Smart Data in Digital Markets: UK Call for Evidence

Following the passage of the Data (Use and Access) Act 2025, the UK's Department for Science, Innovation and Technology (DSIT) has wasted no time pursuing the opportunities of opening up the digital sector. The Act will now usher in Smart Data schemes in different sectors, with DSIT pursuing a proposal to launch a scheme for the digital sector. They describe Smart Data schemes as intending to provide "enhanced data portability rights beyond the right to data portability in Article 20 of the UK GDPR", recognising that the GDPR does not "guarantee provision of customer data in 'real time' or in a useful format, nor covers wider contextual data."

Smart Data will expand on previous user-consented data sharing schemes like Open Banking to new sectors. Users will be able to port their personal and business data to authorised and accredited third parties. Similar to data sharing obligations under the European Digital Markets Act, data portability must be immediate and continuous, based on accepted secure data formats and Application Program Interfaces (APIs).

At present, data subjects often perceive themselves as having no control over their data. For data subjects to exercise their rights, the processes are tedious and lengthy, if they work at all. If the process is made difficult, with data portability options tucked away in difficult-to-find corners of their settings, to then being delivered a bundle of technical files that they cannot read, users cannot easily act on the right to access their data. However, when made simple through a consent flow within an app, for example, users are much more likely to be able to act on their data rights. However, such easier consent flows only work when APIs are deployed by data holders, and if they are mandated to provide real-time and continuous access to data. While it would not be reasonable to place heavy technical burdens on smaller businesses, large businesses which hold vast amounts of data on subjects should be mandated to provide more sophisticated data portability tools. Smart Data Schemes could see the biggest data holders forced to provide infrastructure to finally get user-consented data portability working.

CODE has previously campaigned for Smart Data in digital markets, and we intend to continue to support its development. We see this as an opportunity to promote user data rights, expand user choice, and increase competition in digital markets.

What comes next?

DSIT has launched a call for evidence on Smart Data in digital markets to help build the scheme. Beyond questions about use cases and data that access seekers would find most useful, other important questions have been raised regarding how the scheme would be governed, what regulatory oversight might be required, as well as what data standards might be needed and whether the digital markets scheme should be interoperable with other sector schemes.

Considerations in designing Smart Data for Digital Markets

Which digital businesses should fall under the scheme? Open Banking mandated that the 9 largest banks cooperate in creating and implementing technical standards to open up financial services, after the Competition and Markets Authority found the financial sector to be overly concentrated. The digital sector is equally as concentrated, with one company currently holding over 90% market share for online search and one company owning the top 4 social media platforms in the UK. Will Smart Data for digital markets follow the same blueprint? For legal certainty, a threshold could be set as to which firms should be designated as data holders obliged to comply with the Smart Data scheme. DSIT could use the turnover threshold set by the Digital Markets, Competition and Consumers Act, or similarly look at the European Digital Markets Act, both of which set a high threshold to ensure only the largest companies are caught under the regime. While the Smart Data scheme should allow for wide user-consented portability, it should also be ensured that the more stringent technical requirements are proportionately put onto larger businesses.

APIs: Data holders would need to ensure they provide APIs based on common open standards, ensuring consistency. We may also need to agree on what data can be accessed through these APIs to ensure access seekers can use the data effectively while also ensuring data minimisation. For example, data access seekers should be able to select granular data to choose only the scopes and time ranges of data needed. There will need to be consideration of metadata and rate limits to ensure data is usable and scalable.

Accreditation: We would need an independent accreditation body to verify and accredit trusted data access seekers, and maintain oversight of compliance. Like in Open Banking, data holders would be legally obliged to grant data access requests, taking the power out of incumbents' hands. Do we need a new body or can an existing regulator take on this role? 

User Security: While data porting will occur through user consent, security is still a top priority. At the time of the first user data porting request, users should go through a layer of security such as two-factor authentication, as a prevention against fraud or hacking. There will not be a need for excessive security warning screens, however, as data access seekers will already be accredited.

Read/write requests: CODE has previously submitted that accredited data access seekers could be given ‘read’ and/or ‘write’ access to user data held by large online platforms. Providing ‘read’ access would enable third-party providers to port the user’s data to their service on a real-time and continuous basis for a time period specified by the user, but with a maximum period of 12 months before consent must be repeated. Providing ‘write’ access would allow third parties to make changes externally, giving the user greater control of their data from a centralised service. For example, users could submit a data deletion request from a third-party provider, which would be pushed out to the original data holder platform to act on accordingly.

The call for evidence closes on 15 September 2025. We hope CODE members will contribute their thoughts on designing a potentially groundbreaking new Smart Data Scheme.