UK – The Government perspective on the Data (Use and Access) Bill: Third time lucky?

On Monday 25 November 2024, we were delighted to welcome Privacy Law & Business to Silk Street to discuss the new Data (Use and Access) Bill (the “DUA Bill”). An august panel of representatives from the Department for Business and Trade, the Department for Science, Innovation and Technology and the Information Commissioner’s Office was on hand to provide some behind-the-scenes insight into the new Bill.

The DUA Bill is intended to harness the power of data for UK economic growth, to enable modern digital government and to improve people’s lives, while also affirming high data protection standards to maintain EU adequacy.

It is the successor to the Data Protection and Digital Information Bill No 2 (the “old DPDI Bill”), which fell away in the summer, and the predecessor Data Protection and Digital Information Bill which lapsed in March 2023. While borrowing significantly from the draft provisions of the old DPDI Bill, the new Bill also moves away from some of the more controversial aspects of that Bill.

Goodbye Information Commissioner; Hello Information Commission

The DUA Bill will create the Information Commission as the independent UK authority responsible for upholding information rights, promoting data privacy for individuals, and overseeing compliance with data protection laws among organisations.

The Information Commissioner is a corporation sole, but the new Information Commission will be a body corporate, bringing it more in line with the structure of other regulatory bodies such as the Competition and Markets Authority.

The DUA Bill also gives the Information Commission new powers to compel individuals (rather than organisations) to be interviewed and to require organisations to prepare an expert report for the Information Commission’s purposes. These powers have been a long time coming, and the Information Commissioner’s representatives have indicated that they are expected to significantly enhance its investigatory and enforcement capabilities.

Changes to data protection laws

The DUA Bill contains evolutionary (rather than revolutionary) reforms but does contain important amendments to several key aspects of the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (“PECR”).

Many of the changes are carried over from the old DPDI Bill and include the following:

  • A list of recognised legitimate interests is included in the DUA Bill, together with a power granted to the Secretary of State to determine new recognised legitimate interests. Each of these newly recognised legitimate interests, such as processing for the detection, investigation, or prevention of crime, will automatically constitute a lawful basis under the UK GDPR, without requiring the carrying out of the balancing test between the legitimate interest and the rights of data subject(s).
  • The DUA Bill defines ‘scientific research’, which is a special purpose granted various exemptions under the UK GDPR, as ‘any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity’. This is particularly important in relation to justifying the processing of special category data under the UK GDPR.
  • The prohibition on automated decision making is set to be narrowed so as to only apply to decisions significantly affecting data subjects and for which special category data is processed. The DUA Bill also introduces data subject rights in relation to permitted automated decision making, such as the right to be provided with information on automated decisions, and to request human intervention in the decision making.
  • The data protection test threshold for international transfers will be amended from that of equivalence, to a requirement that data protection standards in the recipient country are not ‘materially less’.
  • Certain limited exemptions to the requirement to obtain consent to cookies will be implemented. Organisations will be able to rely on an opt-out process for cookies used for the specified purposes, such as for analytics and for website appearance optimisation.
  • The maximum limit to fines that can be handed down under PECR will be increased to align with the fines available under the UK GDPR. (Currently fines are capped at £500,000.)

A representative from the Information Commissioner indicated that organisations currently in compliance with the UK GDPR will be generally compliant with the new law, highlighting the moderate nature of the reforms in the DUA Bill.

Data protection: What we lost along the way

The moderate nature of the DUA Bill is highlighted by the dropping of some of the more controversial provisions of the old DPDI Bill. In particular, the following proposed amendments have been removed:

  • There will be no attempt to clarify the definition of ‘personal data’, leaving the definition under the UK GDPR intact and aligned with the EU GDPR.
  • The threshold for the exemption from the requirement to respond to a data subject access request remains ‘manifestly unfounded or excessive’. The change to ‘vexatious or excessive’ has been done away with.
  • ‘Democratic engagement’ has been removed from the list of recognised legitimate interests, and the regulation-making power granted to the Secretary of State in relation to these has been tightened up so that only new legitimate interests that serve a ‘public interest’ can be added via secondary legislation.
  • Data Protection Officers will remain. The old DPDI Bill proposed their replacement with ‘Senior Responsible Individuals’, who would necessarily have been part of senior management, but this has been dropped.

Smart Data

The DUA Bill promises more than reforms to data protection laws with a new “smart data” regime, allowing individuals to choose to share their personal data with third parties, known as ‘interface bodies’. The representatives of DSIT and DBT highlighted how this will help realise the efficiencies, benefits and cost-savings of greater data-sharing with customers.

The DBT representative gave the example of supermarket customer data sharing to provide customers with greater visibility of price differences and cost-savings across different supermarkets.

The plans are substantially based on the Open Banking system. It will be interesting to see how this system, which currently operates in the highly-regulated sector of banking, will be adapted to address the issues raised in less regulated sectors such as retail and marketing.

The system will be designed via Government consultation with relevant stakeholders, and we expect there might be further guidance on the types of organisations that will be permitted to share and receive personal data under the regime, as well as protections for customers.

Digital verification

These proposals are not for a centralised Government database of national identification, but instead a legislative framework for the growing use of digital verification services in the UK.

Digital verification allows people to prove things about themselves, such as their age or citizenship, without using hardcopy ID documentation.

These services are already provided by the Post Office and Lloyds Bank, and the DUA Bill’s legislative underpinning of these services is welcome. It enables these services to deliver on their promise, both economically, through the anticipated cost-savings in processes such as right to work checks, and for the millions of individuals in the UK who do not possess photo ID documents to prove their identity. DSIT estimates that the roll-out of digital verification will lead to cost-savings of £4.3 billion over the next 10 years.

The digital verification scheme will be regulated by way of a trust framework, building on the current UK digital identity and attributes trust framework, with supplementary codes to follow. Providers of digital verification services that meet the criteria would then be included in the publicly available Government register and receive a trust mark to evidence their compliance.

What’s next?

The Bill is expected to progress through Parliament relatively expediently, due to the similarities to the DPDI Bill, leading to Royal Assent in the spring or summer of 2025.