
Data protection reform in the UK: what’s being proposed and what are the practical considerations?

The Data (Use and Access) Bill (the “Bill” or “DUA Bill”) is the new Government’s version of the former Government's Data Protection and Digital Information Bill (the “DPDI Bill”), which lapsed prior to the last general election.

This article explores the key proposed changes to current data protection law, the introduction of digital ID and e-privacy provisions, and the practical considerations for organisations when navigating this new Bill.

Changes to Current Data Protection Laws

The DUA Bill introduces several amendments to existing data protection laws, with the intention of making the legal framework more user-friendly and accessible for both individuals and businesses. The following are some of the notable changes:

Data Subject Complaints

Individuals will be required to submit their data protection related complaints to organisations directly in the first instance. This means that complaints can only be escalated to the ICO (the UK data protection authority) where the complaint has not been dealt with adequately or the individual is dissatisfied with an organisation’s response. This is intended to ensure that the ICO focuses on complaints of greater significance whilst also giving organisations the opportunity to address and resolve complaints first.

Data Subject Access Requests (“DSARs”)

Under the DUA Bill, individuals are only entitled to the personal data that organisations can locate following a “reasonable and proportionate” search. This codifies existing ICO guidance and should give organisations comfort about the scope of the searches they are required to make in response to a DSAR.

Scientific Research

The Bill aims to redefine scientific research and modify the consent requirements to simplify the process of reusing personal data initially gathered for specific research projects. The Bill now makes clear that commercial research, privately funded research, and any research that can reasonably be described as scientific, falls within the scientific research exemption under Article 89(2) of the UK GDPR (which disapplies certain data subject rights in certain circumstances). The Bill also amends the consent requirements: organisations can obtain broad consent for broad purposes, which is designed to address situations where it is not possible to fully identify the processing purposes at the time the personal data are collected.

Legitimate Interests

The DUA Bill retains the concept of a “recognised legitimate interest” from the DPDI Bill, whereby organisations relying on this basis will not have to carry out a balancing exercise in certain “recognised” situations. The list of recognised legitimate interests includes sharing data in relation to national security, emergency response and safeguarding vulnerable people. There is also a separate list of activities where legitimate interests may be relied upon, including intra-group data sharing for administrative purposes, direct marketing and processing to ensure network and information security, but those will still require legitimate interest assessments to be carried out. The Secretary of State (“SoS”) can omit from, add to or vary these lists if it is necessary to safeguard a public objective in Article 23(1)(c) to (i) of the UK GDPR (e.g. public security, the protection of judicial independence and judicial proceedings, and the protection of the data subject or the rights and freedoms of others). However, it will be interesting to see whether these aspects survive the legislative process, as critics have expressed concern that the provisions give the SoS extremely wide-ranging powers.

Special Category Data

The SoS will have powers to expand the list of special category data and to amend the conditions under which such data may be processed. This has been introduced to address emerging uses of data in new technology and to ensure the law is future-proof in relation to particularly sensitive data. For example, it may be that neural data (i.e. data collected from brainwave activity) ought to be special category data, given the ethical considerations around processing this type of data. This is an important addition which was not present in the DPDI Bill and could impact businesses if additional protections are given to new categories of data.

Solely Automated Decision-Making (“ADM”)

The DUA Bill intends to replace Article 22 of the UK GDPR, which relates to solely automated decision-making (i.e. decisions made by automated means with no meaningful human involvement) where there are “significant legal effects” (e.g. an online decision to give a loan, or a recruitment test with pre-set algorithms and criteria).

Under the UK GDPR, ADM is restricted to three conditions, where: (i) it is necessary for the performance of, or entering into, a contract between an organisation and an individual; (ii) it is authorised by law; or (iii) the individual has explicitly consented. The Bill seeks to relax this by providing that one of these conditions only needs to be met where special category data is involved. This means that ADM will generally be allowed, subject to certain safeguarding measures. For example, organisations will need to provide information to individuals about the decisions being taken using ADM, their right to contest those decisions and their right to seek human intervention.

International Transfers 

The Bill proposes a more flexible, risk-based approach to international data transfers, as was also proposed in the DPDI Bill. When the SoS is assessing a third country or organisation (i.e. to determine whether it is “safe” for personal data to be sent there), the Bill introduces a new “data protection test”. The key point is that the level of protection in the third country or organisation must not be "materially lower" than in the UK. This new test recognises that other countries’ data protection regimes will not be identical in form to the UK’s and that differences may exist given the cultural context of privacy. A similar test is also introduced for organisations to apply when they transfer personal data outside the UK.

Regulatory reform

Under the Bill, the ICO will be known as the Information Commission and will adopt a new structure containing a board of non-executive and executive members. The Information Commission will still be required to consider certain factors when exercising its functions, including promoting innovation and competition; the prevention, investigation, detection and prosecution of crime; and public and national security. The Information Commission will also have a duty to have regard to children’s vulnerability and to the fact that they may be less aware of the risks and consequences of personal data processing and of how they can exercise their rights.

E-Privacy, Digital ID, and Smart Data

Cookie Consents

The Bill retains an exemption first introduced by the DPDI Bill which relaxes some of the cookie consent requirements where the privacy risk to users is low. These include non-intrusive cookies (such as those used for analytics and website display) and those used for security (such as preventing or detecting fraud). However, this is not a blanket exemption: users must still be given information about the purpose for placing the cookies and the ability to opt out. The aim of these changes is to simplify the cookie regime, reduce the frequency of cookie pop-ups, and improve user experience.

Penalties and Enforcement Powers

Currently, the maximum penalty for e-privacy breaches is £500,000. The DUA Bill increases these fines to align them with the UK GDPR. This means that breaches of e-privacy rules (including cookie and e-marketing breaches) can attract the maximum penalty of £17.5 million or 4% of worldwide turnover. The aim is to increase consistency across the data privacy enforcement landscape. However, it will inevitably leave more organisations exposed to greater fines, especially in areas where the ICO is already very active, such as nuisance calls and texts.

Codes of Conduct

The Bill imposes obligations on the ICO to encourage representative bodies to design codes of conduct to help with e-privacy compliance. There is also a provision for accreditation bodies to monitor compliance with these codes. The hope is that it will improve organisational efficiency and increase the consistency of the application of privacy rules. 

Smart Data

The DUA Bill builds on the approach to open banking and creates a framework that aims to ease information sharing between businesses and regulated/authorised third parties in key sectors such as utilities, transportation, and real estate. Details of sector-specific frameworks will be contained in secondary legislation, but so far the Bill proposes: (i) digital registers for UK assets, such as real estate, to create more transparency for businesses and public authorities; and (ii) common data standards for IT suppliers across the health and social care sector to enable real-time data sharing across platforms and to improve access to healthcare data for public bodies and patients.

Digital ID

This section builds on the digital ID provisions of the DPDI Bill. The DUA Bill creates a more structured system in which providers of digital verification services (“DVS”) can be certified within a trust framework. The DVS trust framework sets out rules and codes of conduct for providing DVS, and a DVS register which organisations can apply to join if they are certified by an accredited body as compliant with the framework. Once registered, the DVS provider will receive a trust mark to enable public recognition. The Bill also establishes an “information gateway” for public authorities to share personal data with DVS providers so that the individual can receive DVS services, but only if the individual requests it and the disclosure does not breach data protection legislation. The hope is that this will allow better digital ID solutions across different sectors and improve interoperability, while easing the administrative burden of the existing paper-based ID verification process for businesses and public services. However, the Bill goes to some lengths to stress that this is not a mandatory national ID system: the digital ID system is purely voluntary.

Online Safety Research

The Bill proposes to amend the Online Safety Act (the “OSA”) to allow the SoS to issue regulations that require providers regulated under the OSA to give online safety researchers access to data from online services, provided any such disclosure does not breach data protection laws. The hope is that this will make it easier for researchers to access data to study online harms and provide a similar framework under UK laws as that under Article 40 of the EU Digital Services Act.

Practical Considerations for Organisations

The DUA Bill does not depart significantly from the UK’s existing data protection regime and, in fact, may make life easier for companies. Therefore, organisations will only be required to make minor changes to their existing documentation and processes. However, organisations may need to revisit their complaints procedure in light of the new requirement for individuals to complain directly to organisations before escalating to the ICO.

We will keep you posted as the Bill makes its way through the legislative process.
