The Data (Use and Access) Bill 2024-25 (DUA Bill) had its second reading on 19 November 2024, following its introduction in the House of Lords on 23 October 2024. The Bill replaces the Conservative Government’s stalled Data Protection and Digital Information Bill (DPDI Bill) and proposes several similar reforms to the UK’s data protection framework.

Background

Since Brexit, the UK has sought to modernise its data protection laws to maintain high standards while easing administrative burdens on businesses. Previous efforts with the DPDI Bill failed, but the Labour Government has revived a more modest set of reforms under the DUA Bill. The goal is to modernise data laws while safeguarding the UK’s “adequacy” status, which is essential for seamless data flows between the EU and the UK.

Key updates to UK GDPR and DPA 2018

The DUA Bill introduces several significant changes:

  • Legitimate Interests: the Bill gives statutory examples of processing that may be regarded as pursued in a legitimate interest, such as processing for “direct marketing” (widely defined), intra-group transfers of personal data and processing to ensure network and information security. Controllers relying on this basis must still carry out the usual balancing test.
  • Recognised legitimate interest: a new ground for lawful processing allows processing necessary for purposes like national security, public safety or emergency response, outlined in a new annex to UK GDPR.
  • Data Subject Access Requests (DSARs): a change that will be welcomed by many businesses on the receiving end of DSARs from a disgruntled current or former employee is that a controller will only need to conduct searches that are “reasonable and proportionate”. However, the express exemption for “vexatious” requests proposed in the DPDI Bill has been omitted. The Bill also confirms a procedure enabling the courts to inspect withheld material in order to determine whether it is exempt from disclosure.
  • Purpose Limitation: clarifies when personal data can be used for purposes beyond those for which it was originally collected, with certain scenarios (such as public interest research or statistical analysis) deemed compatible with the original purpose.
  • Cookies: the Bill simplifies consent pop-ups by removing the need for consent for low-risk cookies, such as those used for statistical purposes or to improve a website. It also defines when a cookie is “strictly necessary” (e.g. for fraud prevention, user safety or maintaining user preferences). Transparency requirements remain, so users must still be told about the cookies in use, but consent will often no longer be needed. On the other hand, breaches of the cookie rules will become subject to UK GDPR-level fines (up to 4% of global annual turnover), replacing the current £0.5m cap under PECR.
  • Automated Decision-Making (ADM): to facilitate increased use of AI for ADM (meaning decisions taken with “no meaningful human involvement in the taking of the decision”), the Bill provides that, other than where “special categories” of data are used, ADM producing a legal or similarly significant effect will no longer be prohibited subject to limited exceptions. Instead, such ADM will be permitted on any lawful basis, including legitimate interests, provided suitable safeguards are in place (such as informing the individual, and allowing them to make representations, obtain human intervention and contest the decision). The stricter existing regime continues to apply where “special categories” of data are involved.
  • Scientific Research: provides a clearer definition of “scientific research” and guidance on when consent is needed.
  • Complaints Process: requires controllers to take “appropriate steps” to facilitate data subject complaints, such as by providing a complaints policy or online form. It also paves the way for regulations requiring controllers to notify the Information Commissioner of the number of complaints received.
  • International Data Transfers: introduces a less stringent adequacy test for third countries, requiring the standard of protection to be “not materially lower” than the UK’s. This could allow more countries to achieve UK adequacy, but may complicate the EU’s review of the UK’s own adequacy status in 2025.

What’s Missing?

The Bill excludes some of the more controversial proposals from the DPDI Bill, such as removing the requirement for Data Protection Officers (DPOs), redefining “personal data,” and relaxing Data Protection Impact Assessment (DPIA) obligations. These omissions likely aim to preserve the UK’s adequacy status with the EU.

Beyond Data Protection

At over 260 pages, the Bill covers considerably more than data protection. As its title indicates, it includes provisions on the use of and access to data more generally, including:

  • use of “smart data” (supporting open banking and the development of new smart data schemes such as in respect of utilities);
  • establishing a “trust mark” for approved digital verification services;
  • simplifying data use for law enforcement and the NHS, including enabling easier patient data transfers;
  • creating a national map of the UK’s underground infrastructure (pipes and cables).

This broader approach reflects aspirations similar to the EU’s Data Act, treating data as a shared asset for businesses and consumers alike.

Comment

The Government aims to “put technology and data protection at the heart of the economy” by simplifying rules to make data laws more business-friendly while maintaining high standards. Supported by the ICO (which the Bill would restructure as the Information Commission), the Bill seeks to modernise the UK’s data framework without jeopardising its EU adequacy status, which comes up for review in June 2025.

The expectation is that the Bill will be finalised before that review. However, amendments may still be made as it progresses through Parliament, so watch this space for further updates.
