The Data (Use and Access) Bill

Monday 6th January 2025

On 24 October 2024, the Data (Use and Access) Bill (DUA) was introduced into Parliament, signalling the Government’s intentions on data protection law reform. The DUA follows the previous Government’s two failed attempts to replace the legacy GDPR, the most recent being the Data Protection and Digital Information (No. 2) Bill (DPDI). The DUA largely reflects the DPDI’s aims rather than being a wholesale rewrite.

The UK sees itself as a world leader in innovation, and the Government wishes to remove ‘red tape’ imposed by the GDPR. Whether this is achievable remains to be seen.

Current Stage: Report Stage

Much like the DPDI, the DUA is tricky to read, so below we summarise key obligations for UK businesses should the DUA become law and how these differ from current data protection laws.

What does the DUA look like?

The Bill has eight parts:

  • Part One: Powers for the Secretary of State to create new regulations on accessing customer and business data, including providing data directly to authorised parties and imposing financial penalties on those who fail to comply.
  • Part Two: A new framework for Digital Verification Services, including registering approved services and issuing a trust mark to verified service providers.
  • Part Three: Creating a statutory framework for the National Underground Asset Register, standardising how owners of underground assets should share data and streamlining this process to reduce delays caused by underground works.
  • Part Four: Creating a digitised register for births and deaths, removing the requirement for paper registers.
  • Part Five: Changes to the Data Protection Act 2018 (DPA), the UK GDPR and the Privacy and Electronic Communications Regulations (PECR).
  • Part Six: The creation of the Information Commission, replacing the current regulator, the Information Commissioner’s Office (ICO).
  • Part Seven: Other changes, including standards for the use of data in health and social care and smart meters.
  • Part Eight: Mainly governance and mechanical provisions.

There are also 20 Schedules, some more significant than others, including details of ‘recognised legitimate interests’, relevant for organisations seeking to rely on these as a lawful basis for processing, automated decision-making rules changes, international transfers rule changes, and proposed penalties for direct marketing/cookies rules breaches under the PECR.

See the ‘Jargon Buster’ section for key data protection terms.

What are the proposed changes?

The practical changes for UK commercial organisations and how they differ from the GDPR are summarised below:

A new data subject right – the right to complain

Current position under GDPR

The GDPR contains several established rights, such as the right of access, the right to be forgotten, and the right to rectification. There is however no express right for a data subject to complain, or have their complaint investigated by a data controller.

DUA proposal

Individuals under the DUA will have the right to complain where they suspect an infringement of their rights. Controllers are required to facilitate the making of complaints by taking appropriate steps, e.g. providing a complaint form to be completed and adopting appropriate governance around complaints. Such complaints must be acknowledged within 30 days of being received.

Controllers must also take appropriate steps to respond to the complaint, including investigating the subject matter of the complaint, and informing the complainant of the progress as the investigation is ongoing.

Artificial Intelligence: using AI and automated decisions

Current position under GDPR

Individuals (‘data subjects’) have the right not to be subject to a decision based solely on automated processing, which produces legal or similarly significant effects concerning them, with three exceptions.

DUA proposal

The DUA widens the scope of automated decision-making beyond the three exceptions, effectively allowing automated decision-making in most cases as long as an organisation implements safeguards. This paves the way for AI implementation.

Changes to the UK’s regulatory structure

Current position under GDPR

Currently, the UK’s data protection regulator is the Information Commissioner’s Office, with an Information Commissioner appointed who is responsible for enforcing the law.

DUA proposal

The DUA proposes restructuring the UK’s regulatory authority by transferring the functions of the current ICO to a new entity called the Information Commission. The DUA expands the regulator’s power and amends some of its current statutory framework, for example, the power to require specific documents/information from an organisation in its investigation process.

DSARs: refusing requests

Current position under GDPR

Controllers can refuse to respond to or charge a fee for responding to requests from data subjects that are manifestly unfounded or excessive. As clarified by UK and EU guidance, this is a high threshold to meet.

DUA proposal

The DUA will allow controllers to charge a fee for ‘vexatious’ or ‘excessive’ requests. Controllers must be transparent with individuals about their right to complain to the regulator if they refuse a request, and publish guidance on the fees they charge for responding to requests.

DSARs: searches

The DUA adds a new paragraph to Article 15 of the UK GDPR, clarifying the searches that controllers must undertake in the event of a DSAR.

The proposed amendment states that controllers must only conduct reasonable and proportionate searches for information and personal data requested.

In addition, controllers will be able to clarify from the requestor specific data they are asking for if they receive an ‘all data request’, which will be welcome to many organisations.

DSARs: timelines

Current position under GDPR

DSARs must be responded to within one month of receipt unless the DSAR is particularly complex, in which case the timeframe lengthens to three months.

DUA proposal

The DUA allows the response time to a DSAR to be paused to seek reasonable clarification on the information requested. Once the clarification is received, the response time resumes.

The DUA also states that an extension may be necessary due to the number of requests submitted, but controllers must inform the data subject of the extended response time and the reason for the delay within one month of receiving the request.

Enforcement for direct marketing/cookies rules breaches

Current position under PECR

The maximum fine under PECR for breaches is £500,000.

DUA proposal

The DUA proposes aligning fines with the current GDPR thresholds: £17.5m or 4% of annual global turnover.

International transfers of personal data

Current position under GDPR

Organisations must implement additional safeguards when transferring personal data outside of the UK/EEA. These include the International Data Transfer Agreement/Addendum and a risk assessment relating to the transfer.

DUA proposal

The DUA adopts a risk-based approach, making lower-risk transfers, in theory, easier to undertake.

The UK will also have the power to make its own ‘adequacy decisions’, which will be dealt with under the ‘data protection test’.

PECR – cookies rules

The DUA proposes to remove the need for consent for certain analytics cookies, making compliance more manageable for those undertaking this type of tracking.

Recognised legitimate interests

Current position under GDPR

The GDPR currently allows processing for ‘legitimate interests’ pursued by the controller, provided such interests do not override the interests or fundamental rights and freedoms of data subjects. The ICO recommends conducting a legitimate interests assessment to balance the proposed processing against individual rights.

DUA proposal

The DUA adds a new Annex 1 to the GDPR, recognising a number of legitimate interests. These include, among others: where the processing is necessary for national security, when responding to an emergency, and to safeguard vulnerable individuals. This would help many organisations demonstrate they have a lawful basis for processing.

Research and statistical use of personal data

Current position under GDPR

The GDPR contains provisions referring to three research-related purposes for processing personal data: (1) archiving in the public interest, (2) scientific or historical research, and (3) statistical purposes.

DUA proposal

The DUA introduces a new definition of ‘research and statistical data’ within the UK GDPR. This amendment provides enhanced flexibility for commercial research by expanding the scope of ‘scientific research’ to include certain privately funded and commercial activities in addition to non-commercial research.

Special category data

The DUA gives the Secretary of State the power to add new special categories of data, tailor their conditions of use, and add new definitions.

Significantly, though, the same power isn’t extended to removing existing conditions.

Tasks carried out in the public interest

The DUA clarifies that the task carried out in the public interest referred to in Article 6(1)(e) of the GDPR must be that of the controller – i.e., a controller cannot process personal data relying on another controller’s tasks carried out in the public interest.

Challenges

If the DUA is adopted, organisations that operate both in the UK and EU will be dual-regulated by UK laws and the EU GDPR, and as such will have to take steps in order to be compliant with both sets of laws. Previously, when the DPDI was introduced, the Government maintained that if companies were GDPR compliant, they would meet the requirements of the new laws. However, changes to legal and governance requirements could add further complications for organisations operating across the UK and Europe.

Furthermore, to allow a free flow of data between the UK and European Economic Area (‘EEA’), the European Commission requires countries outside of the EEA to have an equivalent level of protection to the GDPR. An overhaul of our data protection laws could theoretically lead to a lower level of protection than the GDPR, meaning organisations would need to put additional safeguards in place to give effect to ‘lawful transfers’, if the UK is no longer deemed ‘adequate’. The cost would fall to organisations in updating their contracts and undertaking risk assessments, which would be arguably counter-productive to the intention of the legislation. This somewhat restricts meaningful change if the change would negatively impact individual rights.

Next steps

The DUA is still in its early stages, currently at the Report Stage. As it progresses through Parliament, it will inevitably be subject to change. Although it helps to know about the proposed changes, there is no need to take any immediate steps. We will provide updates as the Bill progresses and confirm if and when businesses should consider updating contracts, policies and governance processes.

Data protection Jargon Buster:

Term – Meaning

Controller – The party who decides on the purposes and means of the processing of personal data (for example, an employer in an employment context).

Data subjects – Individuals.

DSAR or Data Subject Access Request – The right of an individual set out under GDPR (and the DUA) which allows an individual to access personal data an organisation holds about them.

Information Commissioner’s Office or ICO – The regulator responsible for regulating privacy and data protection in the UK.

PECR – The Privacy and Electronic Communications Regulations 2003, regulating direct marketing and the use of cookies in the UK and EU.

Personal data – Any information which identifies a living individual.