The Data (Use and Access) Bill (“DUA Bill”)[1] had its second reading on 19th November 2024 after being introduced in the House of Lords on 23 October and the Bill is anticipated to enter the Lords’ Committee stage in December. According to the Department for Science, Innovation and Technology, the DUA Bill will harness the power of data to boost the UK economy by an estimated £10 billion, free up thousands of police and NHS staff time and secure the effective use of data for the public interest.[2] The DUA Bill proposes to amend both the UK General Data Protection Regulation (“UK GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECRs”), despite little weight being placed on this in the Government’s initial press release.
How does the DUA Bill differ from the Data Protection and Digital Information Bill?
The Conservative government’s Data Protection and Digital Information Bill (“DPDI Bill”) was not enacted during the ‘wash up period’ prior to the July 2024 general election. Following Labour’s victory, a Digital Information and Smart Data Bill was proposed in briefing notes to the King’s Speech but was not in fact ultimately included in it. Instead, the DUA Bill appears to replace it. As the first major privacy-related legislation introduced by the new Labour government, it shares both similarities and differences when compared with the DPDI Bill.
The DUA Bill, the DPDI Bill and current UK data protection law
In this blog post, we discuss some of the key proposals in the DUA Bill, how these differ from the DPDI Bill, and how they will potentially affect existing legislation, including the UK GDPR and PECRs.
| Amendment proposed in the DPDI Bill/DUA Bill (links are to sections of the blog below with further detail) | Change proposed in the DPDI Bill? | Change proposed in the DUA Bill? | Will the DUA Bill provision directly affect existing UK law? |
|---|---|---|---|
| Expanding ‘legitimate interests’ | Yes | Yes | Article 6 UK GDPR. |
| New powers for the Secretary of State to amend the scope of the Art 9(1) UK GDPR prohibition on the processing of special categories of personal data | No | Yes | Article 11A UK GDPR (new); Sections 33, 35, 42A, 84, 86, 91A, 206 Data Protection Act 2018 (“DPA 2018”). |
| Clarifies that data subjects are entitled only to the findings of a reasonable and proportionate search, and the timeline for DSARs | Yes | Yes | Articles 12 and 15 UK GDPR. |
| Relaxing the use of automated decision-making | Yes | Yes | Articles 22, 22A to 22D (new) UK GDPR. |
| Amending rules on international data transfers | Yes | Yes | Articles 44 to 47, 49A UK GDPR. |
| Permitting implementation of cookies and similar tracking technologies without consent | Yes | Yes | Regulations 6, 6A (new) and Schedule A1 (new) PECRs (which modifies Parts 5 to 7 of the DPA 2018). |
| Amending the cap on fines under PECRs | Yes | Yes | Regulations 5, 5A to 5B (new), 31 to 31B and Schedule 1 PECRs; Section 157(2) DPA 2018. |
| Amending the Data Protection Officer role | Yes | No | N/A |
| Amending the definition of “personal data” | Yes | No | N/A |
| Changing the Information Commissioner’s Office to the Information Commission | Yes | Yes | Section 3(8) DPA 2018. |
| Children’s personal data (consideration regarding processing; retention of information following death) | Yes | Yes | Section 120A DPA 2018 (new); Sections 101 to 102 Online Safety Act 2023. |
| Introduces standards for health data to make patients’ data easily transferable and accessible in real time across the NHS | No | Yes | Sections 250 and 251 Health and Social Care Act 2012. |
| Requirement to keep records of processing | Yes | No | N/A |
| Requirement to carry out data protection impact assessments | Yes | No | N/A |
| Commercial data-sharing rules | No | Yes | N/A |
| Enables the electronic registration of births and deaths | Yes | Yes | Section 25 Births and Deaths Registration Act 1953 (new). |
| Legislates on digital verification services | Yes | Yes | N/A |
| Supports the future of open banking and the growth of smart data schemes | Yes | Yes | N/A |
| Puts the National Underground Asset Register on a statutory footing | Yes | Yes | Section 106 New Roads and Street Works Act 1991. |
Note: This table does not cover any changes to existing UK law relating to the processing of personal data by law enforcement or intelligence services.
A summary of key amendments to data protection laws:
1) Legitimate interests
The DUA Bill introduces a number of changes to the UK GDPR with respect to processing based on legitimate interests.[3]
First, and in line with the approach of the DPDI Bill, the DUA Bill provides more certainty for organisations looking to rely on legitimate interests by providing examples of processing that may be considered necessary for the purposes of a legitimate interest. These are processing for the purposes of direct marketing, intra-group transfers for internal administrative purposes and for IT security purposes.
Second, the DUA Bill introduces a list of “recognised legitimate interests” into Annex 1 of the UK GDPR, arguably creating a ‘whitelist’ of legitimate interests, where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The list is more restrictive than the list proposed in the DPDI Bill, but the Secretary of State can add to or vary this list.
2) Special categories of personal data
The DUA Bill grants the Secretary of State the ability to designate new special categories of personal data and to amend the types of processing that would fall under the Article 9(1) UK GDPR prohibition on certain processing activities. These additional powers were not mentioned in the DPDI Bill.[4]
3) Data subject rights requests
The DUA Bill clarifies that data subjects are only entitled to the findings of a “reasonable and proportionate search” in relation to data subject access requests.[5] The Bill clarifies that the one-month timeline to respond to a data subject rights request, referred to as the “applicable time period”, begins at the latest of: the receipt of the request, the receipt of information requested (if any) by the data controller to confirm the identity of the data subject in connection with the request, or the payment of a related fee (if any).[6] Interestingly, the DUA Bill does not retain the DPDI Bill’s proposal to lower the threshold from “manifestly unfounded” to “vexatious” when charging a fee for, or refusing to deal with, such a data subject request.
4) Automated decision-making
The DUA Bill seeks to facilitate the use of automated decision making by relaxing the current prohibition in Article 22 of the UK GDPR, provided that organisations using such automated decision-making implement safeguards. It is likely that this change was implemented to facilitate the increased use of AI.
The Bill initially proposed to only restrict automated decisions which have a “significant effect” [7] and involve the processing of special category data. Such automated decision making would only be permitted if an additional condition is met i.e. explicit consent, being necessary for the performance of a contract, required or authorised by law or for reasons of substantial public interest. The Bill also confirms that significant decisions cannot be taken based on solely automated processing if the processing is reliant on a “recognised legitimate interest”.[8] Additional safeguards are provided for and include the ability for individuals to obtain human intervention.[9] However, despite these proposed safeguards, businesses in the UK are still able to use automated decision making more freely than under the EU GDPR which has raised alarm bells with privacy campaign groups.[10]
To allay these concerns, the House of Lords have proposed to amend the DUA Bill to:
- Clarify that “meaningful human intervention” would be a review performed by a competent person;
- Confirm that automated decision making cannot contravene the Equality Act 2010;
- Widen the scope of the prohibition on automated decision making to apply to all decisions using any personal data, not just special category data; and
- Ensure that appropriate safeguards are in place for the broader scope of decisions based “predominantly” on automated decision making (rather than “solely”), which includes informing the data subjects of the reasons behind the automated decision making.[11]
5) International transfers
In a similar manner to the DPDI Bill, the DUA Bill grants the Secretary of State power to approve third countries or international organisations provided they meet the “data protection test”.[12] The test examines whether the standard of protection provided in third countries or international organisations is “not materially lower” than in the UK, for example, the Secretary of State will have to consider factors such as the respect for the rule of law, the existence of a supervisory authority, and judicial and non-judicial redress mechanisms available for data subjects. This differs from the current “essential equivalence” test and may have a bearing on the European Commission’s upcoming adequacy decision.
6) Cookies and other similar tracking technologies
The DUA Bill provides examples of when storage and/or access of information on an end-user’s device is classed as “strictly necessary”, helping to clarify a previously legal grey area regarding what would satisfy this exception.[13] Examples include ensuring the safety of terminal equipment, preventing or detecting fraud and maintaining a record of the selections made on a website. Changes have also been proposed in the Bill to allow consent to be sought only once for the setting of non-essential cookies[14] and that website operators can rely on users using their own browser settings to set their cookie preferences.[15]
Importantly, the Bill explains that the prohibition on using cookies or other tracking technologies does not apply where the sole purpose of the storage is to collect information for statistical purposes with a view to improving a service or website.[16] To rely on this exemption, the user must be provided with “clear and comprehensive information” about the storage and/or access of information and “a simple means to object”, and the information must not be shared with third parties; however, it is arguable that this may blur the lines and enable the use of first-party analytics cookies without consent.
The House of Lords have since inserted amendments into the Bill to ban cookie paywalls by enabling subscribers or users to signify their consent without having to make a payment.[17]
7) Information Commission
The DUA Bill proposes replacing the Office of the Information Commissioner with a new regulatory body: the Information Commission.[18] However, not all of the DPDI Bill’s proposed changes have made the cut. For example, under the DUA Bill, the Information Commission will not be bound to take into account the Government’s strategic priorities, a previously controversial point.
In addition, the Bill amends the current maximum fine of £500,000 for breaches of the PECRs[19], which means that organisations that breach their obligations related to cookies and direct marketing under PECRs could instead face a fine of up to 4% of their annual turnover.
8) Children’s personal data
The DUA Bill contains the same provisions as the DPDI Bill to amend the Online Safety Act 2023 to require internet service providers to retain information in connection with the death of a child. The Bill also introduces a new provision that places a duty on the Information Commission to have regard to children’s vulnerabilities and their rights in relation to the processing of personal data when the Commission carries out its duties.[20]
The House of Lords have since proposed inserting a new overarching duty on controllers and processors to ensure they are giving consideration to the Age-Appropriate Design Code when children’s personal data is being processed including entitling them to a higher standard of protection than adults.[21]
9) New data sharing framework, IT standards and accreditation
The DUA Bill has been touted as the Labour government’s solution to building an NHS that is fit for the future. The Bill is proposed to free up 140,000 hours of NHS staff time annually by introducing provisions to make patients’ healthcare data accessible in real time across all NHS trusts, regardless of what IT system is used.[22] By enabling the creation of unified medical records, every patient’s medical history can be available on demand, allowing for more efficient care and permitting doctors to spend more face-to-face time with patients. To address concerns surrounding ‘Big Brother’ surveillance, Health and Social Care Secretary Wes Streeting confirmed that data will only be shared with the most relevant staff and that strict security protocols will be in place.[23]
Under the Health and Social Care Act 2012, the Secretary of State can publish an “information standard” document setting out standards to follow when processing personal data in health and adult social care IT systems[24]. The DUA Bill adds that these information standards can relate to information technology and IT services (including the design, quality and capabilities of such technology).[25] The Bill empowers the Secretary of State to issue IT providers with a written notice where they have “reasonable grounds” to suspect non-compliance with an information standard, and request compliance within a specified period.[26] The Secretary of State can also publish a public statement setting out the non-compliance to hold IT service providers accountable.[27]
The Bill includes scope for an accreditation scheme to be introduced to regulate the IT and IT service providers used in health and adult social care in England. The scheme would enable an “operator” to be selected to establish the accreditation procedure, set the criteria for accreditation, keep the scheme under review and charge a “reasonable fee” for applications. If implemented, the scheme could further strengthen the protections in place for the processing of health data and would increase transparency within the sector.[28]
Conclusion
Ahead of the EU Commission’s upcoming decision on whether to review the UK’s designation as a jurisdiction with appropriate safeguards for EU personal data, the DUA Bill is expected to move quickly through Parliament. The ICO has welcomed the Bill, describing it as a “positive package of reforms” and indicating that it believes the Bill will “not present a risk to the UK’s adequacy status”.[29]
The Labour government’s DUA Bill appears to address some of the previous criticism about the more controversial elements of the Conservatives’ DPDI Bill, which Labour will hope ensures a smooth passage to Royal Assent. In addition, the majority of amendments by the House of Lords in its first and second readings of the Bill have been to (re)widen provisions and/or align them with existing data protection legislation.
Ellie Phillips contributed to this article
[1] Data (Use and Access) Bill [HL] – Parliamentary Bills – UK Parliament
[2] New data laws unveiled to improve public services and boost UK economy by £10 billion – GOV.UK
[3] Data (Use and Access) Bill, s70(2)(b), s70(4) and Schedule 4.
[4] Data (Use and Access) Bill, s74(1).
[5] Data (Use and Access) Bill, s78(1)(a).
[6] Data (Use and Access) Bill, s76(3).
[7] Data (Use and Access) Bill, s80(1) / new 22A.
[8] Data (Use and Access) Bill, s80(1) / new 22B(4).
[9] Data (Use and Access) Bill, s80(1) / new 22C.
[10] Yet another UK government seeks to reform GDPR • The Register
[11] HL Bill 40—Running List 26 November
[12] Data (Use and Access) Bill, Section 84 and Schedule 7.
[13] Data (Use and Access) Bill, Schedule 12 (inserts schedule A1), s4(2)(a)-(e).
[14] Data (Use and Access) Bill, Schedule 12 s2(2).
[15] Data (Use and Access) Bill, Schedule 12 s2(3)(a).
[16] Data (Use and Access) Bill, Schedule 12 (inserts schedule A1), s5(1).
[17] HL Bill 40—Running List 26 November
[18] Data (Use and Access) Bill, s116.
[19] Data (Use and Access) Bill, Schedule 13 (inserts Schedule 1 s18).
[20] Data (Use and Access) Bill, s90 (inserts s120B).
[21] HL Bill 40—Running List 26 November
[22] New data laws unveiled to improve public services and boost UK economy by £10 billion – GOV.UK
[23] New data laws unveiled to improve public services and boost UK economy by £10 billion – GOV.UK
[24] Health and Social Care Act 2012, section 250.
[25] Data (Use and Access) Bill, Schedule 15 (inserts s250A), s4.
[26] Data (Use and Access) Bill, Schedule 15 (inserts s251ZB), s8.
[27] Data (Use and Access) Bill, Schedule 15 (inserts s251ZC), s8.
[28] Data (Use and Access) Bill, Schedule 15 (inserts s.251ZE), s8.
[29] Information Commissioner’s response to the Data (Use and Access) (DUA) Bill | ICO