The UK’s Data (Use and Access) Bill (DUA Bill) was recently introduced into Parliament for its first reading. The DUA Bill seeks to bring a series of significant changes to data management, access, and privacy regulations, with a focus on modernising public service operations, strengthening data privacy frameworks and enhancing UK regulatory powers of enforcement. The DUA Bill also seeks to update the Privacy and Electronic Communications Regulations (PECR), a legacy piece of legislation derived from EU law that governs electronic marketing, cookies and similar technologies.

Here are some of the key changes proposed by the DUA Bill and what they mean for businesses operating in the UK:

  1. Enhanced data access for public services: The DUA Bill promotes streamlined data sharing among public bodies, like the NHS and the police, to boost efficiency and reduce time-consuming administrative processes. For instance, healthcare providers will gain real-time access to necessary data, enabling more timely responses and potentially better service delivery.
  2. Privacy standards for data-driven research: The DUA Bill introduces a “researcher data access regime” to permit ethical data access for research, with specific privacy protections in place. This allows for the use of personal data in scientific research while safeguarding against unauthorised or excessive data usage, supporting innovation without compromising privacy.
  3. Digital Verification Services: The DUA Bill provides a framework for digital identity verification, allowing secure and reliable digital ID solutions across sectors. This aims to create interoperable systems that protect user data while easing identity verification processes for businesses and public services.
  4. Privacy Notices: The DUA Bill removes the obligation on businesses to provide privacy information to individuals under Articles 13 and 14 (e.g. via a privacy notice) if providing this information is “impossible or would involve disproportionate effort”. Whether providing the information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing. However, businesses would still be responsible for taking appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, for example by making the information available publicly.
  5. Legitimate Interests: The DUA Bill seeks to refine and expand upon the circumstances in which businesses can rely on legitimate interests as a ground for processing personal data. Examples include processing that is necessary for the purposes of direct marketing (e.g. for legitimate business communications under PECR); intra-group sharing of personal data which is necessary for internal administrative purposes; and processing that is necessary for the purposes of ensuring the security of network and information systems. The DUA Bill also introduces the concept of ‘recognised legitimate interests’ which recognises the lawful processing of personal data for purposes of national security, emergencies, crime and safeguarding vulnerable people.
  6. Cookie Consent: The DUA Bill relaxes the requirement on businesses to obtain consent for non-intrusive cookies, such as those used solely for website functionality or analytical purposes, so long as they don’t track user behaviour across websites. This relaxation aims to reduce the frequency of cookie pop-ups for UK users, aligning with user-friendly practices similar to those in the EU’s ePrivacy regulation reforms.
  7. Creation of the Information Commission: The Information Commissioner’s Office (ICO) and the statutory role of the information commissioner (currently held by John Edwards) will be abolished and replaced by the Information Commission, a corporate body that will likely be overseen and influenced by the government in a similar manner to the Financial Conduct Authority and Competition and Markets Authority.
  8. Complaints procedure: In an attempt to reduce the number of complaints reaching the UK ICO, complaints made by data subjects must be made first to the data controller. The DUA Bill requires businesses to facilitate the making of complaints by taking steps such as providing a complaints form. Furthermore, businesses will be required to acknowledge receipt of the complaint within 30 days and investigate and respond to the complaint without undue delay. These requirements are likely to reflect what is already common practice for most businesses, but having a formal process in place will be important, particularly as the new DUA Bill seeks to hold Controllers accountable for managing complaints and could require Controllers to notify the ICO of the number of complaints received in a specified period.
  9. Enforcement Powers: The ICO is granted expanded enforcement capabilities for PECR violations, including higher fines for serious non-compliance, particularly where automated or unsolicited communications are used. Currently, the maximum fine the ICO can impose under PECR is £500,000. Bringing the potential fines for infringements of PECR in line with the level of fines under the UK GDPR is part of a broader push to ensure robust privacy protection in line with ICO enforcement trends.

Perhaps unsurprisingly, the changes proposed by the DUA Bill remain closely aligned with the EU, which will be an important factor if the UK wants to keep its adequacy decision with the EU, which currently allows personal data to freely pass between the EU and UK. This adequacy decision is due to be reviewed by the European Commission in 2025 and so the timing and nature of the DUA Bill is significant.

The DUA Bill is at the early stages of the legislative process and could be amended as it passes through the House of Lords and House of Commons before being enacted in UK law. We will be reporting on the Bill as it passes through government so please continue to check back here for further updates or alternatively you can join our Intellectual Property mailing list to stay abreast of all the latest legal matters.

If you have any questions or would like to discuss any of the topics in this article, please contact Nick Phillips or Selina Clifford in our Intellectual Property team.

Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.

Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.
