On October 23, 2024, the UK government resurrected previous attempts to reform UK data protection law and introduced the draft Data (Use and Access) Bill (DUA Bill) into the House of Lords. Although published under a new name, many of the reforms previously proposed under the Data Protection and Digital Information Bill (DPDI Bill) can be found in the latest DUA Bill. However, there are some significant changes.
The DUA Bill has shifted in tone from its predecessor. Instead of a strong focus on reforming the UK’s data protection framework to ease the compliance burden on businesses, the new DUA Bill seeks to promote the greater use of data to grow the economy, improve public services, and make people’s lives easier. According to the UK government, the DUA Bill is largely focused on making better use of data across many sectors of the UK’s economy and improving public sector services.
The strong commitment to the reforms and the removal of some of the more controversial elements mean it is likely that the DUA Bill will, at some point, become law. There are, however, certain procedural steps before it can complete its legislative journey, with the committee stage due to commence in December 2024.
Below is a summary of the DUA Bill, detailing areas that are new (i.e., not previously included in the DPDI Bill); areas that are similar to or the same as certain of those in the DPDI Bill; and elements of the DPDI Bill which have not been retained.
New Elements of the Data (Use and Access) Bill
The DUA Bill includes new reform proposals not previously found in the DPDI Bill, such as:
- Special Category Data: The Secretary of State will be given the power to expand the list of special categories of personal data and to define additional processing activities that would be subject to the prohibition on processing such data.
- Children’s Data: The DUA Bill expresses the importance of protecting children by placing an additional duty on the UK Information Commissioner’s Office (ICO) to consider the vulnerability of children in relation to data processing, when carrying out its responsibilities under data protection law.
- Complaints by Data Subjects: The DUA Bill reforms the way that data subjects can submit complaints to the ICO by requiring that a data subject complaint first be addressed to the relevant controller. The complaint can only be escalated to the ICO when it has not been dealt with satisfactorily, thereby reducing the number of complaints reaching the ICO.
- Online Safety Research: The DUA Bill proposes to amend the Online Safety Act (the OSA) to enable the Secretary of State to issue regulations requiring providers (regulated under the OSA) to give researchers access to online safety-related information, as long as this does not involve processing personal data in violation of data protection laws. Before making such regulations, the Secretary of State must consult both Ofcom (the UK regulator which oversees the OSA) and the ICO.
Elements Retained from the Data Protection and Digital Information Bill
The DUA Bill contains provisions which are the same or similar to certain provisions of the DPDI Bill, including:
- Legitimate Interests: The DUA Bill maintains the introduction of “recognised legitimate interests” as a new legal basis for processing data for certain processing activities. Organizations relying on this new legal basis will not have to conduct the balancing exercise required by the legitimate interests legal basis. The listed processing activities include national security and defence, responding to emergencies and safeguarding vulnerable people. This list can also be expanded by the Secretary of State to cover additional public interest objectives.
The DUA Bill also contains a further list of processing activities which “may” be carried out under the legitimate interests legal basis. These include direct marketing purposes, sharing data intra-group for internal administrative purposes, and ensuring the security of network and information systems.
Safeguards have been created for any future change of the list. The Secretary of State must show that the additional case is necessary for a specified objective under public security, crime prevention, public health, judicial proceedings, regulatory functions, or protecting individual rights.
- Automated Decision-making: The DUA Bill maintains the same restrictions under the UK GDPR on automated decision-making involving special category data. However, the DUA Bill also includes certain safeguards for automated decision-making which does not involve special category data.
- Research: The DUA Bill also expands the “scientific research” exemption to include privately funded and commercial research.
- International Data Transfers: As with the DPDI Bill, the Secretary of State can approve transfers of personal data to third countries and international organizations, based on a “data protection test,” which assesses whether the third country or international organization has a standard of data protection that is not “materially lower” than that in the UK.
Additionally, the DUA Bill limits the Secretary of State’s ability to modify existing transfer safeguards; any such changes will require secondary legislation in order to be effective.
- Healthcare Data: IT systems in the healthcare sector will have to meet common standards to enable data sharing across platforms. The Secretary of State will now have the power to publish an information standard on IT services in the healthcare setting, including on technical provisions such as functionality, connectivity, interoperability, portability, storage, and data security.
- Purpose Limitation: The DUA Bill clarifies “further processing” in line with the GDPR recitals, outlining criteria to help assess whether such processing is compatible with the original purpose. The Bill also lists certain compatible purposes, including disclosures for public interest tasks, crime prevention, emergency response, and compliance with legal obligations.
- Smart Data: The DUA Bill retains the provisions enabling Smart Data Schemes, whereby the Secretary of State can issue regulations governing access to customer and business data. These regulations are likely to be sector-specific and will provide details of how the schemes work in practice.
- Privacy Notices: The DUA Bill similarly amends existing transparency rules, exempting controllers from notifying data subjects about further processing for scientific, historical, or statistical research if notification is impossible or requires disproportionate effort. A non-exhaustive list of what might constitute disproportionate effort is provided.
- Privacy and Electronic Communications Regulations (PECR) – Enforcement: The DUA Bill strengthens PECR enforcement powers, aligning penalties with the UK GDPR to allow fines of up to 4% of global turnover or £17.5 million, whichever is the higher.
- PECR – Cookies: The DUA Bill maintains the proposed exemption from obtaining consent for cookies where they pose a low risk to the user. These include circumstances where cookies are deposited solely for analytics and where they are strictly necessary to ensure security and to prevent or detect fraud.
- Digital Verification Services (DVS): The DUA Bill builds on the DPDI Bill's digital identification provisions and establishes a framework for “trusted” providers of digital verification services by introducing a DVS register. It also provides a certification where such services are in accordance with the DVS Trust Framework.
- Information Commissioner’s Office: The DUA Bill maintains many of the changes to the ICO, including changing the name to the “Information Commission” and abolishing the lead Information Commissioner role and replacing it with a Chair and executive/non-executive members, but some of the more controversial changes have been dropped. Importantly, the DUA Bill removes the requirement for the ICO to have regard for the UK Government’s “strategic priorities.” Additionally, the proposed Information Commission will no longer need to submit a code of practice to the Secretary of State for review and recommendations.
Elements of the Data Protection and Digital Information Bill Which Have Not Been Retained
Several provisions of the DPDI Bill have not been replicated in the DUA Bill. Notably, most of these provisions are those that were intended to reduce the compliance burden on businesses. For example:
- Definition of Personal Data: The DPDI Bill’s proposed change to the definition of personal data, i.e., to include where the individual is identifiable “by reasonable means,” has been dropped.
- Data Subject Access Requests: The DPDI Bill proposed to allow controllers to refuse to comply with a data subject access request when it was “vexatious or excessive.” The DUA Bill retains the existing test of “manifestly unfounded or excessive.”
- Data Protection Officer: The proposed replacement of the Data Protection Officer role with a “senior responsible person” has been dropped.
- Data Protection Impact Assessments: The proposed rebranding of Data Protection Impact Assessments to “assessment of high-risk processing” has been removed.
- Records of Processing Activities: The provision that would have limited the duty to maintain such records in respect of only high-risk processing activities has been abandoned.
- UK Representative: The DUA Bill brings back the requirement, previously removed by the DPDI Bill, to have a UK representative where controllers are based outside of the UK.
What Does This All Mean?
For those familiar with the DPDI Bill, the DUA Bill is not particularly innovative in its proposed amendments to the UK’s data protection framework. However, there is a notable shift in the tone of the legislation, with the new government explicitly focusing on “better use of data” across all areas of the economy.
Since 2022, when the DPDI Bill was first proposed, the EU Parliament has voiced its concerns over reforms to the current UK regime, suggesting there should be a full and thorough review of the EU/UK adequacy decision if the proposed reforms were made. While the former UK government consistently confirmed that adequacy was a priority, and that the proposed changes in the DPDI Bill did not, in its view, jeopardize adequacy, the criticisms of the EU do appear to have been taken into consideration when preparing the DUA Bill.
In summary, the DUA Bill does not represent a departure from the UK’s existing data protection law significant enough to warrant a review of the jurisdiction’s adequacy by the EU. There are, however, some substantive changes, and organizations will need to review their compliance frameworks in light of the new legislation; but if the DUA Bill is enacted in its current form, any changes or additional measures are likely to be limited.