The UK Data (Use and Access) Bill (the “DUA Bill”) has had a surprisingly prolonged passage through Parliament, moving back and forth between the House of Commons and the House of Lords as it approaches its final stages. This “ping-pong” reflects the complexity of, and controversy surrounding, certain of its provisions. Once the DUA Bill is agreed, its provisions are expected to be brought into force within approximately 12 months. This article summarises certain of the key changes to UK data protection and privacy legislation proposed by the DUA Bill, considers the impact of those changes on the UK’s existing EU Commission adequacy decisions and discusses how businesses should approach compliance.
How the DUA Bill Amends Data Protection and Privacy Legislation
The DUA Bill proposes fundamental changes to the UK’s data protection and privacy legislation, including the UK General Data Protection Regulation (“UK GDPR”). The focus of the UK government is to modernise and streamline existing legislation as part of an effort to bolster data governance in the UK. It addresses key areas of data protection and privacy, such as legitimate interests, international data transfers and automated decision-making (“ADM”), while also covering other data-related areas, including smart data and public registers. It seeks to balance the need for flexibility in data processing with robust safeguards for personal data, reflecting the evolving digital landscape and the increasing importance of data-driven technologies. The UK government believes that the proposed legislative amendments will foster innovation and enhance public trust, while remaining aligned with international standards and the EU General Data Protection Regulation.
AI Models
The key topic which remains under debate between the House of Lords and the House of Commons is whether to include provisions related to AI models. The House of Lords argued for the inclusion of transparency requirements for business data used in relation to AI models and inserted provisions requiring developers of AI models to publish all information used in the pre-training, training, fine-tuning and retrieval-augmented generation of the AI model, and to provide a mechanism for copyright owners to identify any individual works they own that may have been used during such processes. These provisions emerged as the most contentious aspect of the DUA Bill, contributing significantly to its ongoing back-and-forth between the House of Commons and the House of Lords. The House of Commons is of the view that transparency requirements for AI models warrant separate legislative action, arguing that their inclusion in the DUA Bill would complicate the overarching framework and would require additional public funds. As of the time of writing, the transparency provisions for AI models have been removed from the DUA Bill and replaced with provisions requiring the Secretary of State to introduce, amongst other things, draft legislation containing proposals to provide transparency to copyright owners regarding the use of their copyright works as data inputs for AI models. We now wait to see whether this approach will be agreed to between the House of Lords and House of Commons.
Recognised Legitimate Interests and Legitimate Interests
The DUA Bill introduces “recognised legitimate interests” as a new lawful basis for processing personal data. Building on the existing lawful basis of legitimate interests, this new basis allows businesses to process personal data for specific purposes listed in the DUA Bill without conducting the balancing exercise that forms part of a traditional legitimate interests assessment (“LIA”). The controller must still be able to show that the processing is necessary for the listed purpose; what falls away is the need to weigh that purpose against the interests and rights of the data subject. The listed purposes include national security and defence, responding to emergencies and safeguarding vulnerable people.
Additionally, the DUA Bill sets out a further, non-exhaustive list of processing activities which “may” be carried out in reliance on the existing legitimate interests lawful basis. Such activities are not “recognised legitimate interests” and therefore still require an LIA, but the statutory footing gives businesses more certainty when seeking to rely on legitimate interests for them. The listed activities include direct marketing, sharing data intra-group for internal administrative purposes, and ensuring the security of network and information systems.
International Data Transfers
The DUA Bill amends the adequacy decision framework in several ways. The amendments re-work Article 45 of the UK GDPR so the framework comprises “transfers approved by regulations,” as opposed to “transfers on the basis of an adequacy decision.” To approve a country by regulations, the UK Secretary of State must be of the view that the “data protection test” is met, i.e., the standard of protection in the third country is “not materially lower” than that of the UK. Similar to the UK GDPR, the DUA Bill sets out considerations which the UK Secretary of State should take into account when assessing whether the data protection test is met for a third country, including, for example, whether the third country has respect for the rule of law and human rights, and whether the third country has an authority for enforcing data protection. While the amendments initially appear as fairly substantial, they are unlikely to significantly affect international data transfers from the UK as they do not radically reform the existing framework.
Data Subject Access Requests
The DUA Bill seeks to address certain challenges posed by data subject access requests (“DSARs”). The amendments clarify that data subjects are only entitled to the personal data found by a “reasonable and proportionate” search by the business, the intention being to reduce the cost and administrative burden on businesses of fulfilling DSARs. The DUA Bill also restates the time limit for responding to a DSAR on a clearer statutory footing, confirming that businesses may extend the initial one-month period by a further two months where necessary by reason of the “complexity” or “number” of requests made by a data subject, and provides that the clock stops running while the business awaits information it reasonably requires from the data subject to identify the data requested.
Automated Decision-Making
The DUA Bill relaxes restrictions on the use of ADM. The existing restrictions under Article 22 of the UK GDPR (e.g., the need to obtain the individual’s explicit consent, or for the decision to be necessary for a contract or authorised by law) will apply only where the decision is based on special category data. Where ADM does not involve special category data, the DUA Bill still requires that safeguards be implemented, such as informing the individual that a decision has been taken solely by automated means, allowing the individual to make representations, and allowing the individual to contest the decision and obtain human intervention.
Scientific Research Provisions
The DUA Bill broadens the definition of scientific research to encompass any research “reasonably described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity,” expanding the exemptions for processing of special category data under the UK GDPR to include privately funded and commercial research. The definition also removes the need for a public interest assessment with respect to the processing of scientific research data. Separately, the DUA Bill allows data subjects to give “broad consent” to the use of their data for an area of scientific research even where it is not yet “possible to identify” the specific research purposes at the time the consent is sought.
Purpose Limitation
The DUA Bill clarifies the concept of “further processing.” Amongst other things, it sets out criteria to help assess whether further processing is compatible with the original purpose, such as the link between the new and original purposes, the context in which the data was originally collected and the possible consequences for data subjects of the further processing being contemplated. It also sets out instances in which processing for a new purpose is deemed compatible with the original purpose, for example where the data subject consents or where the processing meets a condition set out in the new Annex 2 to the UK GDPR, such as where the processing is necessary for the purposes of complying with an obligation of the controller under an enactment, a rule of law or an order of a court or tribunal.
Children’s Data
Emphasising the protection of children’s data, the DUA Bill introduces the concept of “children’s higher protection matters” into the principle of data protection by design and default, in the context of providing an information society service which is likely to be accessed by children. This places additional duties on businesses and on the Information Commissioner’s Office (the “ICO”) to take account of the particular vulnerability of children when carrying out their responsibilities under data protection law, with the aim of ensuring enhanced safeguards for young individuals.
Cookie Requirements and PECR Fines
The DUA Bill introduces key changes to the rules governing the use of cookies and similar tracking technologies under the Privacy and Electronic Communications Regulations (“PECR”), most notably regarding the need for consent. The DUA Bill provides exemptions from the requirement to seek consent for certain non-essential cookies and similar tracking technologies used solely to collect statistical data with a view to improving the appearance or performance of a website, to adapt a website to a user’s preferences, or to make improvements to services or a website. In practice, these exemptions are conditional: the user must be given clear and comprehensive information about the technology and a simple means of objecting to it, so businesses relying on them still need to offer an opt-out, even though no consent banner is required. The DUA Bill also includes an exhaustive list of purposes for which cookies and similar tracking technologies are considered strictly necessary, such as security and fraud detection; for these, neither consent nor an opt-out is required. Additionally, the DUA Bill aligns fines for non-compliance with PECR with those under the UK GDPR, setting the maximum at the higher of 4 percent of global annual turnover or £17.5 million.
Information Commission
The DUA Bill provides for significant organisational changes to the ICO. It abolishes the ICO and replaces it with the Information Commission, a body corporate, and replaces the single Information Commissioner with a Chair and a board of executive and non-executive members. It also reforms the process by which data subjects complain, requiring complaints to be raised with the relevant business first. A complaint can only be escalated to the regulator where the business has not dealt with it satisfactorily, thereby reducing the number of complaints reaching the regulator directly.
Other Provisions
Beyond the amendments to data protection regulations, the DUA Bill introduces other provisions that, according to the UK government, seek to promote the growth of the UK economy, improve UK public services and make people’s lives easier, such as:
- Smart Data: The DUA Bill introduces provisions enabling Smart Data Schemes, whereby the Secretary of State can issue regulations governing access to customer and business data. Open Banking is an example of a Smart Data Scheme already existing in the UK. Government consultations will define which businesses can access data and what safeguards apply.
- Digital Verification Services: The DUA Bill establishes a framework for “trusted” providers of digital verification services (“DVS”) by introducing a DVS register with additional certification through a DVS Trust Framework which will be created by the Secretary of State in consultation with the ICO. This initiative aims to enhance trust and security in digital verification processes.
- Healthcare Data: To facilitate data sharing across platforms, the DUA Bill mandates that IT systems in the healthcare system must meet common standards. The Secretary of State will be given the power to publish an information standard on IT services in the healthcare setting, including on technical provisions such as functionality, connectivity, interoperability, portability, storage and data security.
Conclusion
The DUA Bill represents a comprehensive effort to modernise data protection laws in the UK, balancing the need for economic growth and innovation with the imperative to safeguard individual privacy and data security.
The UK government is optimistic that these changes will be viewed favourably by the European Commission when it reviews the UK’s adequacy decisions. The European Commission recently granted a six-month extension to the UK’s two adequacy decisions to allow the UK additional time to finalise the DUA Bill, after which the European Commission intends to reassess the adequacy of data protection in the UK.
As the DUA Bill nears implementation, businesses affected by it should take proactive steps to review their data processing practices in anticipation of the new requirements. This preparation involves not only ensuring compliance with the new obligations (for example, the complaints-handling process and the conditions attached to the cookie exemptions) but also taking the opportunity to improve data management and security, and to streamline certain processing activities such as the use of ADM and cookies.