On 23 October 2024, the Data (Use and Access) Bill ("DUAB") was laid before Parliament in the House of Lords. The introduction of the DUAB was expected following its inclusion in the King's Speech and two abandoned efforts to pass the Data Protection and Digital Information Bill[1] ("DPDIB") under the previous government.
A perceived lack of clarity within the UK's existing data protection and privacy framework is, in the words of the Government, impeding "the safe development and deployment of some new technologies." The DUAB therefore seeks to make targeted reforms to parts of the UK’s existing and retained version of the EU General Data Protection Regulation (“UK GDPR”), Data Protection Act 2018 (“DPA”) and the Privacy and Electronic Communication Regulations ("PECR").
It is expected that the DUAB will proceed to conclusion, particularly as there is overlap with previous iterations, with some elements of the DPDIB reproduced in full. However, a number of prior proposals have been shunned in the first draft, and we discuss those below.
The Information Commissioner has provided his comments, stating that the changes "proposed in the Bill are pragmatic and proportionate amendments to the UK regulatory landscape." The full response issued by the ICO can be found here.
The second reading of the DUAB will take place on 19 November 2024. The House of Lords has published its briefing paper (available here) and the ICO has published a number of technical drafting comments on various clauses within the Data Bill, which may form the basis of Parliamentary discussions.
Measures to be introduced
The creation of a new lawful ground of 'recognised legitimate interests'
The DUAB will insert a new Annex 1 into the UK GDPR and amend the DPA, setting out a limited, exhaustive list of 'recognised legitimate interests'. The proposals largely reflect those set out within the DPDIB.
The limited exhaustive list consists of processing for the purposes of national security, public security and defence, emergencies, crime and the safeguarding of vulnerable individuals. This limited, exhaustive list of interests which automatically “pass” the balancing test will be welcomed by those controllers who process personal data for these purposes, although they may be of little relevance for private companies. Of particular interest is the fact that proposals within the DPDIB to include 'democratic engagement' on the list have been dropped, which is largely expected to be welcomed.
Clarification of the rules around purpose limitation principles
The Data Bill will insert a new Annex 2 into the UK GDPR and amend the DPA. Whilst the concept of purpose limitation and incompatible purposes is maintained, specific provisions have been added to aid controllers when determining if a new purpose is compatible with the original purpose. Again, these proposals largely reflect those as set out within the DPDIB. However, in addition, a specific list of purposes deemed to be compatible is proposed, setting out that processing of personal data for a new purpose is to be treated as compatible with the original purpose in circumstances where:
- new consent has been obtained;
- processing is for the purposes of scientific or historical research or archiving in the public interest; or
- the relevant conditions set out in Annex 2 are met and processing is for the purposes of public security; detection of crime; responding to an emergency; protection of data subjects' vital interest; safeguarding vulnerable individuals; taxation; or compliance with a legal obligation.
Processing for research purposes
The definitions of "scientific research", "historical research" and "statistical research" purposes will be clarified. Furthermore, an amendment to Article 4 of the UK GDPR will provide for circumstances in which consent to process personal data for research purposes remains valid even if not specific to the usual UK GDPR standard. This broader consent mechanism will be welcomed by those operating in this field.
Expanding the lawful basis for solely automated decision-making (ADM)
The DUAB as currently drafted will replace the existing version of Article 22 UK GDPR in its entirety and amend the DPA, as necessary. These changes allow the use of ADM in lower risk scenarios.
The ICO has welcomed the proposals as striking "a good balance between facilitating the benefits of automation and maintaining additional protection for special category data." However, this proposal has previously been highlighted as one that may be subject to close scrutiny by the European Commission when considering the UK's adequacy decision, as it is a clear departure from the protections provided in the EU GDPR.
The creation of the Information Commission
The Information Commissioner's Office will be abolished and replaced with the Information Commission. This moves the regulator away from the corporation sole structure, introducing a body corporate with a statutory board with a chair and chief executive. The Information Commissioner has responded positively to these changes, noting these "refreshed governance arrangements will maintain our independence and enhance our accountability."
The role of the Information Commissioner will be transferred to the new role of the chair of the Information Commission (still identified as the Commissioner within the Bill). This change will bring the ICO into line with other UK regulators such as Ofcom and the FCA, reflecting the growth in importance and size of the current iteration of the ICO since its creation. The Commission will consist of non-executive members (appointed by the Secretary of State for DSIT) and executive members (appointed by the non-executive members). The appointment of the non-executive members via a public appointment process is in line with other regulators.
The principal objective of the Commissioner will be to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest; and to promote public trust and confidence in the processing of personal data.
The Commissioner will be expected to have regard to the promotion of innovation and competition, along with being tasked with the publication of a strategy for the discharge of its functions.
The ICO response to the DUAB noted that the "government has decided not to pursue the proposal that the ICO must follow a statement of strategic priorities" which would have been prepared by the Secretary of State. This proposal had generated concerns about the regulatory independence of the ICO (and, in turn, the future of the UK's adequacy status), and its removal has been welcomed by the Commissioner.
There will also be a new requirement for the publication of an analysis of the Commissioner's performance using key performance indicators on an annual basis.
Powers of the Information Commission
The Information Commission will be given the power to compel a witness to attend an interview in certain circumstances. An "interview notice" can be served on current and former employees. This is a similar measure to that proposed in the DPDIB. As noted initially, our experience to date has shown that organisations are typically at pains to assist the ICO with its investigations and we are yet to encounter an individual that refuses to engage. As such, we suspect that this power will not be widely relied upon and is likely to have limited application.
Targeted amendments to PECR
Targeted amendments to PECR have been carried across from the DPDIB which will provide the Information Commission (or ICO if appropriate) with the same enforcement powers in respect of a breach of PECR as under the UK GDPR or DPA.
The Information Commissioner has welcomed these changes as they "ensure greater consistency for organisations as well as greater operational efficiency for the ICO."
Separately, the requirement for user consent will be removed (subject to various conditions) for the use of cookies/other tracking technologies in some online services where they are used for:
- collecting information for statistical purposes about how the website/service is used with a view to making improvements;
- ensuring user preferences (such as font size) are followed; and
- providing emergency assistance through the use of geographical location.
Data transfers
The DUAB proposes measures very similar to those proposed in the DPDIB. The regime for assessing the adequacy of third countries has been reformed and rebadged as the “data protection test” which focuses on risk-based decision-making and outcomes. The test will be met if the standard of data protection is “not materially lower” than that provided under UK law.
As set out in our previous analysis, this would provide more flexibility for the UK government when considering UK adequacy decisions. However, it could raise concerns with the European Commission, particularly if it is deemed that any onward transfer from the UK is not subject to the same protections as those provided in the EU. We expect this proposal to be closely scrutinised.
Similarly, the DUAB will amend the use of alternative transfer mechanisms. Although the use of an alternative transfer mechanism will remain subject to 'appropriate safeguards', such safeguards are to be determined by reference to the “data protection test” (as mentioned above) and be based on the “reasonable and proportionate” assessment of the relevant controller or processor.
Absences from the DPDI Bill
As set out above, much of the DUAB is familiar. A review of the research briefing published in December 2023 indicates that some clauses in dispute at that stage have been removed in line with Labour objections, including a controversial proposal to amend the definition of "personal data".
A number of the provisions which have not been carried forward relate broadly to accountability obligations, including proposals to:
- replace the Data Protection Impact Assessment with an 'Assessment of high risk processing';
- limit the requirement to maintain a Record of Processing Activity to high risk processing only; and
- replace “data protection officers” with “senior responsible individuals”.
A new proposed power enabling the ICO to commission independently produced technical reports to inform investigations is no longer part of the draft legislation. Our own analysis of this proposal raised concerns as to how these reports would be treated in terms of priority as against internal reports that are commissioned by the relevant organisation from specialist third party forensic investigators. The removal of this proposal, in particular, due to the associated costs being met by the organisation and not the ICO, will be welcomed by companies.
Finally, a proposed alteration to the threshold for refusing to comply with a data subject access request from 'manifestly unfounded' to 'vexatious or excessive' has been removed. This alteration would have made it easier for controllers to refuse certain requests.
Given the history of the DUAB, many of its provisions have already been subject to intensive scrutiny in a lifespan under two Governments. We therefore expect it to have a relatively short and swift journey through Parliament. Third time lucky for UK data protection reform!
[1] References to the DPDIB are to the version of the draft Data Protection and Digital Information Bill as amended in Grand Committee in April 2024.