Some parts of the Data (Use and Access) Act (DUAA) take effect today! This is our first chance to see how the Act is actually going to operate in practice. In this video, I'll talk you through the relevant provisions.

Many of these provisions are quite technical. So to make sense of them, Rob breaks them down into three categories: 

• New powers for government and regulators 

• Institutional reforms

• Amendments to existing data protection and privacy law

With these changes, we see new powers to support smart data and AI oversight, a modernised regulator with a new governance framework, and a series of updates to data protection law (some important, some... not so much).

If you need help understanding today's changes or any other aspect of UK data protection law, get in touch! Privacy Partnership knows this law inside out.

The Online Safety Act is why you might have been asked for your driver's licence on Reddit, X, and some... other websites. In this video, I explain how the OSA works and how it raises tensions with the UK GDPR.

The OSA applies to "user-to-user" and search services with "links to the UK". This covers websites from social media giants to tiny online message boards.

Through a series of risk assessments, in-scope services must identify and mitigate risks around illegal content and harms to children.

To ensure services enforce their terms and keep kids away from inappropriate stuff, the law requires Ofcom to recommend that they use "proactive technologies", which can include "user profiling technologies".

The ICO released guidance on how to implement these profiling tools last week. For me, the guidance highlights why the OSA puts some service providers in a tricky spot. 

The OSA and Ofcom expect profiling technologies to be highly effective. The law's stated aims involve cleaning up the web and keeping kids safe.

The UK GDPR and the ICO expect profiling technologies to be minimally intrusive. Profiling is a high-risk, and can involve very sensitive personal data.

I don't think these goals are contradictory, but OSA-covered services will need to think carefully about meeting their obligations under both regimes.

Highly effective profiling technology might not *need* to be intrusive, but services will always need to find the least intrusive option to meet their aims. This adds an extra layer of complication to an already complicated compliance framework.

Watch this episode of the Privacy Partnership podcast for a quick primer on the OSA and the data protection issues the law raises.

Are you using an in-house tool powered by an AI model from OpenAI, Google, or Meta to produce marketing copy? You might soon be responsible for watermarking your AI-generated content.

In this episode of the Privacy Partnership Podcast, Rob explores a common scenario, where a company fine-tunes a general-purpose AI model and builds a simple internal tool for staff to generate copy in its own brand voice. 

While the company might think it is simply a "deployer" of OpenAI's general-purpose AI model, it could actually be the provider of an AI system under the AI Act.

This matters because Article 50 of the AI Act introduces a wide-ranging transparency requirement: The provider of an AI system that generates synthetic text, video, images, or audio must ensure the output is detectable as AI-generated.

While there are widely adopted image and video watermarking techniques, reliably watermarking text is more difficult. 

This legal obligation kicks in from 2 August 2026. And importantly, the AI Act’s grandfathering clauses don’t appear to cover Article 50 systems. So the requirement may apply retroactively to systems already in use by that date.

The AI Office is supposed to issue codes of practice in this area, but there’s been no obvious progress on this task so far. 

These obligations appear to have been designed with "big tech" in mind, but they can apply to much smaller organisations too.

Watch the video for a breakdown of how an organisation can easily become a "provider" under the AI Act, how "models" differ from "systems", and why many companies might end in-scope of Article 50.

Let me know if you need help navigating these or other AI Act requirements.

Last week, the ICO fined Scottish charity Birthlink £18,000 for destroying around 4,800 adoption records. In this video, Rob explains why this is such an interesting case.

Birthlink is an Edinburgh-based charity that maintains the Adoption Contact Register for Scotland. It provides specialised support for people involved in adoptions.

At the heart of this case are the "linked records": Manual paper files created when a successful link had been made between individuals on the adoption contact register. 

The linked records included original birth certificates, handwritten letters from birth parents to their children, photographs of babies, and other very sensitive personal data.

In April 2021, a decision was made to create more space in the filing cabinets. Birthlink destroyed the linked records in question. 

This allegedly happened with no formal board approval, no data retention or destruction policies in place, no data protection training for the staff that made the decision, and no records kept of exactly which files were destroyed.

The ICO shaved down a £45,000 fine (from the notice of intent) to £36,750 and then £17,000. 

Confusingly, the monetary penalty notice suggests the Commissioner approached the fine calculation in the same way as it would when enforcing a public body, but the ICO has since said it did not apply its controversial "public sector approach" (as it did against the YMCA last year).

Either way, there are some important lessons here, particularly on accountability, data integrity, and the "storage limitation" principle.

Get in touch: [email protected]

I spoke to Boris Wojtan, Senior Privacy Counsel at Privacy Partnership Law, about "Access to Customer and Business Data" under Part 1 of the UK's Data (Use and Access) Act.

This has been on my "get to grips with this" list for absolutely ages.

Like me, you're probably familiar with the DUAA's amendments to the UK GDPR, the DPA 2018, and PECR.

But that's just one part of the legislation, and the other parts could have an even greater impact on a huge range of organisations.

In this episode, Boris and I discuss how the law will require businesses to share personal AND NON-personal data with their customers and third parties.

Having worked for organisations like the ICO, the GSMA, and BT, Boris knows this stuff inside-out.

Boris explains what this part of the law aims to achieve and offers some great advice on how to get ahead of upcoming government regulations.

Once these provisions take effect, there will be new obligations on businesses to share in a way *should* stimulate the economy and benefit consumers.

If you collect data about how people interact with your services, you might be required to process or share that data in new ways.