonment of the Data Protection and Digital Information (No.2) Bill (“DPDI Bill”) in the run-up to the general election.

The new Labour government first announced plans for a bill in the King’s speech in July. In a notable shift of emphasis from the DPDI Bill, the term ‘data protection’ has been dropped from the title of the Bill. Reform of the data protection and e-privacy regime is still an important part of the Bill, but arguably secondary to the Bill’s emphasis on wider data-related policy initiatives, focussed on facilitating digital identities and securing access to ‘smart’ or ‘open’ data sets. This is reflected in the Government’s introduction that the new Bill will “harness the enormous power of data to boost the UK economy by £10 billion” and “unlock the secure and effective use of data for the public interest, without adding pressures to the country’s finances”.

Key data protection law changes

The Bill proposes very limited changes to the UK data protection regime. These are targeted and incremental and unlikely to have a material impact on day-to-day compliance for most businesses operating in the UK.

The specific areas of reform proposed include:

  • Scientific research definition and broad ‘consent to research’: The DUAB creates a statutory definition of scientific research to help clarify how the various provisions in the UK GDPR which refer to ‘research’ are intended to be applied. The intention is to clarify that ‘scientific research’ can extend to cover research “carried out for commercial or non-commercial activity” and includes any research that “can reasonably be described as scientific”. This replicates similar proposals in the DPDI Bill, which effectively bring into the UK GDPR references that appear in the recitals to the GDPR, that suggest a broad interpretation of “scientific research” should be applied. The DUAB also clarifies that an individual may be able to give consent to their data being used for more than one type of scientific research, even if at the time consent is provided, it is not possible to identify all of those research purposes.
  • Recognised legitimate interests: The DUAB helpfully introduces the concept of ‘recognised legitimate interests’ to provide a presumption of legitimacy to certain processing activities that a controller may wish to carry out under Article 6(1)(f) (legitimate interests). Again, this is a helpful carry-over from the DPDI Bill. The DUAB also introduces a new provision requiring any new recognised legitimate interest to be necessary to safeguard an objective listed in Article 23(1) UK GDPR (i.e. public security, the prevention, investigation, detection or prosecution of crime, public health, data subject rights etc.).
  • Automated Decision Making: The DUAB will remove the requirement to establish a qualifying lawful basis before conducting automated decision making (the requirement currently at Article 21(2) UK GDPR), except where special category data is used. This change is particularly relevant to organisations using AI systems, potentially allowing those organisations to use ADM more widely than under the EU GDPR. However, data subjects will still benefit from rights of objection and human intervention, and organisations will still need to carefully assess their use of ADM.
  • Special category personal data: The DUAB grants the Secretary of State the authority to designate new special categories of personal data and additional processing activities that fall under the prohibition of processing special category data in Article 9(1) of the UK GDPR. This potentially extends the scope of additional protections afforded by Article 9, beyond the current prescribed list of categories of special category data in the UK GDPR. It is unclear whether the Government anticipates including any additional categories of data under this mechanism in the near term.
  • Cookies: The DPDI Bill included a number of reforms to the rules on cookie consent. These have been retained in the DUAB. Businesses will likely find these changes helpful, as they have the effect of easing the consent requirements in some cases and provide greater clarity as to what falls within the “strictly necessary” exemption. One of the more challenging proposals by the previous government – that would have required cookie consent platforms to be centralised (e.g. into browsers) – has been withdrawn.
  • PECR Enforcement Regime: The Bill fully aligns the UK GDPR / DPA and PECR enforcement regimes. This effectively increases regulatory exposure under the PECR to potential fines equivalent to those under the UK GDPR.
  • International Data Transfers: The DUAB introduces amendments that are designed to clarify the UK’s approach to the transfer of personal data internationally and the UK’s approach to conducting adequacy assessments. These are technical changes, but notably the EU approach to adequacy anticipates that a third country has a regime that is ‘essentially equivalent’ to the EU standard; the DUAB moves away from that to a new threshold that the third country offers safeguards that are ‘not materially lower than’ the UK’s.
  • ICO: The DUAB retains the majority of the reforms to the ICO, including the change from an Information Commissioner to an Information Commission, introducing a formal Board structure with an appointed CEO. The DUAB also aims to reduce the number of complaints reaching the ICO, by requiring complaints to be made first to the controller, with escalation to the authority only if they are not satisfactorily dealt with.

Which proposed changes have been dropped?

Many of the other reforms to UK data protection law proposed in the DPDI Bill have been dropped. Notably, the following provisions did not make their way into the new bill:

  • The DPDI Bill proposed an expanded definition of ‘personal data’ which would have provided further clarification as to when data is related to an identified or identifiable individual and when it should be considered anonymous. That has been dropped.
  • The DPDI Bill amended the accountability provisions within the UK GDPR, reducing the burden on smaller businesses to maintain records of processing or carry out Data Protection Impact Assessments. Those changes have not been carried across. The role of the Data Protection Officer will also remain as is, with the previous proposal to replace the DPO with the concept of a ‘senior responsible individual’ dropped.
  • The proposal in the DPDI Bill to exempt “vexatious” data subject access requests (in line with the terminology used in freedom of information law) has been discarded. Instead, the existing exemption of “manifestly unfounded or excessive” requests will continue to apply. Helpfully, though, the DUAB does incorporate a new provision allowing controllers to limit themselves to ‘reasonable and proportionate’ efforts in responding to access requests, a codification of ICO guidance and case law in this area.
  • The proposal to remove a requirement on non-UK businesses to appoint a representative under Article 27 UK GDPR has been scrapped – the role of the representative in the UK remains for now.
  • Some of the reform to the ICO has not survived, including the requirement for the ICO to take into account the government’s strategic priorities and some of the changes to the ICO’s enforcement powers.

Smart data schemes and digital identity verification

As noted above, data protection is no longer the main focus of the Bill, with large sections of the Bill set aside to deal with wider digital policy matters, including smart data schemes and certification for digital identity service providers: “the Bill will create the right conditions to support the future of open banking and the growth of new smart data schemes” (HM Government).

  • Smart data schemes – The DUAB gives the Secretary of State broad powers to make data regulations addressing access to business data and customer data, with sector specific ‘smart data’ regimes. Secondary legislation will follow that sets out much of the important detail here, but the essence of these provisions is to require data holders to provide or otherwise make available datasets, as well as give businesses and individuals the right to request access to those datasets. This is similar to elements of the EU Data Act and EU Data Governance Act at EU level, but goes further as it is not limited to IoT or public sector data. There is also a strong overlap with the European Health Data Space Regulation and the EU FIDA Regulation: promoting access to data for secondary uses and breaking down the barriers that exist between data holders and those persons, whether individuals or businesses, that would like access to data for certain, as yet undefined, purposes.
  • Digital identity verification – The DUAB will separately establish a framework to facilitate the development of digital verification services. This framework aims to certify organisations that offer identity verification tools in accordance with the government’s trust framework standards. New provisions in the bill grant the Secretary of State the authority to deny certification on national security grounds and require the Secretary of State to consult the Information Commissioner regarding relevant regulations.

What next?

Although the DUAB comes with some bold statements from the Government that it will “unlock the power of data to grow the economy and improve people’s lives”, the proposals represent incremental reform rather than radical change. There are arguably no big surprises (and perhaps some missed opportunities), with much of the drafting a lighter version of what we saw in earlier drafts of the DPDI Bill, and with some of the more innovative elements (around smart data access and use) still unclear as we await the detail of secondary legislation.

We will keep a close eye on the DUAB as it makes its way through Parliament. We expect a relatively smooth passage, given that so much of it has already been through earlier legislative processes, so extensive debate seems unlikely.

US: CFPB Finalizes Open Banking Rule Under Section 1033: Key Takeaways for Accessing Consumer Financial Data
https://privacymatters.dlapiper.com/2024/11/cfpb-finalizes-open-banking-rule-under-section-1033-key-takeaways-for-accessing-consumer-financial-data/
Fri, 01 Nov 2024 17:02:54 +0000

Overview

On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its long-anticipated “Personal Financial Data Rights” rule (and Executive Summary) – more commonly known as the “Open Banking” rule – under Section 1033 of the Dodd-Frank Act. This landmark regulation aims to empower consumers by granting them greater control over their personal financial data, enabling them to access and share this information with third-party providers securely and without charge. According to the CFPB, the rule is designed to foster competition and innovation in the financial services industry by making it easier for consumers to switch financial providers and for new companies to offer innovative products and services.

The final rule requires covered entities – including banks, credit card issuers, digital wallet providers, and other financial institutions – to provide consumers and authorized third parties with access to specified consumer financial data upon request. It also establishes privacy and security protections, limiting third parties’ use of the data they receive to the purposes expressly authorized by the consumer. While the rule has been lauded for promoting consumer choice and competition, it has also faced criticism and legal challenges from industry stakeholders concerned about data security, compliance burdens, and statutory authority.

What Does the CFPB Open Banking Rule Entail?

The CFPB’s Open Banking rule mandates that covered data providers make available to consumers, or to third parties authorized by consumers, certain data related to covered consumer financial products or services free of charge.

  • Covered data – data providers must make available:
    • Account Balance and Transaction Information: At least 24 months of transaction history, including amounts, dates, payment types, merchant names, rewards credits, and fees or finance charges.
    • Payment Initiation Information: Data necessary to initiate payments from accounts, facilitating services like “pay-by-bank.”
    • Terms and Conditions: Details such as fee schedules, interest rates, credit limits, rewards program terms, and whether the consumer has entered into an arbitration agreement.
    • Upcoming Bill Information: Information on upcoming payments due, including scheduled payments to third parties.
    • Basic Account Verification Information: Names, addresses, email addresses, and phone numbers associated with the accounts.
  • Exceptions – data providers do not have to make available:
    • Confidential commercial information.
    • Information collected for the sole purpose of preventing fraud/money laundering.
    • Information required to be kept confidential by law.
    • Information the data provider cannot retrieve in the ordinary course of business.

Which entities are “data providers” under the Rule?

The rule applies to a broad range of financial service providers, referred to as “covered data providers.” This includes:

  • Regulation E financial institutions: Banks, savings associations, and credit unions holding consumer asset accounts.
  • Regulation Z card issuers.
  • Payment Facilitators: “Any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person.” This includes companies that enable transactions from consumer accounts, including digital wallet providers.

Notably, the final rule exempts depository institutions that hold assets of $850 million or less (i.e., equal to or less than the Small Business Administration size standard for such institutions), aiming to alleviate the compliance burden on smaller banks and credit unions.

Consumer and Developer Interfaces

Under the rule, data providers are required to establish and maintain two separate interfaces for accessing covered data: a consumer interface (e.g., online banking portals that allow consumers to access their data directly) and a developer interface for authorized third parties (e.g., APIs, though the rule is technology neutral) to facilitate secure and standardized access to covered data. Data providers must also provide certain information to consumers and authorized third parties, including: (i) the provider’s legal name and any assumed names; (ii) a link to its website; (iii) its Legal Entity Identifier (LEI), issued by a utility endorsed by the LEI Regulatory Oversight Committee or the Global LEI Foundation; and (iv) contact information for consumers or third parties to ask questions about accessing covered data. Data providers may not charge fees to either consumers or authorized third parties for accessing covered data. The developer interface must meet certain minimum performance standards and may not unreasonably restrict the frequency with which it receives or responds to requests from an authorized third party.

Data providers can deny third parties access to their interfaces only under certain limited circumstances. In particular, data providers may deny access to their developer interface if a third party does not present evidence that its information security practices are adequate to protect covered data, or if the third party does not provide: (i) its legal name (and any assumed names); (ii) a link to its website; (iii) its LEI, issued by a utility endorsed by the LEI Regulatory Oversight Committee or the Global LEI Foundation; and (iv) contact information a data provider may use to inquire about the third party’s information security and compliance practices.

Like the proposed rule, the final rule does not explicitly prohibit authorized third parties from screen scraping; however, the final rule seeks to curtail screen scraping by prohibiting authorized third parties from accessing a data provider’s developer interface using any credentials that a consumer uses to access the consumer interface.

What Are the Privacy and Security Protections and Restrictions on Third Parties?

To safeguard consumer data, the rule imposes several privacy and security requirements on third parties:

  • Purpose Limitation: When a consumer authorizes a third party to access the consumer’s financial data from a data provider, the third party can only use the data for the specific product or service requested by the consumer. Practices like selling the data, using the data for targeted advertising, or cross-selling the third party’s other products/services are prohibited (unless the consumer expressly consents to these purposes).
  • Consent and Authorization: Third parties must obtain express consent from consumers through clear authorization disclosures, outlining the data to be accessed and the purpose.
  • Limited Duration of Authorization: The authorization from a consumer is valid for one year, after which the third party must obtain new authorization from the consumer. If an authorization expires, the third party may no longer collect covered data and may no longer use or retain covered data collected under the expired or revoked authorization.
  • Revocation Rights: Consumers have the right to revoke a third party’s access at any time, and third parties must (1) make revocation easy, (2) cease data collection and delete data unless retention is necessary to provide the requested service, and (3) notify the data provider if it receives a revocation request from the consumer.
  • Data Security Programs: Third parties must implement data security measures in line with the Gramm-Leach-Bliley Act (GLBA), or, if not subject to the GLBA, the FTC Standards for Safeguarding Customer Information (i.e., Safeguards Rule).
  • Policies and Procedures: Third parties must maintain their own internal written policies and procedures to comply with the rule and the rule’s record retention requirements.

What Are the Compliance Deadlines?

Compliance with the rule will be implemented in phases as follows:

Depository Institution (Total Assets) | Non-Depository Institution (Total Receipts)       | Compliance Date
--------------------------------------|---------------------------------------------------|----------------
>$250bn                               | >$10bn in either calendar year 2023 or 2024       | April 1, 2026
$10bn – $250bn                        | <$10bn in both calendar year 2023 and 2024        | April 1, 2027
$3bn – $10bn                          |                                                   | April 1, 2028
$1.5bn – $3bn                         |                                                   | April 1, 2029
$850m – $1.5bn                        |                                                   | April 1, 2030
<$850m                                |                                                   | Exempt

Key Takeaways

This significant regulatory development carries several implications for businesses in the financial sector:

  • Prepare for Compliance: Covered entities, both data providers and third parties, should begin assessing their data infrastructure, security protocols, and compliance procedures, and obtain the required Legal Entity Identifiers (LEIs), to meet the new requirements within the specified timelines.
  • Review Data Sharing Practices: Companies seeking to access covered data must evaluate their data collection, use, and retention policies to ensure they align with the purpose limitations and consent requirements of the rule.
  • Enhance Privacy and Security Measures: Robust data security programs compliant with GLBA and other regulations must be implemented to protect consumer data during access and transfer. This is particularly important for third-party recipients who may not be as familiar with these requirements (as noted above, if the third party is not already subject to the GLBA, it must follow the FTC Safeguards Rule, which sets out detailed security requirements for protecting consumers’ financial information).
  • Monitor Legal Developments: Ongoing legal challenges could impact the implementation and enforcement of the rule. Companies should follow these proceedings and be prepared to adapt accordingly.
  • Engage with Industry Standards: Participation in recognized standard-setting bodies may aid in compliance and contribute to the development of interoperable systems that benefit the industry as a whole (the CFPB finalized its rule regarding standard-setting bodies earlier this summer).

For more information about these developments and how they may affect your organization, contact your DLA relationship partner, the authors of this blog post, or any member of DLA’s Data Protection, Privacy, and Security team.

UK: The UK Cybersecurity and Resilience Bill – a different approach to NIS2 or a British sister act?
https://privacymatters.dlapiper.com/2024/10/uk-the-uk-cybersecurity-and-resilience-bill-a-different-approach-to-nis2-or-a-british-sister-act/
Tue, 01 Oct 2024 13:14:24 +0000

In the much-anticipated first King’s Speech of the new Labour Government on 17 July 2024, the monarch announced that the long-anticipated Cybersecurity and Resilience Bill (CS&R Bill) would be amongst those new laws making their way onto Parliament’s schedule for the next year. Six years on from the implementation of the NIS Regulations 2018 (NIS Regulations), which, in common with our fellow EU Member States of the time, were based on the EU’s NIS1 Directive, the CS&R Bill recognises that the time is ripe for reform. While the NIS Regulations clearly took a step in the right direction towards achieving a high level of cybersecurity across critical sectors, the new Bill recognises the need to upgrade and expand the UK’s approach to keep in step with an ever-increasing cyber threat.

But in the UK, we are not alone in recognising cyber as one of the most significant threats of our age. In the recitals to NIS2, the EU Commission notes that the “number, magnitude, sophistication, frequency and impact of incidents are increasing and present a major threat to the functioning of network and information systems”, with the result that they “impede the pursuit of economic activities in the internal market, generate financial loss, undermine user confidence and cause major damage to the Union’s economy and society”. The EU’s response was to enact a bolstered NIS2 which significantly expands the number of entities directly in scope; includes a focus on supply chains; enhances the powers of enforcement and supervision available to local authorities; steps up incident reporting obligations; and imposes ultimate responsibility for compliance at a senior management level. With DORA, the EU adds another layer of regulation, trumping the requirements of NIS2 for the financial services sector.

So how will the UK’s new Bill compare? Our article looking at the initial indications released by Government to try and answer that question is available here.
