Balancing act: what the Data (Use and Access) Bill means for businesses

03 December 2024

On 24 October 2024, the UK Parliament saw the introduction of the Data (Use and Access) (DUA) Bill. This is the second attempt to reform the EU GDPR (as retained by the UK following Brexit) after the previous effort, the Data Protection and Digital Information (DPDI) Bill, fell over earlier this year.

Like the DPDI Bill, the aim of the DUA Bill is to simplify access to, and use of, personal data for UK data controllers, without going so far as to erode the protections that give the UK its adequacy in the EU. There is a strong focus on easing the administrative burden of using personal data, by clarifying the kinds of activities that the UK would consider either low risk or in the public’s interest. Many of the changes are “tweaks” rather than structural changes. Businesses will therefore need to carefully assess if these changes are relevant to them. For businesses that operate across the UK and EU, these changes may be of limited practical benefit and impose the burden of having to comply with a dual regime. 

Automated decision making

The DUA Bill permits automated decision making (ADM) in "low risk scenarios" provided special category data is not processed. This is a relaxation compared to the current UK GDPR and EU GDPR, which have a blanket prohibition with only narrow exceptions.

For "significant decisions" (those with legal or similarly significant effects on a data subject), data controllers must implement safeguards, including informing data subjects about the automated processing, their right to contest decisions, and their right to seek human intervention. ADM which processes special category data is prohibited unless necessary for: (1) contractual or legal reasons; and (2) substantial public interest, the latter being difficult to demonstrate for businesses.

There are no plans for the EU GDPR to mirror this relaxation on ADM. UK businesses operating in the EU will thus still be restricted by the EU GDPR prohibition, unless one of the narrow exemptions applies.

New lawful grounds for processing

The DUA Bill introduces a new lawful ground for processing personal data: processing necessary for "recognised legitimate interests." When these interests apply, data controllers do not need to conduct a balancing test to determine if their legitimate interest is overridden by the data subject's interests, rights, or freedoms. Recognised legitimate interests include safeguarding national security, responding to emergencies, detecting, investigating, or preventing crime, and safeguarding vulnerable individuals. 

This streamlined process will be of limited benefit to businesses that are not significantly involved in public service sectors, such as healthcare, social care, national security, or crime prevention. 

“Likely legitimate interests”

The DUA Bill identifies some processing purposes as "likely legitimate interests". These purposes are: (i) direct marketing; (ii) intra-group personal data transfers; and (iii) processing necessary for network and IT security. While this aims to simplify data processing, businesses must still conduct a legitimate interests assessment and the balancing test. Arguably, this change does little more than restate an existing recital in the EU GDPR and UK GDPR, which notes that processing personal data for direct marketing may be a legitimate interest, though whether it is in a given case is often contested.

The European Data Protection Board (EDPB) has recently cautioned businesses to carefully evaluate the necessity of direct marketing activities and their impact on consumers when relying on legitimate interests for such activities. This suggests businesses should continue to obtain consent for direct marketing, as “best practice”. 

Processing for scientific research

The DUA Bill broadens the definition of scientific research to include any research "reasonably described as scientific," covering both publicly and privately funded research, whether commercial or non-commercial. The DUA Bill also allows data subjects to consent to their personal data being processed for scientific research even if the specific purposes are not fully identified at the time of consent. This more relaxed approach offers businesses greater flexibility in conducting scientific research (particularly when research is in its infancy) without excessive data protection restrictions.

Exemptions to cookie consent requirements

The DUA Bill amends The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), allowing businesses to use cookies without user consent in certain cases, such as for: (i) collecting statistical data to improve services or websites; or (ii) enhancing website appearance or performance, commonly known as “statistical” or “performance” cookies. However, businesses relying on these exemptions will still be subject to certain conditions to protect the user, such as informing users about the cookies (transparency) and allowing them to opt-out. 

UK businesses with online users in the EU should be cautious in their use of these exemptions. The EU GDPR has not relaxed its cookie rules, meaning you would need to comply with both regimes.

Data subject access requests

Under the DUA Bill, data subjects are only entitled to receive personal data found in a "reasonable and proportionate" search by the data controller. Existing ICO guidance on response time frames for DSARs is also now codified in the DUA Bill. Businesses can pause their response time to seek clarification from the data subject (but only where they cannot reasonably proceed with responding to the subject access request without this information). Businesses can also extend their response time by two months for complex requests or if they have received a high volume of requests.

These changes aim to reduce the administrative burden and cost of responding to DSARs. However, the DUA Bill does not go as far as the DPDI Bill, which suggested allowing businesses to refuse or charge for "vexatious or excessive" requests.

Takeaway

The DUA Bill is currently in its early stages, and its provisions may change as it undergoes scrutiny during the legislative process.

Most UK businesses operate across the UK and the EU, so for many businesses this slightly more permissive regime is likely to have limited practical benefit. In practice, it is likely that any UK business operating in the EU will decide to adhere to the more stringent regime (the EU GDPR) when developing or deploying its products, services, and online presence, particularly when using ADM or cookies. 

The DUA Bill is also silent on the interplay between data protection and artificial intelligence, indicating that the government has yet to tackle this significant issue.