The UK data protection reform package is entering into its final stages, and looks set to become law in a matter of weeks. The Data (Use and Access) Bill (DUA Bill) returned to the House of Lords for consideration of Commons amendments in the parliamentary "ping pong" process on May 19, 2025, after Members of the Lords first considered changes made by MPs in the Commons on May 12, 2025. The draft bill will now be passed between the two houses until they both agree to the wording, after which it can gain Royal Assent (approval from the king) and become law. As far as data protection is concerned, the legislation is more of a refinement of existing law than a radical departure. However, the changes are likely to require businesses to revisit their processing activities and policies, paying particular attention to direct marketing practices in light of significantly larger maximum fines for non-compliance.
Background
UK data protection reform has undergone a number of iterations
since its original inception under the previous government.
Following the Labour Party's election victory in July 2024, the
King's speech included a Digital Information and Smart Data
Bill. The bill was subsequently renamed the Data (Use and Access)
Bill and was introduced to the House of Lords on October 23, 2024,
through which it completed its passage and was the subject of
significant debate and amendment. The DUA Bill supersedes the
previous government's failed data protection reform attempts,
the Data Protection and Digital Information Bill, and its successor
and second iteration, the Data Protection and Digital Information
(No. 2) Bill (DPDI Bill), which failed to complete its journey
through Parliament prior to the end of the wash-up period under the
outgoing Conservative government in 2024.
Speaking at the International Association of Privacy Professionals
(IAPP) Data Protection Intensive UK 2025 in London, UK Minister
of State for Data Protection and Telecoms Chris Bryant said "The single most
important thing for us is to improve trust in the use of
data," adding "We'll finish this bill by Easter or a
couple weeks after."
Information Commissioner John Edwards has been broadly supportive
of the DUA Bill, stating on the Information Commissioner's
Office (ICO) website:
Overall, the Bill remains one which I support as improving the effectiveness of the data protection regime in the UK, upholding people's rights, providing regulatory certainty and clarity for organizations and improving the way the ICO regulates.
Changes the DUA Bill Would Introduce
The DUA Bill is an evolution of the DPDI Bill, much of which it
retains. The DUA Bill includes proposals in relation to smart meter
schemes, digital verification services, data sharing to improve
public service delivery, retention of biometric data, retention of
information by internet service providers (ISPs) in connection with
a child's death, and trust services.
The DUA Bill is divided into eight parts and 16 schedules. Part 5
makes various changes to the UK General Data Protection Regulation
(UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy
and Electronic Communications Regulations 2003 (PECR). These
changes include the following:
1. Definition of scientific research and changes to the rules on consent to scientific research
The DUA Bill introduced a new definition of scientific research,
which would bring the substantive provisions of the UK GDPR into
line with the existing recitals and regulatory guidance,
encouraging a broad interpretation of the concept of
"scientific research," as well as streamlining consent
requirements. However, the specific rules around scientific
research have been the subject of much debate in Parliament, and
have yet to be finalized.
2. Changes to lawful bases for processing — examples of legitimate interests
The DUA Bill introduces a non-exhaustive list of examples of
processing activities that can constitute a legitimate interest of
the controller, for the purposes of Article 6(1)(f) UK GDPR. These
include processing that is necessary for the purposes of direct
marketing; intra-group transmission of client, employee, or other
individuals' personal data for internal administrative
purposes; and ensuring the security of network and information
systems, largely reflecting the recitals of the UK GDPR.
A new Article 6(1)(ea) provides for lawful processing for the
purposes of a "recognized legitimate interest" where such
processing meets a condition in Annex 1 of Schedule 4 of the
bill.
The recognized legitimate interests are where the processing is
necessary for:
- Disclosure to a person carrying out a public interest task
- Safeguarding national security
- Protecting public security and defense purposes
- Responding to an emergency as defined in the Civil Contingencies Act 2004
- Detecting, investigating, or preventing crime or apprehending offenders
- Safeguarding vulnerable individuals
The Secretary of State may add, omit, or vary the list of
recognized legitimate interests, provided certain safeguards are
met.
3. Clarification of the purpose limitation principle (and exemption from the associated transparency requirements)
The DUA Bill would insert a new Article 8A that sets out the
conditions where further processing is compatible with the original
purpose of processing for which personal data were collected. The
circumstances are listed in Article 8A(3) and include where the
data subject has given fresh consent to the new purpose; where the
processing is for scientific or historical research; where
archiving is in the public interest; or where the processing is for
any of the purposes specified in Annex 2. Purposes specified in
Annex 2 include where the processing is necessary for disclosure to
a person carrying out a public interest task, public security,
crime detection, investigation and prevention, protection of a data
subject's vital interests, and safeguarding vulnerable
individuals. As with the proposed Article 6(1)(ea), the Secretary
of State may add, vary, or omit provisions to Annex 2.
4. Automated decision-making (ADM)
The DUA Bill relaxes some of the current restrictions on the use of
personal data, but not the use of special categories of personal
data such as health data, for the purposes of automated
decision-making. The bill clarifies that a decision based on
automated decision-making is one with no meaningful human
involvement. Controllers must consider the extent to which a
decision has been made on the basis of profiling when establishing
whether or not human involvement has been "meaningful." A
"significant decision" is one that results in legal or
comparably significant effects on a data subject. A significant
decision based wholly or partially on the use of any of the special
categories of personal data is prohibited unless the data subject
has given their consent, the activity is necessary for the purpose
of entering into or performing a contract, or is required by
law.
5. Data subjects' rights
The DUA Bill aligns the subject access provisions of the UK GDPR
with existing ICO guidance, for instance by permitting the
controller to "stop the clock" where it cannot proceed with the
response without further information from the data subject or proof
of the data subject's identity. Additionally, the bill clarifies that
controllers need only carry out a "reasonable and
proportionate" search for information and personal data in
response to a subject access request, which reflects current case
law (though does not provide further information on what
constitutes a "reasonable and proportionate" search).
However, the proposal from the DPDI for controllers to be able to
refuse a subject access request on the grounds that it is vexatious
has been dropped. Accordingly, controllers will still have to
demonstrate that a request is manifestly unfounded or excessive in
order to refuse to comply with a request.
6. Data Transfers
The DUA Bill introduces a more flexible, risk-based approach to
data transfers, which aligns with the UK's broader strategy to
diverge from the EU, though not so far as to jeopardize the UK
adequacy finding made by the European Commission. The bill would
replace Chapter V of the UK GDPR and require the Secretary of
State, when assessing adequacy, to consider whether the standard of
data protection in the country under consideration is materially
lower than the UK, and apply a "data protection test,"
which must be considered in relation to the appropriate
safeguards.
7. Changes to PECR
The DUA Bill makes a number of changes to PECR, in particular:
- New exemptions to the requirement for consent to set cookies for collecting statistical information to improve the service; functional purposes (i.e., how an information society service is displayed); personalization cookies (which automatically authenticate a repeat user of digital services or repeat visitor to a website, and maintain a record of settings or preferences); or where the sole purpose is to enable the geographical position of a user to be ascertained in response to an emergency communication
- Permitting charities to rely on the soft opt-in
- Aligning the ICO's enforcement powers with those of the UK GDPR, i.e., maximum fines of the greater of £17.5 million or 4% of the previous year's worldwide annual turnover
Impact on EU-UK adequacy finding
While the DUA Bill retains many of the changes proposed by its
predecessor, the DPDI, some of the more controversial proposals have
not been carried over, in particular: the DPDI's proposed
replacement of data protection officers (DPOs); changes to the
definition of personal data; amendments to data protection impact
assessments (DPIAs); extending the requirement to maintain a record
of processing activities (ROPA); and abolishing the requirement to
appoint a UK representative. These more controversial proposals
from the DPDI Bill threatened the UK's adequacy decision made
by the European Commission. The UK adequacy decision, which,
following Brexit, permits the free flow of personal data from the
EU to the UK, was set to expire on June 27, 2025, unless
extended.
On March 18, 2025, the European Commission published the draft
technical extension of the UK adequacy decision, which extends the
UK adequacy decision by a period of six months, expiring on
December 27, 2025, in order to allow the European Commission to
assess the adequacy of the protection of personal data under the UK
data protection regime as amended by the DUA Bill. On May 6, 2025,
the European Data Protection Board (EDPB) announced the adoption of
Opinion 06/2025 regarding the extension of the European Commission
Implementing Decisions under the GDPR and the Law Enforcement
Directive on the adequate protection of personal data in the United
Kingdom (Opinion 06/2025). Opinion 06/2025 provides that until
December 27, 2025, personal data transferred from the European
Economic Area to the UK will continue to benefit from an adequate
level of data protection. After this date, the European Commission
may make a new adequacy decision in favor of the UK, which will
depend on its assessment of the DUA Bill when it becomes law. Given
that the DUA Bill does not appear to result in a significant
divergence from the GDPR, such a finding seems likely.
Implications for businesses
The DUA Bill is in its final stages of parliamentary review and is expected to become law in June 2025. It is an evolution rather than a revolution, and many of its changes are subtle refinements rather than radical shifts. However, businesses will need to revisit their internal policies, especially around research, marketing and AI transparency. Probably the most significant risk the DUA Bill creates for companies arises from the higher fines available to the ICO for breaches of PECR (which align with the maximum fines under the UK GDPR), since historically the ICO has tended to take more enforcement action for breaches of PECR than for breaches of the UK GDPR. In practice, this means that businesses engaged in direct marketing should revisit their policies before the new law takes effect. In addition, since website cookies are also regulated under PECR rather than the UK GDPR, and the ICO uses automated scanning to detect non-compliant cookies (see our March 2025 Advisory), website owners would be prudent to review their use of cookies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.