Data (Use and Access) Bill: Changes to the UK's Data Protection Regime
On 23 October 2024, the UK Government introduced the new Data (Use and Access) Bill (the "DUA Bill") into Parliament.
The DUA Bill, announced originally in the King's Speech of July 2024 under the name of the "Digital Information and Smart Data Bill", is something of a grab-bag of assorted data-related provisions, including amendments to the UK's data protection regime, provisions covering smart data schemes and improving access to public sector data for the private sector, digital identity verification services, changes to the structure and functioning of the Information Commissioner's Office, and more besides.
Overall, the Government intends the Bill's provisions to contribute towards three key objectives:
- To harness the power of data to grow the economy;
- To improve public services and enable and support modern digital government; and
- To make people's lives easier.
In this article, the first of a series covering the Bill's key provisions, we will take a deep dive into the ways in which the Bill proposes to modify the UK's current data protection regime.
The full text of the Bill as introduced into Parliament is available here, and its explanatory notes may be read here.
As the first part of our deep dive into the DUA Bill, we've looked at the key changes it proposes to UK data protection and e-privacy laws.
A new "recognised legitimate interests" legal basis
The Bill amends Article 6 of the UK GDPR to add a new lawful processing basis. This new processing basis applies where processing is necessary for one of a set of recognised legitimate interests. These include, among others, national security, emergencies, the detection, investigation or prevention of crime, and safeguarding vulnerable individuals.
The "recognised legitimate interests" basis differs from the existing "legitimate interests" basis in that it does not require data subjects' rights and freedoms to be balanced against the controller's interest in a legitimate interests assessment before proceeding. It therefore cuts down on the paperwork required for low-impact processing that is generally in the public interest.
The list of recognised legitimate interests can be amended by secondary legislation. This power to amend, however, is subject to certain constraints and safeguards, including that the processing must be necessary to safeguard one or more of a particular set of "public objectives", such as public safety.
Statutory examples of regular legitimate interests
Outside of the new "recognised legitimate interests" processing basis, the DUA Bill also inserts some illustrative examples of what will constitute ordinary "legitimate interests" into the UK GDPR. This is a non-exhaustive list that reflects and codifies the recitals of the EU GDPR. It includes processing "necessary for the purposes of direct marketing", "intra-group transmission of personal data", and processing "necessary for … ensuring the security of network and information systems". Reliance on the legitimate interests basis for each of these activities will still require a balancing test.
Purpose limitation
The Bill also amends the UK GDPR to clarify the "purpose limitation" principle, which restricts the circumstances in which "further processing" of personal data may be carried out for a purpose other than the original purpose for which the data was collected. The general principle is that processing for a new purpose which is not "compatible" with the original purpose may not be carried out.
The amendments made by the new Bill clarify that the purpose against which compatibility should be measured is the purpose for which the controller making the assessment received the data, not the purpose for which the data was first collected directly from the data subject by the original controller. This means that a controller collecting personal data other than directly from the data subject is not constrained by the purpose for which that data was originally collected (provided, of course, that the new controller's processing activity is otherwise lawful).
The Bill also aids controllers carrying out compatibility assessments. It amends the UK GDPR to codify the factors that need to be considered when determining whether a new purpose for further processing is compatible with the original purpose. These factors include (i) whether, and the extent to which, there is a link between the new and original purposes; (ii) the context in which the data was originally collected; (iii) the nature of the processing (in particular whether it involves special category data or criminal convictions data); (iv) the possible consequences for data subjects of the further processing being contemplated; and (v) what safeguards will be in place.
Automated decision-making
Under the current UK GDPR, there are restrictions on when it is permissible to make decisions on a solely automated basis where those decisions would produce a legal or similarly significant effect for the data subjects. Such processing is currently generally prohibited, and is permissible only where one of three exceptions applies: (i) it is necessary for entering into or performing a contract between a controller and the data subject; (ii) it is explicitly required or authorised by law; or (iii) the data subject explicitly consents.
The DUA Bill makes a significant change to this position, and so has the potential to significantly expand the types of decision that may be made on a solely automated basis. It provides that the general prohibition and exceptions above only apply in respect of decisions involving special categories of personal data. Automated decision-making with significant effect would be permissible without the need to rely on an exception where only regular personal data is involved. However, for automated decision-making with significant effect involving any type of data, the usual safeguards must still apply, such as the provision of information and the rights to make representations, to obtain human intervention and to contest the decision.
The Bill would also define a decision as being based solely on automated processing if there is no "meaningful human involvement in the taking of the decision…". The Bill provides that, in determining whether a decision had "meaningful human involvement", the extent to which the decision was reached by means of profiling must be borne in mind.
The Bill would then grant the Secretary of State a power to make regulations stipulating types of decision-making which are automatically to be taken to have, or not have, "meaningful human involvement", as well as types of decision-making which are to be automatically treated as not having had a "similarly significant adverse effect" on the data subject.
The practical effect of this change would be to give the Government the ability to further exclude certain types of decision from the scope of the prohibition on automated decision-making. This is intended to afford flexibility to keep up with emerging technologies which may entail or enable novel types of decision-making which might or might not be considered to have "significant" effects for data subjects.
Power to amend "special categories of data"
The Bill proposes to give the Secretary of State a new power to make regulations which add new types of processing or data types to the list of "special categories" set out in Article 9(1) of the UK GDPR.
Currently, this list is exhaustive. The Government has clearly taken the view in drafting the new Bill that this is not sufficiently flexible to adequately protect individuals' rights in the face of potential future technological developments which might use different types of data in novel and presently hard-to-foresee ways. This new power is, therefore, intended to allow for the Government to more rapidly respond by adding certain types of data or processing to the Article 9 list without the need for further primary legislation. Processing or data that has been added may also be removed, but the power does not extend to removing any of the categories that are directly, explicitly listed in the UK GDPR itself. In other words, the current list of special categories of data as set out in the main legislation will be left as a "hard floor".
Broad consent permissible for research purposes
The new Bill would amend UK GDPR to clarify that controllers seeking to process personal data for scientific research purposes will be able to obtain valid consent for relatively broad research purposes.
This measure is intended to mitigate the potentially overly restrictive effects of the consent requirements and the purpose limitation principle, which requires that any data processing should be for a specific purpose identified at the time of collection. This can present difficulties for researchers who might not be in a position to specify in detail the exact purposes for which data will be processed at the point of collecting it.
When obtaining "broad consent", the data subject must be given an opportunity to consent to processing for only part of the research, so far as possible.
The Bill will also make it clear that processing can be for scientific research purposes regardless of "whether the research is privately or publicly funded or whether it was carried out as a commercial or non-commercial activity".
Extension to "disproportionate effort" transparency exemption
The Bill would introduce amendments to UK GDPR extending the scope of the "disproportionate effort" exemption from providing fair processing information to circumstances in which the data was collected directly from the data subject. Currently, this exemption is only available where data is collected from another source.
The proposed amendments in the Bill specify that privacy notices do not need to be provided to data subjects from whom the controller has collected data directly, where it would be "impossible", or would involve "disproportionate effort". A non-exhaustive list of factors that controllers should consider when deciding whether the effort involved would be disproportionate is also included. These factors include the number of data subjects, the age of the personal data, and what safeguards have been applied to the processing.
These provisions are subject to safeguards requiring controllers to have taken appropriate measures to protect data subjects' "rights, freedoms and legitimate interests". Where this exemption is relied on, the controller must still make the notice publicly available, such as through its website.
International transfers
Under the new Bill, the UK's adequacy regulations must be based on whether a new "data protection test" is met. The key question is whether the protections in the third country are "not materially lower" than in the UK. Particular constitutional features, traditions and culture of the third country in question may be taken into account – which the explanatory notes to the Bill say is intended to account for the fact that "differences may exist [between the UK's and third country's respective regimes] given the cultural context of privacy."
Perhaps even more importantly, the new Bill also permits the Secretary of State to have regard to "the desirability of facilitating transfers of personal data" between the UK and the third country in question when deciding to make such regulations – opening the door to political considerations such as the potential economic benefit to the UK of more easily being able to share data with a particular country.
The "not materially lower" standard will be the same as organisations themselves must apply when undertaking overseas transfers under the UK GDPR.
Other key data protection law changes in the new Bill
Aside from the above, the new Bill also proposes to bring in a wide array of other additions, alterations and clarifications to the UK's data protection regime.
Under the Bill, if passed in its present form:
- PECR would be amended to permit placing cookies on user devices without user consent for analytics and user experience purposes (such as ensuring a website displays correctly on a user's particular device). The user must still be given information about the purpose for placing the cookies;
- The legislation will codify the current regulatory guidance on the circumstances in which an extension to the standard time limit to respond to data subject rights requests will be permissible, or when the "clock may be paused";
- The existing principle that controllers are required only to carry out "reasonable and proportionate searches" in response to a subject access request will be codified;
- Various measures generally intended to remove obstacles and achieve greater ease of use of personal data for law enforcement and national security purposes will be introduced, including amending the DPA 2018 to include the same national security exemption as exists in the current UK GDPR. The elimination of this difference is considered key in removing barriers to close and efficient working between law enforcement and the intelligence services; and
- There will be a new requirement for the ICO to encourage representative industry and sectoral bodies to draw up PECR codes of conduct.
Next Up
In our next article in the series, we will consider the ways in which the new Bill proposes to shake up the ICO, which include a fundamental restructuring of the ICO itself and broadening the range and severity of its investigatory and enforcement powers.