The previous Conservative Government’s 2022 Data Protection and Digital Information Bill (‘DPDI Bill’) was billed as a wholesale reform to this country’s EU law-derived data protection regime of the kind which Brexit made possible. However, it provoked criticism from the European Parliament and anxious speculation that it could undermine the UK’s hard-won and valuable data adequacy decision from the EU. In the end the DPDI Bill, after a tortuous two years adrift in the legislative process, did not make the cut of bills which passed into law before this summer’s General Election.
The Government’s much-anticipated replacement for the former Data Protection and Digital Information Bill, now titled the Data (Use and Access) Bill (referred to hereafter as the DUA Bill), was introduced in Parliament on 23 October 2024. As expected, the DUA Bill’s data protection clauses are a somewhat watered-down version of its predecessor’s provisions: it is noticeable, for example, that the term ‘data protection’ does not appear in the name of the Bill this time; and that the data protection section, which was the first Part of the old Bill, does not appear until Part 5 of the new one.
Which of the DPDI Bill’s Provisions Are Not in the DUA Bill?
When comparing the DPDI Bill that failed to pass before Parliament was dissolved and the new DUA Bill, it is interesting to note which elements have been omitted. Most notable of the omissions are the former Bill’s controversial proposals to limit the UK GDPR’s obligations in conducting data protection impact assessments (DPIAs), maintaining records of processing activities (RoPAs), and mandating the appointment of data protection officers (‘DPOs’) in certain circumstances. There was a real fear that if the DPDI Bill had passed into law with these elements intact, it would have seriously jeopardised the UK’s adequacy decision from the EU Commission, which in 2021 confirmed that the UK’s privacy laws provide essentially equivalent protection to those in the EU, and which is up for review in 2025. So, in that regard, the DUA Bill represents a welcome dodging of a (potential at least) bullet.
As a consequence of the Bill’s retaining DPOs in their current form, the creation of the new role of ‘senior responsible individual’ proposed in the DPDI Bill will not now be enacted. Nor will the provisions from the DPDI Bill that would have given political parties, elected representatives, charities and not-for-profits broader rights to send electronic marketing.
In relation to data subject rights requests, the DUA Bill does not contain the proposal in the last Government’s Bill to replace the ‘manifestly unfounded or excessive’ ground for refusing requests with ‘vexatious’. This was another contentious dimension of the DPDI Bill because the term ‘vexatious’ was not defined in the Bill, and so it would have required the UK privacy regulator, the Information Commissioner’s Office (‘ICO’), to produce fresh guidelines on this topic, in addition to the substantial guidance and caselaw which has already developed around the meaning of the term ‘manifestly unfounded or excessive’.
Gone also is the accompanying rhetoric from the Government about the Bill’s main aim being to ease the administrative burden of data protection on British businesses. Nowhere in the Labour Government’s official announcement of the Bill on the GOV.UK website does it refer to cutting regulatory ‘red tape’. Instead, it talks much more about how the Bill, when passed, will allow for efficiencies in the NHS and Police, grow the country’s economy (by £10 billion over the next decade apparently) and ‘make people’s lives easier’. The latter point is in line with much of the tone of the ICO’s recent annual online Data Protection Practitioners Conference, in which various contributors foregrounded the social value of data protection and the ICO and its ability to ‘improve people’s lives’.
Which DPDI Bill Provisions Have Remained in the DUA Bill?
Aspects of the DPDI Bill which have survived in the DUA Bill include:
- Reforming the Information Commissioner’s Office (to be renamed the Information Commission) by giving it a corporate structure more akin to other national regulators, while not preserving the previous Bill’s grant of powers to the Secretary of State, which were seen by many, including the EU, as possibly compromising the authority’s independence
- Establishing a ‘trust mark’ standard for providers of digital ID verification services to show they are approved by a new Office for Digital Identities and Attributes within the Department for Science, Innovation and Technology
- The recognition of certain activities (though a shorter list than that set out in the DPDI Bill) as automatically qualifying for the lawful basis of ‘legitimate interests’, and therefore not requiring a legitimate interests assessment (LIA) to be conducted
- Amendments in relation to processing of personal data for research purposes, including the application of the purpose limitation to research activities
- Stating that controllers need only carry out reasonable and proportionate searches in response to data subject access requests (this will provide welcome clarity for many data controllers dealing with DSARs)
- Building upon the proposed amendments in the DPDI Bill in relation to the automated decision-making provisions of the UK GDPR, which will be particularly relevant to the use of AI, with the Secretary of State getting new powers to introduce additional safeguards
- Amendments in respect of the Secretary of State taking a risk-based approach to assessing the data protection adequacy of third countries when deciding to authorise transfers of UK people’s data to those countries, whereby the ‘data protection test’ to be met by the recipient jurisdiction is whether that territory’s privacy laws afford a level of protection ‘not materially lower’ than that provided by UK legislation (this is possibly the most problematic remaining holdover from the DPDI Bill, from a data adequacy ruling perspective)
- An amendment requiring data controllers and processors proposing to export personal data outside the UK using one of the Article 46 appropriate safeguards (e.g., the ICO’s International Data Transfer Agreement clauses) to satisfy themselves that the importing country meets the foregoing ‘data protection test’, presumably in the transfer risk assessment they are already required to perform when relying on an appropriate safeguard
- Amendments regarding the internal complaints-handling processes that controllers must adopt
- Amendments to the ePrivacy law, the Privacy and Electronic Communications Regulations (‘PECR’), including reforming the rules on the use of cookies and similar tracking technologies – e.g., by permitting organisations to deploy first party analytics tracking without the need to obtain prior consent from users – and extending the enforcement powers that apply under the Data Protection Act 2018 (including powers to impose very large fines) to infringements of the PECR.
In addition to retaining the above parts of the DPDI Bill, the DUA Bill also proposes amendments in relation to processing of ‘special category personal data’, including a power for the Secretary of State to add processing activities to the scope of what constitutes special category data. It is possible that the Government, at some stage, might want to ‘gold plate’ the UK GDPR by expanding the definition of special category data to include other types of data – e.g., personal data used to train AI algorithms – to ensure that AI developers clear a higher legal bar when processing people’s personal information for this purpose. There is also a (rather confusingly worded) provision that appears to allow such added processing to be removed from the general prohibition on processing special category data, on which we expect clarification as the Bill passes through Parliament.
However, despite these retained and additional amendments, it is fair to say that the Data (Use and Access) Act, when it is passed, will (on the evidence of the Bill as it currently stands) be a clarificatory law, rather than the wholesale reforming legislation that the preceding DPDI Bill was positioned as (although this was considered by some to be a case of ‘overselling’ by the previous Government). URM will be monitoring the DUA Bill’s progress through the parliamentary legislative process. If the Bill proceeds normally (unlike its precursor), it is anticipated to become law sometime next year.
How URM can Help
With a 19-year track record of providing GDPR consultancy to assist organisations in achieving and maintaining compliance with data protection legislation, URM is ideally positioned to help you understand and comply with the DUA Bill when it passes into law. Our large team of highly experienced GDPR consultants can offer a range of services to help your organisation comply with the Regulation, offering advice and guidance that is always informed by the latest developments in data protection legislation. For example, we can conduct a gap analysis of your current processing practices against GDPR requirements and support your remediation of any non-compliances identified, as well as offering more specific GDPR consultancy services such as assistance with DPIAs, data transfer impact assessments (DTIAs), and with producing a RoPA. URM’s data protection experts can also support your processing of data subject access requests (DSARs) by offering a GDPR DSAR redaction service. For ongoing compliance support, URM can provide a virtual DPO (vDPO) service, through which you will gain access to an entire team of experienced data protection practitioners, each with their own area of specialism.
If you would like to enhance your own understanding of DP and how to achieve and maintain GDPR compliance, we regularly run a range of DP-related training courses. If you are looking to gain an industry-recognised qualification in DP, URM offers a BCS Foundation Certificate in Data Protection (CDP) course, aimed at providing you with a strong understanding and practical interpretation of UK data protection law, including the UK GDPR and DPA 2018. To develop your skills in more specific areas of compliance with the Regulation, you can also attend our half-day courses on conducting DPIAs and DTIAs, and our 1-day ‘How to Manage DSARs’ training course, each of which will leave you with the skills necessary to undertake these activities when you return to your workplace.