Proposed Changes to the UK Data Protection Regime: What Do Businesses Need to Know?


The Data (Use and Access) Bill (DUA Bill) represents the most recent effort to reform the UK’s data protection landscape, introducing changes aimed at simplifying compliance and enhancing regulatory flexibility. The DUA Bill has three stated core objectives: (i) improving public services, (ii) growing the economy, and (iii) making people’s lives easier. The DUA Bill retains some content from the Data Protection and Digital Information Bills (DPDI) proposed by the previous Conservative governments, though some of the more controversial elements have been dropped.

While the changes introduced in the DUA Bill, if implemented, may benefit businesses focused solely on the UK, those operating across both the UK and the EU would still need to comply with the EU GDPR framework. For businesses, understanding the potential impact of these changes is crucial for compliance and strategic planning. Below, we summarize key aspects of the DUA Bill and provide insights into how these changes may affect businesses.

Key Changes

  • Automated decision making rules. The DUA Bill differentiates between automated decision making that involves the processing of special categories of personal data and that which does not, unlike the GDPR. Automated decision making involving special categories of personal data that results in a significant decision will remain generally prohibited (except in certain limited circumstances, e.g., with the data subject’s consent). However, automated decision making resulting in a significant decision that does not involve special categories of personal data is generally permitted provided that certain safeguards contained in the DUA Bill are complied with (such as providing the data subject with information about how such decisions are taken and enabling the data subject to obtain human intervention). These amendments could introduce more flexibility around automated decision making, which is particularly relevant given the rapid growth of artificial intelligence.
  • Special category data. The DUA Bill grants the Secretary of State the power to classify additional categories of personal data as “special category,” which would subject processing of such data to the higher protections under the current regime. While no new categories have been proposed in the DUA Bill itself, this would go some way to “future proofing” the data protection landscape as new categories of data become relevant, such as neurodata which has been the focus of recent regulatory publications.
  • Cookie compliance. The DUA Bill introduces new categories of cookies and similar technologies for which consent is not required, including where such technologies are used: (i) for statistics on how a website or service is used with a view to making improvements (e.g., certain analytics); or (ii) to enable the way the website or service is displayed to adapt to the preferences of the user or be otherwise enhanced. In each case, clear and transparent information must be provided to the user, who must be given the option to object to the storage (i.e., the placement of such cookies shifts from an opt-in to an opt-out basis). The practical impact of this measure is likely to be limited, given the global nature of many sites and the absence of corresponding changes under EU law. Similar changes were proposed in the EU as part of the ePrivacy Regulation, but progress has stalled in recent years, with no expected timeline for its passage.
  • Further processing and research. Clarifications are made to existing rules which may enable organizations to engage in processing activities that previously fell into grey areas. In particular, the DUA Bill (i) confirms that processing may occur for the purposes of scientific research, even when conducted by private entities; (ii) allows for broader consent to be obtained for scientific research, even where all purposes are not clear at the outset (subject to ethical safeguards); and (iii) provides criteria that organizations can use to determine whether further processing of personal data can be considered “compatible” with the original purpose for which it was collected (i.e., to enable such further processing to be conducted in accordance with the purpose limitation and data minimization principles).
  • Subject access requests. The DUA Bill does not include the same restrictions on the right of access previously included under DPDI. In particular, the DUA Bill does not propose to allow controllers to refuse to comply with “vexatious” or “excessive” data subject requests, to the frustration of many controllers. It does, however, include some clarifications relating to the time periods for compliance and confirms that controllers are only required to provide data they can obtain via “reasonable and proportionate” searches, effectively placing the generally understood position based on existing guidance and case law on a statutory footing.
  • Legitimate interests. The DUA Bill seeks to introduce “recognized legitimate interests.” Organizations can process personal data on the basis of “recognized legitimate interests” without requiring the usual exercise in balancing the organization’s interests against the fundamental rights and freedoms of the data subject. The proposed list of recognized legitimate interests includes security and defense, emergencies, crime, and safeguarding. The UK Secretary of State will have powers to add to this list within certain restrictive parameters.
  • Children’s data. The DUA Bill places an express statutory obligation on the UK regulator for data protection (currently, the Information Commissioner’s Office—but see comments below) to consider, when carrying out its functions, that children may be less aware of the risks and consequences of personal data processing and of their rights in relation to it. This reflects a broader trend among data protection regulators in Europe and globally, emphasizing the need for enhanced protections for children in data processing activities.

Complaints and Enforcement
In addition to the above changes, the DUA Bill introduces a new obligation on controllers to facilitate the making of complaints by data subjects about any alleged infringement of UK data protection law, for example, by providing a complaint form which can be completed electronically. Controllers receiving such complaints must take appropriate steps to respond and inform the complainant of the outcome. Controllers could also be required to notify the regulator of the number of complaints received. While many businesses will already have established complaints procedures, should the DUA Bill pass with these provisions included, such existing procedures would need to be reviewed to ensure alignment with the new rules.

The DUA Bill will bring into effect the proposed restructuring of the Information Commissioner’s Office into a new “Information Commission,” which will be governed by a board of between three and 14 members. The regulator will also have new powers, including the power to compel individuals to attend interviews as part of an investigation and to require the preparation of a report into certain matters (e.g., relating to an organization’s compliance) by an approved person.

Maximum penalties for breaches of the Privacy and Electronic Communications (EC Directive) Regulations—e.g., relating to cookie consent and direct marketing—have also been raised to the GDPR maximum of 4% of global turnover or £17.5 million (whichever is higher), increasing the risk for noncompliant cookie or direct marketing practices.

What Next?
The DUA Bill has entered the committee stage of the House of Lords where it will be debated and reported on before entering the House of Commons early next year. It is expected to receive royal assent and be passed into law during the course of 2025.

While there is an unshakeable sense of déjà vu in discussing proposed changes to the UK’s data protection regime, this time around it feels much more likely that the proposed changes in the DUA Bill will be made. Many of the provisions have already received cross-party parliamentary support as part of the debate around DPDI, and the more controversial aspects of previous reform attempts have been stripped away. The DUA Bill is also seen as much less of a threat to the UK’s adequacy status with the EU, another factor that makes its passage into law seem more likely. Organizations processing personal data subject to the UK’s data protection regime should therefore consider the impact the changes in the DUA Bill may have on their activities.