1. Introduction.
This blog is about the proposals for ‘Smart Data’ legislation in Part 3 of the Data Protection and Digital Information (No. 2) Bill.
It is probably fair to say that the changes to the UK’s data protection regime set out elsewhere in the Bill have rather overshadowed what the Bill proposes for Smart Data. But the new data-sharing framework set out in Part 3 will have a significant effect on consumers, incumbents and new players in affected sectors, if enacted.
Paragraphs 2 and 3 explain the background and policy context for Smart Data and the new proposals. Paragraph 4 looks at who the new rules might affect. The remaining paragraphs consider the impact of leaving the detail to secondary legislation (5); how this squares with developments in the EU (6); and next steps (7).
2. Smart Data – what is it?
The term Smart Data is not used in the Bill. Instead, Part 3 of the Bill is built around two key concepts: “customer data” and “business data” (and we will return to the meaning of each of these in the next paragraph).
The term Smart Data has, however, been used in Government policy documents and parliamentary discussion of the topic for several years. Broadly, Smart Data means “the secure and consented sharing of customer data with authorised third-party providers.”[1]
A number of Smart Data ‘schemes’ exist in the UK, albeit only one is operational. By far the most prominent of these (and the only operational one) is Open Banking, which resulted from an investigation by the CMA, the UK’s competition watchdog, into the UK’s retail banking sector and was spurred by the UK’s implementation of the EU’s Second Payment Services Directive in 2017.
Another is the Pensions Dashboard which, when operational, will give users access to a consolidated online dashboard of their pension savings. The Pensions Dashboard was given a statutory footing in the Pension Schemes Act 2021.
In essence, the Smart Data proposals in Part 3 of the Bill provide a legislative framework for Smart Data schemes to be rolled out in new sectors of the UK economy – beyond Open Banking.
3. The Smart Data proposals in the Bill.
Part 3 of the Bill is built around two core defined terms: “customer data” and “business data”.
Customer data is data relating to the customer of a trader – for example, data about a given customer’s usage patterns of a service or the price the customer has paid for it.
Business data is wider information about the goods, services or digital content provided by a trader – for example, data about the trader’s general tariffs, key contract terms or customer feedback data. The aim is that business data gives context to customer data and helps the customer make better decisions about it. (See clause 61(2) of the Bill for the full definitions.)
Part 3 of the Bill proceeds to create a number of regulation-making powers. The main power (clause 62(1)) allows the Secretary of State or the Treasury to make regulations requiring suppliers of particular types of goods, services and digital content to provide their customers (or their customers’ authorised representatives) with access to their customer data.
As an illustration of how this might work, think of a mobile app which shows users (who have connected their domestic utility accounts) a real-time dashboard of their consumption (customer data) and offers, perhaps as a premium service, a switching feature which ensures the user automatically gets the most competitive tariff available in the market (business data).
Part 3 also contains powers to create an enforcement regime and financial penalties for supplier non-compliance, among other things.
4. Who will be affected?
The plan is that the main beneficiaries of the Smart Data framework will be consumers and businesses (particularly SMEs): once the delegated legislation comes into effect, the Government’s vision is for a vibrant ecosystem of new Smart Data-enabled products and services that will help consumers switch utility providers, get better access to information about their finances, or find a better broadband deal, for example.
It is also hoped that mandating the sharing of Smart Data in sectors beyond retail banking will spur Open Banking-type innovation in new sectors: a boon for startups and competition.
On the other side of the ledger, new Smart Data rules will have a cost implication for the businesses who would be required to comply with new data sharing arrangements. As they stand, the proposals in the Bill are not sector-specific: the Secretary of State and the Treasury would be free to make regulations to cover any sector. But the Government appears to have certain areas in its sights: non-bank financial services, utilities and telecommunications are all called out in the impact assessment for Part 3 of the Bill.[2]
The impact assessment puts forward a cost estimate for a Smart Data scheme in the telecommunications sector and suggests a ‘best estimate’ implementation cost for all providers affected by the scheme of £610m. This is around half the equivalent figure for the implementation of Open Banking (£1.25bn).
5. Why is the detail left to secondary legislation?
Part 3 of the Bill would be ‘enabling’ legislation: it creates the powers necessary for the Government to implement Smart Data schemes, but leaves the detailed technical and policy decisions to secondary legislation (i.e. regulations).
The main reason for this is that Smart Data schemes are likely to be introduced on a sector-by-sector basis in future, and specific rules would be required in each case.
The Bill envisages a significant degree of Parliamentary scrutiny of secondary legislation introducing new Smart Data schemes under Part 3 of the Bill: any regulations introducing a new Smart Data scheme, or making an existing scheme more onerous for data holders, would be subject to the affirmative resolution procedure. This means the regulations would require the active approval of both Houses of Parliament.
6. How does this square with developments in the EU?
The Smart Data proposals at Part 3 of the Bill will be welcomed by those looking to see the UK capitalise on previous success in Open Banking, and make progress on data regulation more generally. The obvious point of comparison is with the rapid developments underway in the EU: the Data Governance Act (applicable in the EU from mid-September 2023) and the draft Data Act and European Health Data Space rules.
In comparison with the EU developments, the Smart Data proposals appear modest: sector-specific Smart Data schemes in the UK versus the radical ‘horizontal’ proposals for data sharing and interoperability in the Data Act. They do, however, seek to build on the proven formula of Open Banking.
7. What’s next?
The Smart Data proposals are part of the larger Bill, so to make their way into law the Bill itself will need to be enacted, and there is no certainty this will happen, either under the current Government or a future one. It is worth noting that, judging from the tone of parliamentary debate, there does appear to be more cross-party support for Part 3 than for other parts of the Bill.
If the Bill is enacted, the next step will be for the Government to make regulations for a Smart Data scheme. Again there are no fixed timelines for this, although an amendment proposed by a Labour MP during the committee stage does seek to require the Secretary of State to “publish a target date for the coming into force of the first regulations” within 6 months of the enactment of the Bill.
If you would like to discuss the legal aspects of Smart Data in more detail, contact Chris Kemp at chris.kemp@kempitlaw.com.
[1] BEIS, ‘Next Steps for Smart Data: Putting consumers and SMEs in control of their data and enabling innovation’ (September 2020), p. 6 <https://tinyurl.com/4pa4rc3b>.
[2] See here, paragraph 10 on p. 10 <https://tinyurl.com/2s4krv7j>.
