The Data (Use and Access) Bill ("DUA Bill") began its parliamentary journey in the House of Lords on 23 October 2024. It resurrects many of the changes from the previous government's Data Protection and Digital Information Bill ("DPDI Bill"), which fell away before the general election. This briefing focuses on the package of data protection and e-privacy reforms proposed in the DUA Bill, although the bill's ambit is much wider than data protection, also covering data sharing and digital verification schemes. Overall, its data protection reforms are more limited than those previously proposed, and certain controversial measures from the DPDI Bill have been dropped.
What are the key data protection and e-privacy changes proposed under the DUA Bill?
Most of the proposed reforms will be familiar to those who followed the progress of the DPDI Bill, with a few exceptions that we have indicated below.
- Legitimate interests
- Power to add types of "special category data"
- Relaxations for research and clarifications in relation to new purposes
- Automated decision-making (ADM)
- A more risk-based approach to international transfers
- Tweaks in relation to data subject rights (don't get excited, data controllers!)
- e-Privacy
- Reforming the ICO
Legitimate interests
- The DUA Bill sets out a list of "recognised" legitimate interests as a legal basis for processing. These cover various public interest purposes, such as national security and defence, responding to emergencies and safeguarding vulnerable people, for which no balancing test (i.e. weighing the data controller's legitimate interests against the rights and interests of the data subject) would be required. These recognised interests will not be relevant to the majority of businesses.
- There is then a list of other types of processing which "may" count as legitimate interests: direct marketing purposes, sharing data intra-group for internal administrative purposes, and ensuring the security of network and information systems. Many businesses already rely on the legitimate interests basis for processing in these circumstances, so this is unlikely to change the position on the ground significantly.
- The Secretary of State can specify in the future further types of processing which qualify as "legitimate interests".
Power to add types of "special category data"
- A significant addition, not present in the DPDI Bill, is a power for the Secretary of State (subject to the approval of Parliament) to class further types of data as special category data and to change the bases on which such data can be processed. This could substantially increase the burden on businesses, given the additional protection afforded to special category data.
Relaxations for research and clarifications in relation to new purposes
- The DUA Bill clarifies that the concept of "scientific research" covers commercial as well as non-commercial research and simplifies the rules in relation to data subjects' consents for scientific research where purposes evolve.
- It also provides clarification around the principle that data cannot be processed for further purposes which are incompatible with the original specified purpose(s).
Automated decision-making (ADM)
- The existing restriction on ADM inherited from the GDPR is narrowed so that it only applies where a "significant decision" made without meaningful human involvement relies on the processing of special category data. The DUA Bill therefore liberalises ADM which relies on "normal" personal data, whilst bolstering data subject rights around ADM, e.g. the rights to make representations, to contest the decision and to require human intervention. These measures were in the DPDI Bill and are intended to make it easier to deploy AI for additional use cases, with guardrails.
A more risk-based approach to international transfers
- The "data protection test" for international transfers is also carried over from the DPDI Bill. It is to be used for assessing adequacy both when the Secretary of State makes adequacy regulations and when exporters assess the adequacy of safeguards such as standard contractual clauses. The more flexible test is whether the standard of protection in the recipient territory is "materially lower" than that in the UK; if it is not, the transfer can proceed.
Tweaks in relation to data subject rights (don't get excited, data controllers!)
- Current ICO guidance would be put on a statutory footing in two respects: the response period for a subject access request could "stop the clock" where the controller needs further information from the requester, and searches in response to a subject access request would be limited to those that are "reasonable and proportionate".
- Data controllers will need to be able to respond to a new right for data subjects to complain directly to the controller (and to put in place processes for handling such complaints), and to amend their privacy policies to include information about this new right.
e-Privacy
- The DUA Bill removes the consent requirement for specified non-intrusive cookies (and similar technologies), including those used for analytics and for recording user preferences, which is helpful.
- Maximum fines under PECR, currently £500,000, are to be aligned with the much larger fines under the UK GDPR.
Reforming the ICO
The ICO will become the Information Commission and have a new corporate structure, along the same lines as the FCA, CMA and Ofcom. The Information Commission will also have additional information gathering and investigatory powers (carried over from the DPDI Bill) which could increase pressure on businesses, particularly in the context of a data breach.
Which DPDI Bill measures have been dropped?
Measures from the DPDI Bill that have been dropped include:
- changes to the definition of "personal data", which set out a subjective test to narrow the scope of data caught by the UK GDPR.
- revising the threshold for refusing or charging for data subject access requests from "manifestly unfounded or excessive" to "vexatious or excessive".
- various measures intended to reduce the administrative burden on businesses, such as limiting record keeping obligations, replacing mandatory Data Protection Officers with "senior responsible individuals", replacing "Data Protection Impact Assessments" and removing the requirement for in-scope entities to appoint a UK representative if they are not established in the UK.
- the controversial requirement for the ICO to take account of the government's strategic priorities, which many feared would impact the independence of the ICO.
What is likely to happen next?
It is early days - the DUA Bill's second reading is scheduled for 19 November 2024. The process could however move more swiftly because the DPDI Bill on which it is based had almost completed its parliamentary journey when it fell away, with few contentious points remaining (and those points look largely to have been scrapped). In any event, a substantial departure from the UK GDPR is unlikely given that the EU Commission's adequacy decision in respect of the UK is due to be reviewed by June 2025 – the risk of the changes currently on the table impacting the UK's adequacy is slim.
It is also unlikely that businesses would have to make any significant changes to their data protection compliance regimes to comply with the DUA Bill if it is enacted in this form. They may find the softening of the requirements around automated decision-making helpful when rolling out AI initiatives, as well as the flexibility around processing for research purposes. Businesses hoping for a bonfire of red tape, however, or for more ways to curb subject access requests, will be disappointed.
The Information Commissioner, John Edwards, has welcomed the DUA Bill as a "positive package of reforms" and has expressed the view that "the proposed changes in the Bill strike a positive balance and should not present a risk to the UK's adequacy status".
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.