In 2024 the UK got a new government and (at long last) a new draft data protection bill which is currently under discussion in Parliament. Is the UK on the verge of enacting a major overhaul of its data protection framework? Not quite. The Data (Use and Access) Bill (DUA Bill), builds on the legacy of the GDPR, while introducing bespoke changes tailored to the UK’s digital economy.
This cautious approach signals the government’s intent to preserve the UK’s hard-won adequacy decision, which enables frictionless data transfers between the UK and the EU.
What’s New in the DUA Bill?
The DUA Bill retains familiar elements from previous legislative proposals but introduces crucial refinements. Notably, contentious proposals, such as redefining personal data in ways that could threaten the UK’s adequacy agreement with the EU, have been shelved. Data Protection Officers can breathe a sigh of relief: the UK’s adequacy decision looks safe for now. Here is a closer look at the key reforms introduced by the DUA Bill.
Automated Decision Making (ADM): fewer restrictions, more accountability
One of the most transformative changes in the DUA Bill is its revised framework for Automated Decision Making (ADM). The Bill narrows the scope of restrictions to significant decisions involving special category data with no meaningful human involvement. This shift is designed to reduce compliance burdens while safeguarding individuals from procedural unfairness. The introduction of enhanced redress mechanisms is a noteworthy addition. These measures aim to give individuals the tools to challenge decisions, fostering trust and transparency in ADM systems. This is particularly significant for industries such as financial services and insurance, where ADM systems are widely used to assess creditworthiness, claims, or risk. In practice, many ADM systems will fall outside the scope of these restrictions, especially if they do not involve special category data or have legal/contractual effects.
Legitimate interest: A welcome clarification
The DUA Bill introduces explicitly recognised legitimate interests where controllers are not required to conduct a Legitimate Interests Assessment (LIA). These include processing for national security, defence, and other public interest activities. However, these carve-outs are unlikely to impact most businesses. For day-to-day operations, controllers will still need to conduct LIAs for common purposes like direct marketing, intra-group transfers, and security measures. The inclusion of direct marketing as a qualifying legitimate interest reaffirms the legal basis frequently relied upon by businesses, despite objections raised by some regulators, such as the Dutch Data Protection Authority. Please refer to our article.
Cookies and PECR: e-Privacy bites
The DUA Bill introduces important changes to the UK’s Privacy and Electronic Communications Regulations 2003 (PECR), providing long-awaited clarity for website operators. The key updates include consent exemptions for analytics and appearance cookies: these cookies will no longer require user consent if they are necessary to improve user experience and do not pose significant privacy risks. The Bill also clarifies what counts as an essential cookie. Marketing cookies, however, remain subject to explicit user consent. Organisations should also note that the maximum PECR fines (currently £500,000) will be aligned with those under the UK GDPR: up to £17.5 million or 4% of global annual turnover. This alignment underscores the growing importance of compliance in the digital marketing industry.
International transfers: a material test for adequacy
The DUA Bill introduces a more flexible, risk-based approach to international data transfers. The new test requires that the data protection standards in the destination jurisdiction must not be “materially lower” than those in the UK. This standard is less rigid than the EU’s “essential equivalence” requirement, but it raises questions about how “materially lower” will be interpreted in practice.
Data Subject Rights: Streamlined access and portability
While less headline-grabbing, the DUA Bill introduces refinements to data subject rights, aiming to simplify the process for both individuals and controllers. Key updates include clearer timelines and reduced administrative burdens for controllers. It also provides an expanded scope for the data covered under portability rights to encourage innovation and competition.
On the horizon
As the DUA Bill moves through Parliament, organisations should prepare for significant updates in 2025 when the Bill is expected to become law.
This article was co-authored by Joshua Curzon, Trainee Solicitor.