How will the Data (Use & Access) Bill change data protection laws in the UK?

The Data (Use & Access) Bill (DUA Bill) was introduced to Parliament on 23 October 2024 and is currently awaiting parliamentary approval, which is expected in May 2025. The DUA Bill seeks to reduce the burden of existing data protection laws in the UK. In this article we summarise 5 key changes that will take effect if the DUA Bill receives Royal Assent in its present form:

  1. International data transfers – the DUA Bill offers organisations a more flexible mechanism for international data transfers by allowing data transfers to countries where the standard of protection is “not materially lower” than that in the UK. It is likely the UK courts will sculpt their own test for measuring a third country’s level of data protection. 
  2. Data Subject Access Requests (DSAR) – the DUA Bill codifies existing guidance from the Information Commissioner’s Office on conducting DSARs by requiring organisations to carry out “reasonable and proportionate” searches when responding to DSARs. This seeks to reduce the administrative burden and cost of responding to demanding DSARs.
  3. A new lawful basis (“recognised legitimate interests”) – the DUA Bill introduces “Recognised Legitimate Interests” as a new lawful basis for processing personal data, which can be relied on by private organisations pursuing specific interests such as emergencies, crime prevention, safeguarding vulnerable individuals, public safety and national security. Under the current version of the DUA Bill the “recognised legitimate interests” basis does not require organisations to conduct an initial legitimate interests assessment, unlike the existing “legitimate interests” basis. It appears that the new legal basis will not extend to public authorities and, therefore, can only be relied on by private organisations.
  4. Cookies & similar technologies – the DUA Bill will remove the requirement to obtain user consent for use of certain non-essential cookies and other similar tracking technologies, provided certain conditions are met. For example, cookies used for statistical data collection and website improvement will be exempt from the consent requirement if users are informed of their purpose and can easily opt out in practice. 
  5. PECR fines for non-compliance – fines for non-compliance with the Privacy & Electronic Communications Regulations (which govern direct marketing and cookies) are set to increase, bringing penalties in line with UK GDPR. The DUA Bill proposes to sanction fines of up to 4% of global turnover or £17.5 million, whichever is higher, meaning infringements of PECR are likely to get a lot more costly for businesses.

The DUA Bill is wide-ranging and proposes to make other interesting changes to existing data protection laws in addition to those set out above. Broadly speaking, the aim of the DUA Bill is to reduce compliance burdens for organisations and drive data-related services. Once passed, we can expect some of the changes to come into effect immediately, but the majority of changes are likely to come into force 6-12 months after the date it receives Royal Assent.

At present it is unlikely that the changes the DUA Bill proposes to make will threaten the EU’s adequacy decision in respect of the UK’s data protection framework, given that the DUA Bill does not appear to radically transform existing data protection rights or the data risk management procedures organisations are required to comply with. If the EU does not renew its adequacy decision in respect of the UK later this year, this will counteract the economic benefits the DUA Bill is intended to usher in, as organisations looking to transfer personal data from the EU to the UK will likely incur higher compliance costs due to the restrictions EU data protection law will impose on the international transfer of personal data.

How Moore Barlow can help

Protecting your business and its assets is essential. You will also want to ensure consistency of approach across your whole business at both a corporate and operational level. You may also need support with specific requirements affecting your business sector such as regulatory issues governing financial services, healthcare, or operating an outsourced or franchised business.

If you want a professional and personal service from experienced commercial and technology lawyers, Moore Barlow are here to help.