Anjali Shourie

Andrea Date


The current UK government has proposed changes to UK data protection law through a new Data (Use and Access) Bill (DUAB), which replaces the now abandoned Data Protection and Digital Information Bill (DPDIB) proposed by the former government. While the intention of the changes is still to reform the UK's data protection framework and ease the compliance burden on business, the DUAB also focuses on enabling better use and sharing of data to make people's lives easier and grow the economy.

 

How does the DUAB impact UK businesses?

In its previous form (the DPDIB), the European Parliament had been concerned that the proposed changes to the UK GDPR were substantial and that the EU/UK adequacy decision (which is due to be reviewed by June 2025) might therefore be affected.

However, the current view is that the DUAB does not significantly alter the UK's existing data protection laws, and it is therefore hoped that enactment of the DUAB will not trigger a review of the UK's adequacy status by the EU. If so, the UK will continue to be treated as a country that provides adequate protection for personal data transferred from the EU, and businesses can continue to share data between the two territories with relative ease.

If enacted as drafted, the changes that organisations will have to make to accommodate the DUAB are likely to be limited. Some of the amendments will be welcome clarifications for businesses; others may require businesses to change internal policies or practices. We explore the key amendments below.

 

What are some of the key amendments UK businesses should be aware of?

Legitimate interests

The DUAB amends the UK GDPR by introducing "recognised legitimate interests" as a new lawful basis for processing personal data. Processing that falls within a recognised legitimate interest is exempt from a full legitimate interest assessment. These categories are generally in the public interest and are unlikely to be relevant to most businesses: they include processing necessary for national security, defence, responding to emergencies and safeguarding vulnerable people.

The change that is more helpful for businesses is a clarification of what may count as a 'legitimate interest' for the purposes of the UK GDPR, and therefore of which types of processing can rely on that lawful basis (still subject to a full legitimate interest assessment). The examples given include processing that is necessary for direct marketing, intra-group transmission of personal data, and ensuring the security of network and information systems.

Purpose limitation

The DUAB further amends the UK GDPR by clarifying the purpose limitation principle, i.e. the restriction on processing for a new purpose that is not compatible with the original purpose. The DUAB introduces a list of purposes which are deemed compatible with the original purpose. Again, these are purposes in the public interest, such as disclosures to public authorities and safeguarding vulnerable people.

Automated decision making

The DUAB softens the position on automated decision making by expanding the types of decision that can be made on a solely automated basis. It limits the general prohibition on solely automated decisions in the UK GDPR to decisions involving special categories of personal data, making it easier to automate decisions that involve only ordinary personal data. It also clarifies that "solely" automated means there is no "meaningful human involvement", and that a "significant decision" is one which has a legal or similarly significant effect on the individual. These provisions are intended to make it easier to deploy AI while still protecting individuals.

International transfers

The DUAB introduces a new "data protection test" which the Secretary of State will apply when deciding whether a country to which personal data is to be transferred is 'adequate'. This differs from the current adequacy assessment: the data protection test asks whether the country's standard of data protection is not "materially lower" than the UK's. It is intended to give the UK more flexibility when making adequacy decisions.

Privacy and Electronic Communications Regulations (PECR)

The DUAB contains an exemption from the requirement for consent to cookies where the risk to the user is low. Examples include cookies that are necessary for security purposes, including fraud prevention, and cookies used solely for analytics. In addition, the DUAB aligns the penalties for breaches of PECR with those under the UK GDPR: the maximum fine rises from £500,000 to 4% of global annual turnover or £17.5 million, whichever is higher.

ICO Changes

The DUAB makes significant changes to the structure and governance of the ICO. The ICO will be renamed the Information Commission and will become a body corporate rather than a corporation sole, in line with other regulators such as the CMA. The DUAB abolishes the role of Information Commissioner and replaces it with a CEO, a Chair and executive and non-executive members, giving the regulator a more conventional internal governance structure. The Information Commission will also have additional information gathering, investigatory and enforcement powers, which could increase pressure on businesses, particularly in the context of a data breach.

Changes to subject access requests

The DUAB puts into legislation what is currently set out in ICO guidance. It provides that, where a controller reasonably requests more information in relation to a subject access request, the response time clock "stops" until that information is provided. It also clarifies that the controller's search is limited to what is "reasonable and proportionate", but it does not go as far as the DPDIB, which would have allowed a controller to reject a 'vexatious' request. In addition, controllers will be required to have a complaints process in place and to facilitate it, including by providing a complaint form.

Special category data

The DUAB gives the Secretary of State a power to designate further types of data as special category data, the most sensitive category of personal data, which requires additional processing safeguards. Although this power can only be exercised through secondary legislation, if used it could significantly increase the compliance burden on businesses.

 

What next? What is the likelihood of the DUAB being enacted?

A number of the proposed provisions were previously considered under the DPDIB, which may well speed up the legislative process and assist the enactment of the DUAB. The more controversial proposals from the DPDIB have been dropped, so the DUAB is likely to proceed with little challenge and little risk to the UK's current adequacy status with the EU. No doubt the EU will be watching its progress carefully nonetheless.

As explained above, some of the amendments to UK data protection law should benefit UK businesses, such as the clarification of legitimate interests and the ability to deploy automated decision making more easily where it does not involve special category data. For some businesses, though, the changes do not go as far as they might have hoped in lowering the perceived administrative burden of data protection compliance. In the run-up to formal enactment of the DUAB, businesses should ensure that they are compliant with the existing rules under the UK GDPR so that any changes required by the DUAB can be implemented easily.

Look out for further updates and analysis on the DUAB on our website or by signing up to our newsletter. If you have any questions on the DUAB or its impact and would like to get in touch – please contact us by emailing [email protected].


Get in touch

If you have any questions relating to this article or have any data protection matters you would like to discuss, please contact us.
