DUA Bill: An Initial Assessment

When comparing the DPDI Bill that failed to pass before Parliament was dissolved and the new DUA Bill, it is interesting to note which elements have been omitted.  Most notable of the omissions are the former Bill’s controversial proposals to limit the UK GDPR’s obligations in conducting data protection impact assessments (DPIAs), maintaining records of processing activities (RoPAs), and mandating the appointment of data protection officers (‘DPOs’) in certain circumstances.  There was a real fear that if the DPDI Bill had passed into law with these elements intact, it would have seriously jeopardised the UK’s adequacy decision from the EU Commission, which in 2021 confirmed that the UK’s privacy laws provide essentially equivalent protection to those in the EU, and which is up for review in 2025.  So, in that regard, the DUA Bill represents a welcome dodging of a (potential at least) bullet.

As a consequence of the Bill’s retaining DPOs in their current form, the creation of the new role of ‘senior responsible individual’ proposed in the DPDI Bill will not now be enacted.  Nor will the provisions from the DPDI Bill that would have given political parties, elected representatives, charities and not-for-profits broader rights to send electronic marketing.

In relation to data subject rights requests, the DUA Bill does not contain the proposal in the last Government’s Bill to replace the ‘manifestly unfounded or excessive’ ground for refusing requests with ‘vexatious’.  This was another contentious dimension of the DPDI Bill because the term ‘vexatious’ was not defined in the Bill, and so it would have required the UK privacy regulator, the Information Commissioner’s Office (‘ICO’), to produce fresh guidelines on this topic, in addition to the substantial guidance and caselaw which has already developed around the meaning of the term ‘manifestly unfounded or excessive’.

Gone also is the accompanying rhetoric from the Government about the Bill’s main aim being to ease the administrative burden of data protection on British businesses.  Nowhere in the Labour Government’s official announcement of the Bill on the GOV.UK website does it refer to cutting regulatory ‘red tape’.  Instead, it talks much more about how the Bill, when passed, will allow for efficiencies in the NHS and Police, grow the country’s economy (by £10 billion over the next decade apparently) and ‘make people’s lives easier’.  The latter point is in line with much of the tone of the ICO’s recent annual online Data Protection Practitioners Conference, in which various contributors foregrounded the social value of data protection and the ICO and its ability to ‘improve people’s lives’.

Aspects of the DPDI Bill which have survived in the DUA Bill include:

• Reforming the Information Commissioner’s Office (to be renamed the Information Commission) by giving it a corporate structure more akin to other national regulators, while not preserving the previous Bill’s grant of powers to the Secretary of State to which were seen by many, including the EU, as possibly compromising the authority’s independence
• Establishing a ‘trust mark’ standard for providers of digital ID verification services to show they are approved by a new Office for Digital Identities and Attributes within the Department for Science, Innovation and Technology
• The recognition of certain activities (though a shorter list than that set out in the DPDI Bill) as automatically qualifying for the lawful basis of ‘legitimate interests’, and therefore not requiring a legitimate interests assessment (LIA) to be conducted
• Amendments in relation to processing of personal data for research purposes, including the application of the purpose limitation to research activities
• Stating that controllers need only carry out reasonable and proportionate searches in response to data subject access requests (this will provide welcome clarity for many data controllers dealing with DSARs)
• Building upon the proposed amendments in the DPDI Bill in relation to the automated decision-making provisions of the UK GDPR, which will be particularly relevant to the use of AI, with the Secretary of State getting new powers to introduce additional safeguards
• Amendments in respect of the Secretary of State taking a risk-based approach to assessing the data protection adequacy of third countries when deciding to authorise transfers of UK people’s data to those countries, whereby the ‘data protection test’ to be met by the recipient jurisdiction is whether that territory’s privacy laws afford a level of protection 'not materially lower' than that provided by UK legislation (this is possibly the most problematic remaining holdover from the DPDI Bill, from a data adequacy ruling perspective)
• An amendment requiring data controllers and processors proposing to export personal data outside the UK using one of the Article 46 appropriate safeguards (e.g., the ICO’s International Data Transfer Agreement clauses) to satisfy themselves that the importing country meets the foregoing ‘data protection test’, presumably in the transfer risk assessment they are already required to perform when relying on an appropriate safeguard
• Amendments regarding the internal complaints-handling processes that controllers must adopt
• Amendments to the ePrivacy law the Privacy and Electronic Communications Regulations (‘PECR’), including reforming the rules on the use of cookies and similar tracking technologies – e.g., by permitting organisations to deploy first party analytics tracking without the need to obtain prior consent from users – and extending the enforcement powers that apply under the Data Protection Act 2018 (including powers to impose very large fines) to infringements of the PECR.

In addition to retaining the above parts of the DPDI Bill, the DUA Bill also proposes amendments in relation to processing of ‘special category personal data’, including a power for the Secretary of State to add processing activities to the scope of what constitutes special category data.  It is possible that the Government, at some stage might want to ‘gold plate’ the UK GDPR by expanding the definition of special category data to include other types of data – e.g., personal data used to train AI algorithms, to ensure that AI developers clear a higher legal bar when processing people’s personal information for this purpose.  There is also a (rather confusingly worded) provision that appears to allow such added processing to be removed from the general prohibition on processing special category data, on which we expect clarification as the Bill passes through Parliament.

However, despite these retained and additional amendments, it is fair to say that the Data (Use and Access) Act, when it is passed, will (on the evidence of the Bill as it currently stands) be a clarificatory law, rather than the wholesale reforming legislation that the preceding DPDI Bill was positioned as (although this was considered by some to be a case of ‘overselling’ by the previous Government).  URM will be monitoring the DUA Bill’s progress through the parliamentary legislative process.  If the Bill proceeds normally (unlike its precursor), it is anticipated to become law sometime next year.