Following the government’s announcement of a data-focused agenda in the first King’s Speech, the Data Use and Access Bill (DUAB) was published on 23 October 2024 and introduced in the House of Lords. The Bill marks a strategic shift in the UK’s approach to data management, privacy, and digital transformation, with a vision to unlock data’s potential across industry sectors while enhancing protections for individuals and boosting regulatory clarity.
The DUAB, on first reading, represents a departure from the previous legislative proposals that lapsed before the 2024 general election. Whilst the Bill introduces some new rules to liberalise data use, promote an “open data” principles culture, and establish safeguards for international data transfers, it also retains and refines some elements of the previous
Notably, some of the more controversial proposals from earlier drafts have been set aside — possibly to ensure that the UK’s adequacy status with the EU remains secure as the European Commission prepares for its 2025 adequacy review.
The DUAB's data protection proposals
The new Bill’s approach to data and digital innovation builds on existing frameworks rather than overhauling them entirely. Part 5 of the DUAB covers data protection, clarifying that the UK GDPR and the Data Protection Act 2018 (DPA) remain foundational, while amendments are intended to refine, rather than replace, current legislation.
Elements of the earlier DPDI Bill — such as the removal of records of processing activities, data protection impact assessments, exemptions for vexatious data subject access requests (DSARs), and the shift from Data Protection Officers to “Senior Responsible Individuals”— have been dropped. Instead, the DUAB’s proposals reflect a more incremental adjustment to address modern data needs.
Summary of Key Provisions
Provision |
Elements inherited from DPDI
|
New additions in the DUAB |
Automated Decision-Making (ADM) |
Maintains proposals for clearer ADM rules and replacing Article 22 with a tailored version |
Introduces new Article 22A defining "solely automated" decisions, requires human review for significant ADM
|
Compatible processing purposes |
Proposals to expand lawful purposes for compatible processing |
Adds specific purposes for public interest, crime, and safeguarding in a dedicated schedule
|
Recognised legitimate interests |
Lists legitimate interest purposes for streamlined processing |
Adds qualified government power to update this list by regulation, subject to Parliamentary approval
|
Data subject access requests (DSARs) |
Proposals to limit DSAR scope to reasonable and proportionate searches |
Codifies the ICO’s guidance on DSARs into GDPR Article 15, clarifying proportionality for data searches
|
Research purposes |
Broadens research exceptions and supports scientific data use |
Expands scientific research definitions and introduces flexible consent for scientific research
|
Privacy and Electronic Communication Regulations 2003 (PECR) enforcement |
Proposals for aligning PECR with GDPR’s fines |
Introduces a new PECR schedule to enable ICO enforcement, applying GDPR-aligned fines to PECR violations
|
International data transfers |
Retains international transfer provisions with enhanced adequacy flexibility |
Allows the Secretary of State to approve third countries. Also includes materiality test to assess data protection standards
|
In-depth Analysis of Key Provisions
- Automated Decision-Making (ADM) flexibility
One of the central reforms in the DUAB is a significant update to ADM under Article 22. The DUAB replaces Article 22 with a revised structure that permits, and restricts, ADM in specific contexts. Article 22 contains:
- A relaxation of the general prohibition concerning ADM although special category data processing in ADM remains restricted; and
- Definition of ADM (new Article 22A) which requires an assessment of the level of human involvement and provides a baseline for ADM that relies on profiling. This allows businesses more flexibility, while ensuring individuals retain rights to challenge such decisions and receive meaningful explanations. - International data transfers
The DUAB addresses international data transfers to third countries by setting a specific adequacy test that the Secretary of State will apply when approving third countries as adequate. Unlike the EU’s approach, the DUAB’s materiality test requires third countries to maintain protections “not materially lower” than those of the UK, rather than exact equivalence. While this approach provides more flexibility, it also requires careful consideration of differing standards by data controllers conducting transfers. - Compatible processing purposes
The DUAB’s compatible processing purposes are expanded in alignment with public interest needs, allowing lawful data processing for purposes like crime prevention, public safety, and safeguarding. By delineating these purposes in a dedicated Schedule, the DUAB offers clarity for organisations seeking to use data responsibly in contexts benefiting society, facilitating compliance without ambiguity. - Recognised legitimate interests
The DUAB retains the DPDI’s approach of codifying legitimate interests into an official list, with legitimate interests like fraud prevention, business operations, and public interest purposes now formalised. However, it goes further by the government to adjust this list in future, allowing for flexibility to respond to emerging data use cases through regulation (subject to Parliamentary scrutiny). - Data subject access requests (DSARs)
Data subject access requests are simplified under the DUAB, which incorporates the ICO’s current guidance on reasonable and proportionate responses directly into Article 15 GDPR. This allows data controllers to respond with proportionate searches, addressing concerns about the scope of DSARs, especially where fulfilling requests may be burdensome or disproportionate. - Research purposes
The DUAB builds upon existing research provisions, supporting scientific, historical, and statistical research by expanding the definitions and flexibility in consent for processing personal data in research contexts. This update seeks to enable innovation while maintaining necessary privacy safeguards, particularly in sectors like healthcare, AI, and academic research. - Strengthened PECR enforcement
The DUAB aligns the ICO’s enforcement powers under the PECR with GDPR’s more stringent penalty structure. Schedule 1 of PECR is replaced with a new schedule to bring the ICO’s enforcement powers under PECR into line with those available to it under the DPA. Given that PECR violations in Adtech and targeted marketing have been a significant regulatory focus, this alignment signals a likely increase in PECR enforcement actions. Businesses should prioritise compliance with PECR requirements, especially regarding cookie use and direct marketing, to mitigate the risk of heightened penalties.
Additional Reforms Beyond Data Protection
The DUAB also introduces wider digital measures aimed at fostering a more cohesive and innovative digital landscape:
- ICO structural reforms: The DUAB transitions the ICO from a "body sole" into a "body corporate", introducing a formal Board structure with an appointed CEO. These changes aim to strengthen the ICO’s oversight and administrative structure, enabling a more modern and efficient regulatory body.
- Digital identity frameworks: The DUAB establishes a framework for digital identity verification, seeking to create secure and reliable methods for online identity authentication. This change is critical for sectors like financial services and public services, as it enables individuals and businesses to engage in secure digital transactions and interactions.
- Customer and business data access: The DUAB introduces data access standards similar to the EU’s Data Governance Act, facilitating controlled data sharing between businesses and public authorities. This framework promotes a competitive digital market while maintaining safeguards for consumer data rights.
- Electronic registers for key UK assets: The DUAB includes a provision for digital registers to manage UK assets like real estate, creating a transparent and accessible registry for businesses and public authorities.
- Health and social care data standards: The DUAB introduces an information standard for IT suppliers in health and social care, intended to improve interoperability and real-time access to healthcare data for public bodies and patients alike. This aligns with the government’s goal to enhance data-sharing practices and improve healthcare outcomes.
Key Considerations for Businesses
- AI and ADM
The DUAB’s approach to ADM aligns with the UK’s principles-based AI regulation, allowing organisations greater discretion in assessing the human involvement in ADM processes. While special category data remains restricted, the broader framework empowers businesses to innovate responsibly, provided they maintain transparency and review processes. Arguably, the presence of profiling, of itself, would not necessarily mean there is no human involvement such that the decision could amount to solely automated processing. - Data transfers
The introduction of a materiality test for data transfers underscores the government’s intent to balance flexibility with the UK’s adequacy status. Controllers will need to ensure that their third-country transfers comply with the DUAB’s new standard, which differs from the EU’s equivalence-based approach. These standards, although similar, are not exactly the same as those proposed in the European Essential Guarantees. This divergence requires careful attention to transfer impact assessments, as businesses may need to adjust compliance mechanisms for non-EU countries. - PECR enforcement and Adtech compliance
The increase in potential fines for PECR violations aligns with GDPR’s regulatory framework, reflecting the ICO’s ongoing focus on compliance in Adtech and targeted marketing. Businesses in these areas should reassess compliance strategies, particularly in cookie management and customer data usage, to avoid the risk of significant penalties.
Conclusion
The DUAB represents an important step in modernising the UK’s data protection and digital economy framework. By balancing innovation with strong privacy protections, the DUAB aims to position the UK as a leader in digital transformation, ready to harness the benefits of data-driven innovation while safeguarding individuals’ rights.
Kennedys’ data protection team will continue to monitor the DUAB’s progress through Parliament alongside responses and comment from key stakeholders (such as the ICO) on the Bill’s proposals, anticipating its impact on data compliance and the broader digital economy.
Related items: