New data protection law - the Data (Use and Access) Bill
The new UK Government introduced the Data (Use and Access) Bill (DUAB) into Parliament in October 2024. It represents the biggest change to the data protection regime since the General Data Protection Regulation (GDPR) came into force. It is expected to receive Royal Assent before the end of June 2025.
The new Bill will amend the UK GDPR, the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018 (DPA). Some of the measures were proposed by the previous Government in the form of the Data Protection and Digital Information Bill (DPDI) so, bearing in mind the current Government’s majority, it is likely to receive little or no opposition in Parliament. It will therefore be important that you prepare for the changes well in advance.
Measures from the abandoned DPDI that have not been taken forward include changing the definition of ‘personal data’ and relaxing record-keeping obligations. New restrictions on vexatious or excessive Data Subject Access Requests (DSARs) and proposals to replace DPOs with Senior Responsible Individuals were also dropped.
What measures are included in the Bill?
The key measures that are being taken forward and likely to become law include the following...
Recognised Legitimate Interests (RLI)
The Bill will create a set of statutory RLIs as a ‘lawful basis’ for processing personal data. Organisations correctly using one of these RLIs will not have to conduct a Legitimate Interests Assessment balancing test.
Recognised Legitimate Interests will include…
- National security, public security and defence
- Safeguarding vulnerable individuals
- Crime
- Intra-group data sharing for international admin purposes
The sole use of Automated Decision Making (ADM)
ADM is currently widely used to filter applications in areas such as recruitment, insurance and financial products. The Bill effectively allows decisions to be made solely by ADM in most cases, subject to certain safeguards. For example, decisions must be open to challenge and subject to human review where the impact on the individual is significant. The use of ADM for special category data remains restricted.
ICO interview notices
The ICO will gain a new type of notice that can require a data controller or data processor to attend an interview regarding a complaint or data breach. Failure to comply could result in a penalty notice, and knowingly or recklessly making false statements will be an offence.
International Data Transfers (IDT)
The DUAB defines the UK adequacy standard for third countries’ or international organisations’ data protection measures as ‘not materially lower’ than those set out in UK law. However, the current EU standard is ‘essentially equivalent’. In theory this could cause problems for the UK’s adequacy status with the EU, as the perception could be that the UK will accept lower standards of data protection in the UK market than those acceptable in the EU Single Market.
The Privacy and Electronic Communications Regulations (PECR)
The Bill will amend the UK PECR to bring the penalty regime in line with that of the GDPR. The maximum fine is currently £500,000. This will change to a potential £17.5 million or up to 4% of global turnover, whichever is higher.
Personal data relating to children
There will be a new obligation on the ICO to give special consideration to the vulnerability of children in data processing activities.
The ICO says: “When we refer to a child we mean anyone under the age of 18. This is in accordance with the UN Convention on the Rights of the Child which defines a child as everyone under 18”.
Special categories of personal data
Special categories of personal data are particularly sensitive in relation to discrimination and fundamental rights and freedoms. They include information relating to health, disability, sex, race, politics and religion, amongst others. This list of categories is fixed by the GDPR.
The DUAB gives the Secretary of State the power to amend the special categories of personal data via Regulations, which may be controversial given the nature of the information concerned.
Complaints to the ICO
Where data subjects make apparently ‘unfounded’ or ‘excessive’ numbers of complaints, the ICO will have a new power to charge a fee for processing the complaint or to refuse to act on the complaint at all. The intention is to reduce the currently high rate of complaints that the ICO considers to be unnecessary.
Data Subject Access Requests (DSAR)
The right for controllers or processors to refuse vexatious requests has not been carried forward to the DUAB. However, the Bill will provide a more detailed timeline for responding to a DSAR, inserting a new Article into the UK GDPR that permits data controllers to extend response times in certain circumstances.
Cookies
Currently consent is required for all cookies, which is mainly handled through seemingly endless pop-up ‘accept’ or ‘reject’ boxes. This Bill allows for certain cookies to be deployed without a positive consent action.
Cookies that may be deployed automatically are those necessary for security, analytics or website performance. However, the use of such cookies must be transparent (with a notice) and there must be the option to opt out.
Complaints to data controllers
The Bill asserts the right of data subjects to complain directly to data controllers about GDPR infringements. This is not especially new, but data controllers must now have a complaints procedure and an easy way to facilitate the submission of a complaint, such as an online form. The data controller will be legally obliged to acknowledge the complaint within 30 days of it being submitted.
Other reforms
The Bill also proposes changes in national policy that don’t directly impact on the day-to-day running of a business. They include the following:
- Improving public sector data sharing
- A new statutory scheme for digital identity verification services
- Minor amendments to the Online Safety Act
- Technical standards for IT services in health care
- Giving coroners more powers to access information held by technology companies after a child's death
- Changing the governance model of the Information Commissioner's Office (ICO)
Conclusion
Some aspects of these changes are quite controversial with data protection specialists, such as increased powers for the Secretary of State. There is also concern that the combination of these changes will endanger the United Kingdom’s adequacy status with the EU.
The EU’s concern is that a looser data protection regime may give the UK an unfair competitive advantage, contrary to the Trade and Cooperation Agreement (the Brexit deal). The Government hopes it will attract more inward investment and encourage technological innovation.
It is highly likely that the Bill will enter into law, perhaps with minor changes, within the next 2 years. The changes will affect most UK organisations in some way, so keep an eye on developments and make sure you are prepared.
Ensure that you keep yourself bang up to date with all the important developments in UK data protection law by attending our half-day course: The GDPR Update – see here for details.
Written by Paul Murphy