How The Data (Use and Access) Bill Reshapes UK Data Protection and Privacy

The Data (Use and Access) Bill (DUAB), introduced to the UK Parliament on October 23, 2024, represents a significant evolution in the UK’s data protection and privacy framework. Building on existing laws such as the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR), the DUAB aims to foster innovation (whereas other AI regulations had done the opposite), enhance data-sharing, and modernize regulatory oversight while maintaining robust privacy standards. With provisions for smart data schemes, increased fines, and reforms to the Information Commissioner’s Office (ICO), the Bill presents both opportunities for growth and challenges for compliance.

What is the DUAB, and When Will It Be Implemented?

The DUAB is a comprehensive legislative proposal designed to modernize the UK’s data protection regime, promote economic growth through data-driven innovation, and improve public services. Introduced in the House of Lords, it builds on elements of the abandoned Data Protection and Digital Information Bill (DPDI) but shifts focus toward enabling secure data access and use, particularly through smart data schemes and digital identity frameworks. Unlike its predecessor, the DUAB retains core UK GDPR obligations, such as Data Protection Officers and Data Protection Impact Assessments, to ensure alignment with EU adequacy standards.

Implementation Timeline:

  • Introduction: The Bill was introduced on October 23, 2024.
  • Consultation Period: A public consultation is expected to conclude by January 2025.
  • Royal Assent: The Bill is anticipated to receive Royal Assent imminently.
  • Enforcement: Most provisions are expected to come into force by early 2026, with transitional arrangements to aid compliance.

Headline Impacts and Changes to Current Data Protection Legislation

The DUAB introduces targeted reforms to the UK GDPR, Data Protection Act 2018, and PECR, balancing innovation with privacy. Key changes include:

  • Smart Data Schemes: The Bill enables sector-specific regulations for secure data-sharing between service providers (e.g., financial or communications sectors) and authorized third parties, promoting innovations like open banking.
  • ICO Reforms: The ICO will transition into a body corporate, the Information Commission, with a formal board and CEO, enhancing its regulatory authority and aligning it with regulators like the Financial Conduct Authority.
  • Increased Fines for PECR Violations: Fines for breaches of PECR, which governs cookies and direct marketing, will align with UK GDPR levels, rising from £500,000 to up to £17.5 million or 4% of global annual turnover, whichever is higher.
  • Automated Decision-Making (ADM): Restrictions on ADM under Article 22 of UK GDPR are relaxed, allowing greater use of AI-driven decisions, except for special category data (e.g., health data), provided safeguards are in place.
  • Data Subject Complaints: Individuals must first raise data protection complaints with the data controller before escalating to the ICO, reducing the regulator’s workload and encouraging direct resolutions.

These changes aim to streamline compliance for businesses while maintaining high data protection standards, though they require organizations to adapt policies and procedures.

Lawful Processing of Personal Data: Changes and Best Practice

The DUAB clarifies and expands the use of “legitimate interests” as a lawful basis for processing personal data. Key updates include:

  • Recognized Legitimate Interests: A new category exempts certain activities, such as national security, crime prevention, and safeguarding vulnerable individuals, from requiring a Legitimate Interests Assessment (LIA). Direct marketing, intra-group data transfers, and network security may also qualify as legitimate interests, subject to a balancing test.
  • Privacy Notices: Organizations are exempt from providing privacy information under Articles 13 and 14 of UK GDPR where doing so would involve “disproportionate effort,” particularly for indirectly collected data, as seen in the Experian vs. ICO case.

Best Practices:

  • Conduct and document LIAs for non-recognized legitimate interests to ensure compliance with the balancing test.
  • Update privacy notices to reflect new rights, such as the right to complain to the data controller, and ensure transparency.
  • Regularly review data-sharing agreements to align with smart data scheme requirements and maintain EU adequacy compliance.

Data Subject Access Requests: Impact on Organisations and the Public

The DUAB codifies ICO guidance on Data Subject Access Requests (DSARs), emphasizing “reasonable and proportionate” searches. Key changes include:

  • Clarification of Scope: Organizations can request clarification from the requester and pause response timelines until identity verification or additional details are provided.
  • No Vexatious Exemption: Unlike the DPDI Bill, the DUAB retains the “manifestly unfounded or excessive” threshold for refusing DSARs, rejecting the broader “vexatious” exemption.
  • Complaint Process: Individuals must first address DSAR-related complaints to the data controller, reducing direct ICO complaints.

Impact:

  • For Organizations: The “reasonable and proportionate” standard reduces the burden of extensive searches, but robust DSAR policies and staff training are essential to manage complaints effectively.
  • For the Public: The requirement to raise complaints with controllers first may delay resolutions but encourages direct engagement, potentially improving outcomes.

PECR: Email Marketing Impact, Increased Penalties, and ICO Enforcement

The DUAB significantly strengthens PECR enforcement, particularly for email marketing and cookie usage:

  • Increased Fines: PECR fines will rise to UK GDPR levels (£17.5 million or 4% of global turnover), increasing the risk for non-compliant marketing practices.
  • Cookie Consent Exemptions: Consent is no longer required for low-risk cookies (e.g., analytics or functionality cookies), provided an opt-out is offered, reducing consent fatigue. Targeting cookies still require consent.
  • Spam Definition: Fines will apply to the sending of spam messages, not just successful deliveries, potentially leading to higher penalties for spammers.
  • ICO Enforcement: The ICO’s enhanced powers include compelling document production and electronic notice delivery, improving efficiency in addressing overseas controllers.
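The cookie rule summarised above (low-risk analytics and functionality cookies may be set without prior consent as long as an opt-out is honoured; targeting cookies still need an explicit opt-in) is straightforward to encode as a consent gate. The following is an added example written for this article, not code from the original post or from any vendor; the category names, the format of the site’s own consent cookie, and the sample cookie inventory are assumptions made for illustration, and which category a given real cookie belongs to remains the site’s own determination.

```javascript
// Added example (not from the original post): a cookie-consent gate that
// applies the DUAB cookie rule described in the article. Category names,
// the consent-cookie format and the sample inventory are assumptions.

// Categories that may be set without prior consent, provided an opt-out exists.
const LOW_RISK = new Set(["analytics", "functionality"]);
// Categories that still require explicit opt-in consent.
const CONSENT_REQUIRED = new Set(["targeting"]);

// Parse the site's own consent cookie, e.g. "optin=targeting;optout=analytics"
// (constructed format). Returns { optIn: Set, optOut: Set }.
function parseConsent(value) {
  const consent = { optIn: new Set(), optOut: new Set() };
  for (const part of (value || "").split(";")) {
    const [rawKey, list] = part.split("=");
    if (!list) continue;
    const key = rawKey.trim().toLowerCase();
    const target = key === "optin" ? consent.optIn : key === "optout" ? consent.optOut : null;
    if (!target) continue;
    for (const cat of list.split(",")) {
      const c = cat.trim().toLowerCase();
      if (c) target.add(c);
    }
  }
  return consent;
}

// Decide whether a cookie of `category` may be set under `consent`.
function mayStore(category, consent) {
  if (category === "necessary") return true;                 // strictly necessary: always allowed
  if (LOW_RISK.has(category)) return !consent.optOut.has(category);        // allowed unless opted out
  if (CONSENT_REQUIRED.has(category)) return consent.optIn.has(category);  // needs explicit opt-in
  return false;                                              // unknown category: fail closed
}

// Split a cookie inventory into the names that may be set and those that are blocked.
function applyConsent(cookies, consentCookieValue) {
  const consent = parseConsent(consentCookieValue);
  const allowed = [];
  const blocked = [];
  for (const c of cookies) {
    (mayStore(c.category, consent) ? allowed : blocked).push(c.name);
  }
  return { allowed, blocked };
}

// Constructed sample cookie inventory (names and categories are illustrative).
const SAMPLE_COOKIES = [
  { name: "session_id", category: "necessary" },
  { name: "_ga", category: "analytics" },
  { name: "lang_pref", category: "functionality" },
  { name: "ad_id", category: "targeting" },
  { name: "mystery", category: "tracking" },
];

// First visit, no consent cookie yet: low-risk cookies go ahead, targeting waits.
console.log(applyConsent(SAMPLE_COOKIES, ""));
// { allowed: [ 'session_id', '_ga', 'lang_pref' ], blocked: [ 'ad_id', 'mystery' ] }

// Returning visitor who opted in to targeting but opted out of analytics.
console.log(applyConsent(SAMPLE_COOKIES, "optin=targeting;optout=analytics"));
// { allowed: [ 'session_id', 'lang_pref', 'ad_id' ], blocked: [ '_ga', 'mystery' ] }
```

The gate fails closed on any cookie whose category is not in the inventory, so a cookie that was never classified cannot slip through as low-risk; that classification step is where most of the compliance effort in the audit recommended later in the article actually lands.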

Impact on Email Marketing:
Organizations must ensure compliance with PECR’s consent rules for email marketing, as the legitimate interests basis applies only where consent is not required. The ICO’s focus on privacy-preserving advertising models may reduce enforcement for low-risk activities, but heightened fines underscore the need for robust compliance.

Practical Tips to Benefit from Opportunities and Avoid Non-Compliance Pitfalls

To leverage the DUAB’s opportunities while avoiding penalties, organizations should:

  1. Review PECR Compliance: Audit cookie management and email marketing practices to ensure consent where required and leverage exemptions for low-risk cookies.
  2. Update DSAR Processes: Implement clear policies for handling DSARs, including identity verification and complaint procedures, to align with the “reasonable and proportionate” standard.
  3. Leverage Smart Data Schemes: Explore opportunities in sectors like finance or communications to participate in secure data-sharing initiatives, ensuring compliance with sector-specific regulations.
  4. Enhance Training: Train staff on updated lawful bases, particularly legitimate interests, and ensure awareness of increased PECR penalties.
  5. Monitor EU Adequacy: Align compliance with UK and EU GDPR to maintain seamless data transfers, as the EU’s adequacy review is scheduled for December 2025.
  6. Engage with ICO Guidance: Utilize the ICO’s forthcoming statement on low-risk advertising and participate in stakeholder panels to shape compliance practices.
