The UK Data (Use and Access) Bill (DUA Bill or UK Data Bill) was introduced to the UK House of Lords on 24 November 2024 to modernise the UK’s data protection laws, specifically the UK GDPR and Data Protection Act, in response to emerging technological advancements and societal shifts. Overall, the DUA Bill significantly impacts UK data protection, aiming to ease the regulatory burden on small and medium enterprises (SMEs), streamline data subject access requests (DSARs), and align with EU data initiatives. However, it could potentially increase divergence from EU data privacy standards, affecting the UK’s data adequacy status.

Key changes and implications of the DUA Bill

The DUA Bill introduces a wide range of reforms.

Legitimate interests and further processing

  • Recognised legitimate interests: The Bill broadens the scope of legitimate interests for data processing for the purposes of direct marketing, internal data sharing and cybersecurity. This could lead to increased flexibility for organisations, but it also raises concerns about potential overreach.
  • Further processing of personal data: The Bill tightens the rules for processing personal data for new purposes, focusing on compatibility with the original collection purpose. Organisations will need to conduct more thorough assessments to ensure that any new use of personal data aligns with the original purpose.

Consent and cookies

  • Consent clarification: The Bill clarifies the concept of ‘freely given consent’, to address specific concerns around services making access conditional upon consent. This addition could lead to more transparent and user-friendly data practices.
  • Cookie regulations: The Bill amends the Privacy and Electronic Communications Regulations (PECR) to relax consent requirements for certain types of cookies, such as analytics and functional cookies. Once consent is given, it can cover multiple future instances of data storage and access for the same purposes. While this may streamline website operations, it’s essential to balance convenience with user privacy.
  • Scientific research: The Bill amends the UK GDPR to enable data controllers processing data for scientific research purposes to obtain consent to an area of scientific research. This allows the data subject an opportunity to consent only to processing for part of the research.

DSARs and automated decision-making

  • DSARs: Data controllers must respond to DSARs promptly and conduct ‘reasonable and proportionate’ searches. However, the Bill does not provide further information on what would constitute ‘reasonable and proportionate’. The Bill also introduces a new section in the Data Protection Act that provides an exemption for information that is subject to legal professional privilege.
  • Automated decision-making: The Bill introduces rules for significant decisions made solely by automated processing, requiring safeguards like human intervention and stricter conditions for processing sensitive data through automated means. This is a significant step towards ensuring fairness and transparency in algorithmic decision-making.

New additions under the UK Data Bill

  • International data transfers: The Bill amends the UK GDPR by empowering the Secretary of State to approve data transfers based on a new “data protection test”. This ensures that standards in the third country are not materially lower than UK standards.
  • Digital verification services: The Bill introduces regulations for digital verification services, including a trust framework and a register for providers. This could increase trust in online identity verification processes.
  • ICO reforms: The Bill establishes the Information Commission to replace the existing regulator, the ICO. All functions and powers of the ICO are transferred to the Commission, including powers to issue assessment notices and request reports from data controllers and processors.

Looking ahead

Industry experts have expressed mixed reactions to the DUA Bill. While some have welcomed the proposed changes, others are concerned about the potential impact on data privacy and the UK’s adequacy status with the EU. The DUA Bill signifies a critical evolution in the UK’s data protection regime, striking a balance between regulatory compliance, innovation and privacy.

How we can help you with the UK Data (Use and Access) Bill

  • Assess your current compliance with UK data protection laws and identify areas requiring possible updates under the new UK Data Bill by asking us.
  • Explore the potential impacts on your industry by staying informed about the developments in data protection by subscribing to our newsletter.