The previous UK government's Data Protection and Digital Information ("DPDI") Bill did not become law due to the July 2024 UK general election. That Bill contained provisions – for example, allowing the Government to set strategic priorities for the Information Commissioner's Office ("ICO") – that could have jeopardised the UK's EU adequacy decision, which is up for review in June 2025.
For details on these previous unsuccessful attempts at reform, please see A New Direction for UK Data Protection Law: the Data Protection and Digital Information Bill and Another new direction: UK reintroduces the Data Protection and Digital Information Bill, but what's changed?.
The new Data (Use and Access) Bill bears a close resemblance to the DPDI Bill, but with changes apparently intended to maintain the UK's EU adequacy status. The the new Government has stated that this is a key priority, alongside growing the economy, improving UK public services and "making people's lives easier".
The changes will not signifcantly increase the burden on organisations subject to UK data protection law, which may instead be able to take advantage of certain provisions.
The Bill's proposed key changes to UK data protection law
Complaints. Controllers must facilitate complaints by data subjects and data subjects should complain to controllers before going to the regulator. There is a new 30-day deadline for acknowledging complaints and controllers must give a substantive response "without undue delay". This will likely require amendments to privacy notices and rights request processes.
Enforcement and the regulator. The ICO would gain significant new investigatory powers, including the authority to request documents, to require a wide variety of individuals to attend an interview and to compel a third party report on processing being investigated to be drawn up, at the controller or processor's own expense. The regulator's fining powers under PECR have also been increased to the same level as the UK GDPR – up to 4% of annual turnover or £17.5m, whichever is higher. The ICO would be given a makeover, with a new name - the Information Commission – a new corporate structure and a board, bringing it in line with other UK regulators such as Ofcom.
Legal bases. The Bill provides a new "recognised legitimate interests" basis for processing. No balancing test will be needed to pursue certain listed processing purposes. These include national security, public security and defence, emergencies, detection investigation or prevention of crime, safeguarding vulnerable individuals and disclosure to a person performing a public interest task.
There is also a new list of statutory examples of "ordinary" legitimate interests, including direct marketing – though the usual balancing test will still apply.
Automated decision-making. The prohibition on automated decision-making with significant effects ("ADM") is narrowed, to cover only ADM using special category data. Safeguards to protect the rights and freedoms of data subjects must still be applied to all ADM, irrespective of the data used. These include the provision of information about the decision-making; allowing for representations to be made; and enabling the data subject to obtain human intervention in those decisions and to contest them.
A decision will be automated if there is no "meaningful human involvement", and ministers will have powers to specify types of decision that will automatically have, or not have, "meaningful human involvement".
Purpose limitation. The Bill clarifies that the current controller's original purpose for processing is the relevant one, when considering whether further processing is compatible – not the original controller's purpose when they first collected data from the data subject. Subsequent controllers will therefore not be "tied" to the original controller's purpose, provided their processing is otherwise lawful.
Broad consent for research. The Bill will validate "broad consent" to scientific research processing, even if it does not specify the exact processing purposes (on the basis that it isn't possible to define these at the point of collection). This will cover both publicly- and privately-funded research, by both non-commercial and commercial organisations.
International transfers. When the Secretary of State is considering a third-country adequacy decision, they must apply a "data protection test": namely, whether that country's standards are "not materially lower" than the UK's. This is also the standard that organisations will need to apply when they carry out transfer impact assessments. The Secretary of State can consider the "desirability" of facilitating data transfers between the UK and a third country – opening the door to political and economic considerations.
Special categories of data. Ministers will be able to amend the list of "special categories" of personal data. Ministers can add to the list and can subsequently remove these additions, but cannot remove any existing categories listed in UK GDPR itself. The Government considers this to be an important measure to add flexibility for novel uses of data in new technologies.
Disproportionate effort exemption. This exemption from the need to provide fair processing information to data subjects would apply even when data is collected directly from the data subject. Safeguards should be applied – controllers will be required to take "appropriate measures to protect the data subject's rights, freedoms and legitimate interests", and will need to make the relevant notice available publicly, such as on their website. The Bill also sets out a non-exhaustive list of factors for determining whether "disproportionate effort" would be involved – for example, the number of data subjects involved and the age of the data.
Subject access requests. The Bill codifies the existing case law position that controllers need only carry out a "reasonable and proportionate" search in response to a subject access request ("DSAR"), and that the clock can be stopped while a controller seeks clarification from the data subject on a DSAR.
Cookies and PECR. The Bill will amend PECR to allow cookies to be placed on users' devices without user consent if those cookies are solely for analytics or user experience purposes, or to provide emergency assistance. Users must still be given information about the cookies and the purposes for which they have been placed, as well as an option to opt out.
Other changes
The Bill also contains provisions intended to spur wider use and commercialisation of data for economic growth and societal benefit, such as on smart data schemes and digital IDs. The smart data provisions are comparable to the measures found in the EU Data Act, but are broader in scope as the data sharing measures in the UK Bill are not confined to data from connected devices. Details of such schemes would be contained in future regulations.
What next?
As at December 2024, the Bill is at Committee stage, in which legislators will consider potential amendments. It looks likely that the Bill will ultimately pass into law sometime in the spring or early summer of 2025. Following this, we would expect to see a flurry of secondary legislation from the Government and guidance from the Information Commission, filling in the detail of the overarching frameworks created by the Bill
Article provided by INPLP member: Katie Hewson (Stephenson Harwood LLP, UK)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
