Out with the old and in with the new: The Data (Use and Access) Bill
Dec 19, 2024
Summary
On 23 October 2024, the Data (Use and Access) Bill (the “DUAB”) was introduced to Parliament. The DUAB is the Labour government’s answer to the perceived shortfalls of the since-abandoned Data Protection and Digital Information Bill (the “DPDI” Bill).
We unpack below the elements from the DPDI Bill that were abandoned, those retained, and the newly added ones introduced by the DUAB.
What’s gone?
Although much of the DUAB is familiar, a number of components from the DPDI Bill have not been re-introduced.
Personal Data
Perhaps most notable is the change to the definition of ‘personal data’. The DPDI Bill proposed to broaden the definition so that it expressly covered cases where the individual is identifiable “by reasonable means”. That proposed change has been scrapped in the DUAB, leaving the existing UK GDPR definition in place.
Accountability obligations
Many of the provisions that have been abandoned relate to accountability obligations. For example, the DPDI Bill proposed (i) to require records of processing activities only where the processing of personal data was likely to result in a high risk to the rights and freedoms of individuals and (ii) to require data protection impact assessments only for high-risk processing activities. Both of these proposed relaxations have been dropped, so the existing UK GDPR record-keeping and DPIA obligations continue to apply.
Vexatious or excessive DSARs
The DPDI Bill proposed a change to data subject access requests (DSARs) that would have allowed controllers to refuse to comply with a DSAR they believed to be “vexatious or excessive”. This change has not been retained in the DUAB; the existing test of “manifestly unfounded or excessive” therefore remains.
Data Protection Officer
The DPDI Bill proposed to replace the UK GDPR obligation to appoint a DPO in certain mandatory circumstances with an obligation to designate a ‘senior responsible individual’ to oversee data protection compliance. This proposed change is not in the DUAB, so the existing DPO requirements remain.
What’s stayed?
Some of the elements of the DPDI Bill were retained in the DUAB. We set out below some of those key proposals.
Recognised legitimate interests
The DUAB preserves the concept of “recognised legitimate interests” originally introduced in the DPDI Bill. Organisations relying on one of the recognised legitimate interests will not have to conduct a legitimate interest (balancing) assessment. The list currently includes purposes such as national security, public security and defence, safeguarding vulnerable individuals and the prevention and detection of crime, but drops democratic engagement, which was in the DPDI Bill. Separately, the DUAB also lists examples of processing that may be a legitimate interest under the ordinary legitimate interests ground, such as intra-group data sharing for internal administrative purposes, direct marketing and ensuring the security of network and information systems; unlike the recognised legitimate interests, these examples still require the usual balancing assessment. The DUAB also gives the Secretary of State power to update the list of recognised legitimate interests by regulation, subject to Parliamentary approval.
Solely automated decision making
The DUAB implements a number of updates to automated decision making (ADM). The general prohibition on solely automated decisions is relaxed, and the DUAB clarifies what ‘solely’ means in this context: a decision is solely automated where there is no meaningful human involvement in taking it. The DUAB effectively permits solely automated decisions in most cases provided safeguards are in place, including the ability for individuals to contest a decision and request human review where the decision significantly affects them. However, solely automated decisions based on special category data remain restricted.
ICO interview notices
The DUAB retains a power first introduced in the DPDI Bill for the ICO to issue an interview notice requiring an individual connected with a controller or processor to attend an interview and answer questions in certain circumstances. The ICO is able to issue a penalty notice for failure to comply with an interview notice, and knowingly or recklessly making a false statement in response to one is an offence.
What’s new?
New proposed elements introduced by DUAB include:
International data transfers
The DUAB retains the data protection test which assesses the data protection standards of the relevant third country or international organisation when international data transfers are being made. The UK test requires the standard of protection in the third country or international organisation to be “not materially lower” than that in the UK, a more flexible standard than the EU test, which requires ‘essentially equivalent’ protection. Notably, the DUAB also limits the ability of the Secretary of State to modify existing transfer safeguards, with changes requiring secondary legislation. Whilst these additions seek to provide clarity and to assist organisations navigating the complexities of international data transfers, setting a different standard from the EU could add to the burden on organisations that would no doubt prefer harmonised requirements in this space.
PECR enforcement
Under the current rules, the maximum fine for violations of the Privacy and Electronic Communications Regulations (PECR) is £500,000. The DUAB strengthens the ICO’s enforcement powers under PECR and aligns the maximum fine with that under the UK GDPR (the higher of £17.5 million or 4% of global annual turnover).
Children’s data
The DUAB highlights the significance of protecting children by placing an additional duty on the ICO to consider the vulnerability of children in relation to the processing of their data.
Special categories of personal data
There is also a new proposal for the Secretary of State to have powers to amend the UK GDPR’s “special categories of personal data” via secondary legislation. Currently, any amendments require primary legislation.
ICO complaints
The DUAB also introduces a power for the ICO to refuse to act on, or to charge a fee for acting on, “manifestly unfounded or excessive” complaints submitted by data subjects. The aim is to reduce the number of complaints reaching the ICO.
DSAR response clarification
While the DUAB does not allow controllers to refuse to respond to data subject access requests (DSARs) merely because they are vexatious, it does set out a more detailed timeline for responding to them. The DUAB introduces a new article into the UK GDPR which provides, among other things, that the response period may be extended where the controller has received a number of requests relating to the same data subject.
Cookies
Cookies used for security, analytics and service improvement purposes can be deployed without consent (subject to various conditions). This does not absolve organisations from their transparency obligations: information about the cookies used must still be displayed, and users must be given the ability to opt out.
Right to make a complaint to data controller
Under the DUAB, data subjects are able to complain to a controller if they consider there to have been an infringement of the UK GDPR. Controllers are under an obligation to facilitate the making of complaints by taking certain steps, such as providing a complaint form that can be completed electronically and by other means, and must acknowledge a complaint within 30 days of receipt.
On the whole, the DUAB has been received positively by the ICO. The Information Commissioner, John Edwards, has described the amendments as ‘proportionate’ and ‘pragmatic’ and as aligning well with the ICO’s objectives. Notwithstanding that endorsement, divergence from the EU standard is a fine balance to strike, as the UK’s adequacy status must not be put at risk, a point also flagged by John Edwards in his response.
The DUAB is currently at committee stage in the House of Lords, which began on 3 December 2024, where proposed amendments are being considered. Given that there have previously been two failed attempts at bringing in updated data protection laws under earlier governments, many of the proposed provisions have already been under intense scrutiny; we therefore expect the DUAB to have a relatively quick journey through Parliament.