DUA Act Finally Becomes Law

What Does the Data (Use and Access) Act 2025 Mean for Your Organisation’s Data Protection Compliance Programme?

Stuart Skelly | Senior Consultant at URM | Published on 24 June 2025

After a parliamentary gestation of three years and four (very different!) prime ministers, the much-anticipated Data (Use and Access) Act (the ‘DUA Act’) finally received Royal Assent on Thursday 19 June 2025.  After the long wait, and the early hype from Boris Johnson’s government in 2022, when the Data Protection and Digital Information Bill was first introduced and billed as a major reform of the UK’s data protection laws, the final outcome may, for some, feel like something of a damp squib.  The Bill’s progress was delayed in its final stages by the Government losing five House of Lords votes on AI and copyright, issues that were not even part of the Bill.  So, the actual changes that the DUA Act makes to the key data laws (the Data Protection Act 2018, the UK General Data Protection Regulation or ‘UK GDPR’, and the Privacy and Electronic Communications Regulations or ‘PECR’) might seem like an anticlimax.

However, if you look hard enough, there are some real, if limited, practical benefits in the new law for UK organisations processing personal data.  Below, URM has selected what are, in our opinion, the DUA Act’s top five practical benefits, and highlighted some of the implications for your organisation.

It is also worth mentioning that the vast majority of the Act’s data protection (DP) and privacy provisions do not come into force immediately.  They depend on secondary legislation (called ‘Commencement Orders’) being made by the Secretary of State to take effect, with the first of these expected around October 2025.  Until a provision has been commenced, the existing law continues to apply.

Automated decision-making

Section 80 of the DUA Act relaxes the restrictions on decisions made solely by automated means.  Safeguards remain, but the circumstances in which meaningful human involvement is required have been narrowed, which raises both opportunities and concerns around transparency and fairness.

What it means

The general prohibition on solely automated decisions that have a legal or similarly significant effect on an individual has been loosened: it now applies only where the decision is based on special category data (e.g., health information).  With these changes, arguably the most significant in the Act, the UK is seeking to recognise how mainstream automated decision-making has become and to sharpen its risk-based approach to the practice.  However, even where your organisation is not using special category data, it remains subject to safeguards, such as telling individuals that a decision was automated and allowing them to make representations, obtain human intervention and contest the decision.  So, if your organisation uses automated decision-making, you will need to review which of your decisions fall within the new rules and update your privacy notices to reflect these changes.

Note: The Act also contains extensive non-DP-related provisions on such matters as enabling smart data schemes for different sectors using trusted intermediaries, new rules for digital verification service providers, and updating the rules on information standards for health and social care.  These, though interesting, are outside the scope of this blog.

Data subject access requests (DSARs)

Section 78 of the Act introduces a ‘reasonable and proportionate search’ standard for DSARs under Article 15 UK GDPR.  This limits the burden on data controllers: a controller need only carry out searches that are reasonable and proportionate to the request, rather than an exhaustive trawl of every system, and may push back on excessive or unfocused requests.

What it means

If an individual asks for their personal data (a DSAR), and you as the data controller find that satisfying it would require an unreasonably long or difficult search through many files, emails or systems, you will be able either to decline or to ask the person making the DSAR to narrow down what data they would like to access.  This ability to refuse or focus requests already exists in the guidance of the UK privacy regulator (the ICO), but the DUA Act puts it into statute.  This should give organisations more confidence to say no when needed and hopefully encourage people to make more focused requests from the start, saving time for everyone.  Do document the reasons for any refusal or request to narrow, as you will need to justify your approach if the individual complains to you or to the ICO.

Establishing a framework that will allow a more risk-based approach to transfers of personal data outside the UK

The DUA Act creates a ‘data protection test’ to be used by the Secretary of State when determining whether a country outside the UK has adequate data protection laws in place (an ‘adequacy decision’).  The test asks whether a third country or international organisation offers a standard of data protection ‘not materially lower’ than that in the UK.  Under the current law, the threshold is the same as that applied by the EU Commission in its adequacy findings, namely ‘essentially equivalent’, which is arguably a higher standard.

What it means

The Act’s data protection test will also be used when UK organisations assess the risks of sending personal data to other countries, i.e., when conducting a transfer risk assessment (TRA).  Because the new test may be slightly easier to pass, it could help organisations reach positive conclusions in these TRAs more readily.  Although the Act’s changes to the rules on automated decision-making are often described as the most far-reaching of its reforms, URM’s view is that this alteration to the UK’s adequacy threshold, and its application to data export risk assessments, could give rise to a more serious point of contention between the UK and the EU.  The two could end up using different rules to determine whether a proposed importing country’s data protection is robust enough.  This may affect mutual trust in each other’s data protection regimes, particularly as the UK’s new rules could allow EU residents’ data to be sent onward to countries the EU does not consider to offer sufficient safeguards.  Since Brexit, the UK has been in lockstep with the EU on the granting of new adequacy decisions, but that could be about to change.  We’ll have to wait and see how this plays out!

Cookies and PEC Regulations Amendments

The DUA Act increases the maximum fine for breaches of PECR from £0.5m to £17.5m (or 4% of global annual turnover, whichever is higher, in line with UK GDPR); this is one of its few provisions that takes effect immediately.  At the same time, Schedule 12 of the Act amends PECR to widen the exemptions from the cookie consent requirement.  Consent is no longer required for cookies used for statistical analysis of the service (provided users are told about them and given a simple way to object), for cookies that store a user’s interface preferences, or for cookies strictly necessary to ensure security or to prevent or detect fraud.  The Act also extends the ability to rely on so-called ‘soft opt-in’ consent (for sending electronic marketing messages to consumers) to not-for-profit organisations, such as charities.  Another helpful change is that the personal data breach reporting deadline for service providers under PECR has been extended from the rather impractical 24 hours to the more reasonable 72 hours, aligning it with UK GDPR.

What it means

You will be able to update your cookie banners and policies to stop seeking consent for the exempted categories of cookie, although those cookies should still be described in your cookie policy and, in the case of analytics cookies, users must still be given a simple means to object.  Not-for-profit organisations will be able to send marketing emails and messages under the ‘soft opt-in’ (meaning they do not need to obtain formal consent), as long as the contact details were collected when the individual expressed interest in or support for the organisation’s purposes, the individual was given an easy way to refuse marketing at the time, this use is explained clearly in the privacy notice, and every message includes an option to unsubscribe.

Legitimate interests as a lawful basis for processing – no need to carry out a balancing test or legitimate interests assessment (LIA) for certain restricted uses

The DUA Act ushers in changes to the ‘legitimate interests’ lawful basis, including a new, limited list of pre-approved ‘recognised legitimate interests’, such as the use of personal data in serious civil emergencies and the sharing of personal data with government regulators.  Whilst it is correct that LIAs will no longer need to be completed for processing purposes such as national security, public security or defence, the prevention and detection of crime, or the safeguarding of vulnerable individuals (and the other interests the Act presumes to be legitimate), this is a fairly narrow set of cases, and reliance on this lawful basis will not absolve the controller from having to comply with the wider principles and other provisions of the UK GDPR as a whole.

What it means

Because of the types of legitimate interests involved, this change will mainly benefit public bodies.  However, some private sector organisations, for instance those that share data with regulators or process it to detect and prevent crime, will also welcome not having to conduct LIAs for new processing that fits one of the recognised categories.  Bear in mind that the data protection principles, transparency obligations and data subject rights continue to apply to that processing.

A sting in the tail

Finally, what the law gives with one hand, it sometimes partially takes away with the other.  Despite all the anticipation around the Act lightening the DP administrative load on organisations, it in fact adds a new statutory duty on data controllers: controllers must now have in place a procedure for handling all complaints from data subjects about their processing (not only those relating to DSARs, for instance).  Individuals’ right to use this complaints process, together with the statutory timeframes for response, must be set out in your organisation’s privacy notices.

Next steps

URM will monitor the Commencement Orders enabling relevant parts of the DUA Act to come into force as these are issued in due course.  As ever, URM is poised to assist any clients, existing or new, to respond to their amended DP compliance obligations under the new law and to adjust their corporate privacy frameworks accordingly.

How URM can help

With a 20-year track record of providing consultancy to assist organisations in achieving and maintaining data protection compliance, URM is ideally placed to help you understand and comply with the DUA Act as it becomes enforceable.  Our large team of highly experienced consultants can offer a range of GDPR support services to help your organisation comply, offering advice and guidance that is always informed by the latest developments in the DP regulatory framework.  For example, we can conduct a GDPR gap analysis of your current processing practices against the GDPR’s requirements and help you remediate any non-compliances identified.  We can also offer more specific services to help you achieve GDPR compliance, such as assistance with data protection impact assessments (DPIAs) and data transfer impact assessments (DTIAs), and with producing your record of processing activities (ROPA).  URM’s data protection experts can also provide DSAR support through our DSAR redaction service, as well as a virtual DPO (vDPO) service, whereby you gain access to an entire team of experienced data protection practitioners.

If you would like to enhance your own understanding of DP, URM regularly delivers a range of DP-related training courses.  If you are looking to gain an industry-recognised qualification in DP, URM offers a BCS Foundation Certificate in Data Protection (CDP) course, aimed at providing you with a strong understanding of the UK DP landscape.  To develop your skills in more specific areas, you can also attend our half-day courses on conducting DPIAs and DTIAs, and our 1-day ‘How to Manage DSARs’ training course, each of which will leave you with the skills necessary to undertake these key compliance activities when you return to your workplace.

About the author

Stuart Skelly is a Senior Consultant at URM and a highly experienced and knowledgeable GRC consultant who has specialised in data protection law for 25 years.
