The UK government is making another attempt to modernise data protection law in the United Kingdom. We explain what the planned Data (Use and Access) Bill (DUA Bill) means for companies.

What is the Data (Use and Access) Bill?

Following Brexit, the United Kingdom (UK) initiated reforms to its data protection framework to reduce compliance burdens for businesses and capitalise on opportunities created by leaving the European Union (EU).

As part of these efforts, the UK introduced the Data Protection and Digital Information Bill (DPDI Bill) in July 2022. However, due to the UK Parliament being dissolved ahead of the July 2024 general election, the DPDI Bill did not progress to enactment.

Subsequently, the Data (Use and Access) Bill (DUA Bill) was introduced to Parliament on 23 October 2024. It seeks to update data protection laws in the UK post-Brexit, enabling secure and effective use of data in the public interest without adding financial pressures on businesses.

The DUA Bill is currently undergoing legislative scrutiny and has not yet been enacted (see the UK Parliament website).

Key proposals of the DUA Bill

First things first: The DUA Bill will not repeal the existing UK data protection legislation, namely the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), but amends and supplements them. The DUA Bill, the UK GDPR and the DPA 2018 must therefore be read together to get a full picture.

In the following, we introduce the most relevant changes for businesses subject to the existing UK data protection regime:

A new legal basis for data processing called recognised legitimate interest has been introduced. This amendment to Art. 6 UK GDPR allows personal data to be processed without the legitimate interest assessment required under the legitimate interest legal basis in Article 6(1)(f) UK GDPR, so long as the processing is necessary for certain specified purposes.

The designated recognised legitimate interests include:

  • national security,
  • emergency situations,
  • detection, investigation, or prevention of crime,
  • safeguarding vulnerable individuals.

The DUA Bill also proposes several statutory examples of processing that may be based on legitimate interests, intended to help organisations decide whether a processing activity can rely on this legal basis:

  • processing that is necessary for the purposes of direct marketing,
  • intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes, and
  • processing that is necessary for the purposes of ensuring the security of network and information systems.

However, organisations relying on these examples should still conduct a legitimate interest assessment, ensuring that the organisation's interests are not overridden by the rights and freedoms of data subjects.

Under the current UK GDPR, data subjects have, subject to specific exceptions, the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them.

Under the proposed DUA Bill, the UK plans to generally permit automated decision-making that has significant effects on individuals, provided that certain safeguards are implemented. These safeguards include:

  • providing information to individuals about the automated decision-making affecting them,
  • enabling individuals to make representations regarding such decisions,
  • allowing individuals to obtain human intervention in the decision-making process, and
  • permitting individuals to contest these automated decisions.

Automated decision-making based on the processing of special categories of personal data as defined in Article 9(1) UK GDPR remains subject to specific, stricter conditions.

The DUA Bill introduces a list of compatible purposes, which pre-defines certain new purposes as being compatible with the original purpose of data processing. Once enacted, this list will form an Annex to the UK GDPR.

For processing activities not included in this list, the DUA Bill specifies key factors to assess when determining whether further processing is compatible and permissible.

The DUA Bill aims to simplify the requirements for processing activities conducted for scientific research by broadening the scope of the scientific research exemption in Art. 89(2) UK GDPR. This expansion includes commercial research, privately funded research and any other type of research, making it easier for organisations to process data for a wider range of research purposes.

Art. 89(2) UK GDPR has already been interpreted broadly by the ICO in its guidelines, stating that “scientific or historical research has a broad meaning, encompassing research conducted in commercial settings, as well as technological development, innovation, and demonstration.” The proposed DUA Bill seeks to formalise this interpretation, providing a clear and consistent regulatory framework.

The DUA Bill introduces a notable change regarding international data transfers, marking a significant departure from its EU counterpart. It proposes a shift to a risk-based approach by replacing the current adequacy test with a data protection test. This test evaluates whether the data protection standards in the recipient country are “not materially lower” than those in the UK, offering greater flexibility in assessing third-country protection levels.

As a result, the UK would continue to deviate from the EU Commission’s adequacy decisions, leading to differences in the list of adequate third countries between the UK and the EU.

Section 53(1) of the Data Protection Act 2018 currently allows controllers to either refuse to respond to, or charge a reasonable fee for, data subject requests deemed to be manifestly unfounded or excessive. The proposed amendments under the DUA Bill aim to enhance transparency by empowering the Secretary of State to introduce regulations requiring controllers to publish clear guidance on the fees charged for such requests.

Additionally, when refusing to respond to a manifestly unfounded or excessive request, controllers will be required to inform the data subject of the refusal and their right to lodge a complaint with the ICO.

The proposed regulation also updates the subject access request process. Controllers will be permitted to request clarification from data subjects if their request is unclear. During this clarification period, the response deadline will be paused, but only if it is unreasonable for the controller to process the request without further details. Once the necessary clarification is provided, the response timeframe will resume.

The DUA Bill does not just seek to update the data protection rules but also the Privacy and Electronic Communications Regulations (PECR) in order to update the cookie rules.

Under the current version of the PECR, Art. 6 establishes rules regarding the confidentiality of “terminal equipment,” which includes devices such as computers, mobile phones, wearable technology, and smart TVs. These rules prohibit organisations from storing or accessing information on an individual’s terminal equipment (e.g., through the use of cookies) unless the individual has explicitly provided their consent or an exception applies.

The DUA Bill introduces two new exceptions to this consent requirement under the PECR.

  • The first exception allows the use of cookie-like technologies to store or access information for the purpose of collecting statistical data about how an organisation's information society service is used. This is intended to enable organisations to improve their services. For example, this exception would cover the collection of data on how many people are accessing a service, which features they are interacting with, and how long users spend on specific pages of a website.
  • The second exception allows the use of cookie-like technologies to enhance the appearance or functionality of a website when displayed on a user's device. For example, this could involve using a cookie to optimise content, such as enabling responsive design to adjust a webpage's layout to fit the specific dimensions of a user's screen or monitor.

Both exceptions apply only if users are provided with clear and comprehensive information about the purpose of the storage or access and are offered a simple, cost-free way to object to it.

Conclusion

While the DUA Bill aims to facilitate the effective use of data by offering companies greater flexibility, it represents a less substantial departure from the existing UK GDPR framework than the previous DPDI Bill.

Notably, unlike the DPDI Bill, the DUA Bill does not intend to remove the obligation to appoint a Data Protection Officer and/or a UK Representative. However, its enactment remains uncertain due to ongoing criticism and debate.

Time will reveal the outcome and the direction of the next steps. Certainly, we will keep you updated as the DUA Bill progresses through the legislative process or if there are any further developments.
