The Data (Use and Access) Bill (“DUA Bill”) has begun its passage through Parliament and promises significant changes to the UK’s data protection and e-privacy landscape. Introduced in the House of Lords on October 23, 2024, the Bill revives several proposals from the Data Protection and Digital Information Bill (“DPDI Bill”), which fell away when Parliament was dissolved earlier in 2024. The DUA Bill is broader in scope, covering data sharing and digital verification schemes among other matters, but this article focuses on its data protection and e-privacy reforms. Those reforms are narrower than the DPDI Bill’s, and several of the more controversial DPDI measures have been dropped.
Key Data Protection and E-Privacy Changes
Legitimate Interests
The DUA Bill introduces a list of “recognized” legitimate interests: a lawful basis for processing that does not require the controller to carry out the usual balancing test between its own interests and the rights and freedoms of the data subject. The recognized interests cover purposes such as national security, defense, emergency response and safeguarding vulnerable individuals, so they are unlikely to be of direct use to most businesses.
Separately, the Bill lists examples of processing that may constitute an ordinary legitimate interest (still subject to the balancing test), such as direct marketing, intra-group data sharing for internal administrative purposes, and ensuring the security of network and information systems. Many businesses already rely on legitimate interests for these purposes, so little change is expected in practice. The Secretary of State will also have power to add further recognized legitimate interests by regulations.
Special Category Data
A power that was not in the DPDI Bill allows the Secretary of State, by regulations subject to parliamentary approval, to add further categories of data to the list of special category data and to amend the conditions under which such data may be processed. Because special category data attracts enhanced protections, any such regulations could increase the regulatory burden on businesses.
Businesses will therefore need to watch for new classifications and processing conditions and be ready to adjust their data protection frameworks, including lawful-basis assessments and access controls for the affected data, so that they continue to meet the enhanced protections.
Research Relaxations and Clarifications
The DUA Bill clarifies that “scientific research” includes both commercial and non-commercial research. It also simplifies the rules on data subjects’ consent where the objectives of research cannot be fully identified at the outset and evolve during a study, a recurring difficulty for researchers under the current rules.
The Bill also clarifies the purpose limitation principle, that is, the rule that personal data must not be processed for new purposes incompatible with those originally specified, including how it applies to further processing for research. This should reduce the legal uncertainty researchers face when continuing or extending their work.
Automated Decision-Making (ADM)
The DUA Bill narrows the existing UK GDPR restriction on solely automated decision-making: the restriction will apply only to significant decisions, taken without meaningful human involvement, that are based on special category data. Solely automated significant decisions based on other (“normal”) personal data will be permitted, provided safeguards are in place, including informing the data subject and giving them the ability to make representations, obtain human intervention and contest the decision.
These measures, carried over from the DPDI Bill, are intended to ease the deployment of AI and other automated systems across a wider range of applications while preserving core protections for data subjects.
International Data Transfers
The DUA Bill carries forward the DPDI Bill’s “data protection test” for international transfers. The test is applied both by the Secretary of State when making adequacy regulations and by exporters when assessing whether a transfer mechanism, such as standard contractual clauses, provides appropriate protection. The test is met where the standard of protection in the recipient territory is not “materially lower” than the standard in the UK.
This gives businesses a clearer, and somewhat more flexible, framework for evaluating the protection available in other territories, and it is framed so as not to put the UK’s own standing in the global data protection landscape, including its EU adequacy status, at risk.
Data Subject Rights
Existing Information Commissioner’s Office (ICO) guidance on subject access requests will be put on a statutory footing: the response deadline can be paused (“stopping the clock”) while the controller waits for information it needs from the requester, and controllers need only carry out searches that are “reasonable and proportionate”. Data controllers will also have to accommodate a new right for data subjects to complain directly to the controller, which means updating privacy notices to explain this right and putting a complaints-handling process in place.
The aim is to make it easier for data subjects to exercise their rights and to have their concerns addressed promptly. Businesses will need to update their privacy policies and internal procedures to comply with these requirements.
E-Privacy Reforms
The DUA Bill removes the consent requirement for certain low-risk cookies and similar technologies, such as those used for statistical (analytics) purposes or to record user preferences, provided the conditions in the Bill, including giving users clear information and a simple way to object, are met. This reduces the compliance burden for sites that rely on such cookies.
The Bill also raises the maximum fine under the Privacy and Electronic Communications Regulations (PECR), currently capped at £500,000, to the UK GDPR level (up to £17.5 million or 4% of worldwide annual turnover, whichever is higher), bringing the two regimes into line and signalling a tougher stance on breaches.
Dropped Measures from the DPDI Bill
Definition and Scope Changes
The DUA Bill omits several DPDI Bill measures. Notably, it does not include the proposed change to the definition of “personal data”, which would have narrowed its scope by introducing a more subjective test. Businesses will therefore continue to operate under the existing, broader definition, which captures a wide range of identifiable information.
Omitting this change preserves the status quo rather than shifting how personal data is interpreted. Businesses must remain diligent in identifying, categorizing and protecting personal data, notwithstanding calls from some sectors for a narrower definition to reduce compliance burdens.
Thresholds and Administrative Burdens
The DUA Bill also does not lower the threshold for refusing or charging for a data subject access request: it remains “manifestly unfounded or excessive” rather than the DPDI Bill’s proposed “vexatious or excessive”. Keeping the higher threshold arguably preserves a fair balance between data subjects’ rights and controllers’ obligations, limiting abuse of the access right while ensuring genuine requests are honoured.
Other DPDI measures intended to reduce the administrative burden on businesses have also been dropped: limiting record-keeping obligations, replacing mandatory Data Protection Officers with “senior responsible individuals”, and removing the requirement for in-scope organizations not established in the UK to appoint a UK representative. These requirements therefore continue in their current form, without the relief some businesses had hoped for.
ICO Independence
One of the most notable dropped measures is the controversial requirement for the ICO to take the government’s strategic priorities into account, which had raised concerns about the regulator’s independence. By omitting it, the DUA Bill reinforces the ICO’s autonomy and reduces the risk of government influence over its oversight. This matters for the UK’s EU adequacy status, which depends in part on an independent supervisory authority.
Likely Next Steps
The DUA Bill’s second reading is scheduled for November 19, 2024. Given that the DPDI Bill had nearly completed its parliamentary passage before it fell away and few contentious points remain, the process could move quickly. A significant departure from the UK GDPR remains unlikely, not least because the European Commission’s adequacy decisions for the UK expire in June 2025 unless renewed. Major changes to businesses’ data protection compliance regimes are not anticipated, although the DUA Bill’s provisions on automated decision-making and research processing could offer more flexibility.
Businesses seeking substantial reductions in regulatory burden or additional means to curtail subject access requests will likely be disappointed. The Information Commissioner, John Edwards, has welcomed the DUA Bill as a “positive package of reforms,” believing it maintains a beneficial balance without jeopardizing the UK’s adequacy status.
Conclusion
The DUA Bill, introduced in the House of Lords on October 23, 2024, revives several ideas from the DPDI Bill and covers a broader range of topics, including data sharing and digital verification schemes; this article has focused on its data protection and e-privacy reforms.
Those reforms are more limited than the DPDI Bill’s, and a number of the more controversial DPDI measures have been omitted. The omissions suggest a more measured approach, designed to attract broader consensus and to avoid jeopardizing the UK’s adequacy status.
Even so, the Bill remains a significant piece of legislation. If passed, it will shape both individual privacy rights and organizational data responsibilities, aiming to balance robust data protection with data sharing and digital innovation and to prepare the UK for future developments in the use of digital data.