The Labour Government has introduced a new Data (Use and Access) Bill (Bill) which, if it becomes law, would make significant changes to the Data Protection Act 2018 (DPA), the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). Some of these changes were put forward by the previous Conservative Government in the form of the Data Protection and Digital Information (DPDI) Bill. The DPDI Bill fell before becoming law as a result of the recent UK general election. The new Bill moves forward with reforming data protection law in the UK.
This blog post will explore the Bill, its key features and how it could impact businesses in the UK.
Key Features
1. Changes to lawful bases of processing
Additional lawful basis for processing
Under the UK GDPR, you must have a valid lawful basis to process personal data. There are currently six lawful bases for processing:
- consent
- contract
- legal obligation
- vital interests
- public task
- legitimate interest
In addition to the above lawful bases, the Bill introduces a new lawful basis for processing:
‘processing necessary for the purposes of a recognised legitimate interest’
Recognised legitimate interests proposed are:
- disclosure for the purposes of processing described in Article 6(1)(e) UK GDPR (public task basis)
- national security, public security and defence
- emergencies
- detecting, investigating or preventing crime
- safeguarding vulnerable individuals
Normally, when relying on legitimate interests, a data controller is required to carry out what is known as a legitimate interests assessment (LIA). This requires the controller to consider and document whether the legitimate interests on which it seeks to rely outweigh the rights and interests of the data subject.
Under the Bill, when processing personal data on the basis of a new recognised legitimate interest, an LIA would not be necessary. It would remain necessary in relation to standard legitimate interests, however.
For certain businesses, and more so for public organisations, not having to carry out an LIA would reduce the administrative burden that data controllers are under.
Expansion of other ‘legitimate interest’ types of processing
“Standard” legitimate interests are not left unconsidered by the Bill. The Bill also adds a non-exhaustive list of examples of the types of processing that may be necessary for the purposes of a legitimate interest under the existing lawful basis.
These examples are:
- processing necessary for the purposes of direct marketing
- intra-group transfer of personal data necessary for internal administrative purposes
- processing necessary for the purposes of ensuring network and IT security
The intention here is to make it easier for businesses to identify and rely on legitimate interest as the lawful basis for their processing activities in the above areas.
2. Compatible purposes of processing
In the current version of Article 5, the UK GDPR sets out key principles that should lie at the heart of any processing of personal data. It is a breach of the UK GDPR if data controllers do not comply with these principles.
One of the principles is the purpose limitation principle.
In simple terms, the purpose limitation principle means that if a data controller collects personal data for one purpose and later wants to process this personal data for another purpose, it can only do so in the following scenarios:
- the new purpose is compatible with the original purpose
- the data subject gives consent for the new purpose
- the processing is in the public interest
When it comes to compatibility, the UK GDPR currently states that the following purposes should be considered de facto compatible with the original purpose:
- archiving purposes in the public interest
- scientific or historical research purposes
- statistical purposes
If the new purpose is not one of the three above, it could still be compatible – you would need to do a compatibility assessment to decide whether your new purpose is compatible with your original purpose (which the Information Commissioner’s Office (ICO) considers to be similar to a legitimate interests assessment).
The new Bill broadens the list of de facto compatible purposes by adding the following:
- protecting public security
- responding to an emergency
- protecting vital interests of data subjects and others
- safeguarding vulnerable individuals
- assessing or collecting a tax or duty or an imposition of a similar nature
- complying with a legal obligation of the controller under an enactment, a rule of law or an order of a court or tribunal
This would mean that data controllers would not have to do a compatibility assessment or obtain consent when processing personal data for the above-listed purposes.
3. Automated decision-making
The current approach under the UK GDPR limits the use of solely automated decision-making (ADM) for decisions that have a legal or similarly significant impact on individuals.
Article 22(1) UK GDPR states: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly affects him or her.”
The Bill eases the above general restriction on ADM, which is particularly relevant to businesses using AI systems, by permitting sole use of ADM for making decisions that have a legal or similarly significant impact on individuals.
However, the Bill sets out two restrictions on such use of ADM.
The first restriction is where the business is implementing ADM based (entirely or partly) on special category personal data.
Special category personal data includes:
- race or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data (where used for identification purposes)
- health
- sex life
- sexual orientation
A significant decision based entirely or partly on special category personal data may not be taken solely by ADM unless one of the following two conditions is met:
- the data subject gives their explicit consent
- the decision is necessary to enter into or perform a contract between the data subject and the controller or the decision is required or authorised by law (and that requirement is in the substantial public interest).
The other restriction is where the business relies on the new lawful basis of processing – recognised legitimate interest (discussed above). Using solely ADM for decisions that have a legal or similarly significant impact on individuals would not be allowed in this case.
The Bill also introduces new safeguards that controllers would be required to put in place in order to use ADM.
This shift could provide businesses with greater flexibility to adopt ADM, thereby facilitating the deployment of AI systems in various contexts. By reducing some of the regulatory burdens, the Bill encourages innovation and efficiency in how businesses process data and make decisions. However, it also underscores the necessity of implementing robust safeguards to protect individuals from potential harms associated with ADM.
4. Amendments to PECR
Cookies
PECR is a set of regulations that govern e-marketing and cookie use in the UK.
The Bill introduces new exceptions in which user consent to the use of cookies would not be required, in contrast to the existing position where it is required under PECR.
The Bill would permit the use of cookies for specific purposes without the requirement to obtain consent:
- to collect information for statistical purposes about how the service (or a website by means of which the service is provided) is used with a view to making improvements to the service (or the website)
- to enable the way the website appears or functions when displayed on the terminal equipment (the computer or mobile device on which the cookie is set) to adapt to the preferences of the user
These practical exceptions would be well-received by online service providers in the UK.
Fines
The Bill further proposes to strengthen enforcement powers under PECR by introducing fines for breaches of PECR equivalent to those under UK GDPR. Note that the UK GDPR sets a maximum fine of £17.5 million, or in the case of an undertaking, up to 4% of annual global turnover (whichever is greater).
5. Abolishment of the Information Commissioner
The supervisory body for data protection in the UK is currently the ICO, which is led by the Information Commissioner. All the notices, policies and other documents issued by the ICO are in the name of the Information Commissioner.
One of the more structural changes in the Bill is the proposed replacement of the traditional Information Commissioner role with a newly formed corporate body, the “Information Commission”. This shift would mean that all the powers that the Information Commissioner currently holds would be transferred to a corporate body. But this is not just a name change. The Bill gives more powers to the Information Commission, such as the power to require documents from data controllers and processors that the Commission reasonably requires for the purposes of carrying out its functions (this would amend section 142 of the DPA), or to interview controllers and processors under certain circumstances specified in the Bill.
The rationale behind this restructuring is to create a body better equipped to handle the increasingly complex and large-scale demands of data protection in the digital era. The new corporate model is expected to allow for broader expertise and potentially more consistent decision-making across different cases. While there is some anticipated efficiency in this collective approach, it also represents a significant cultural shift in how the UK’s data protection authority operates.
6. Data Subject Access Requests (DSARs)
Right to access
Under Article 15(1) of the UK GDPR, data subjects have the right to ask the controller to confirm whether it is processing their personal data and, if so, the right to access that personal data and other related information, such as the purposes of processing or the recipients to whom that personal data has been disclosed.
The Bill proposes to limit this right of access. Data subjects would only be entitled to confirmation as to whether their personal data is being processed, a copy of their personal data and other information (in response to their DSAR) that the controller is able to provide based on a “reasonable and proportionate search”.
This approach in the Bill aligns closely with the existing ICO guidance, so this is not a massive change but it should provide controllers with additional grounds to limit the scope of DSARs. By restricting access to only what can be retrieved through such a search, the Bill aims to alleviate some of the administrative burdens faced by data controllers when responding to DSARs. However, this limitation may raise concerns about transparency and the completeness of information provided to individuals. Ultimately, while the intention may be to streamline processes, careful consideration must be given to maintaining a fair balance between efficiency and individuals’ rights.
Direct complaints to controllers
Data subjects would have to file complaints directly with the data controller before escalating to the ICO. The controller would have to facilitate the making of complaints, such as by providing a complaint form which can be completed online and by other means. UK GDPR compliant privacy policies would then need to include additional wording to inform data subjects of their right to complain to the controller, with information as to how that right may be exercised.
7. Codes of conduct
Under the UK GDPR, trade associations and other bodies that represent controllers and processors in various UK sectors may draw up codes of conduct that address certain data protection issues specific to their sectors, such as fair processing or the exercise of people’s rights. The ICO generally encourages these bodies to produce codes of conduct, as this would help to build trust in the sectors’ ability to comply with data protection laws. However, no codes of conduct have been set out so far.
The Bill now introduces an obligation on the ICO to prompt the relevant bodies to produce codes of conduct. The idea is that these codes would serve as good practice for various sectors.
The Bill in this respect also amends the general obligations of the controllers and processors. Both controllers and processors would be required to adhere to a code of conduct approved by the ICO for their sector.
Conclusion
The Bill was introduced in the House of Lords on 23 October 2024. The second reading in the House of Lords is scheduled for 19 November 2024. Although it is still in its initial stages, we advise businesses to closely monitor the progress of the Bill and consider its potential impact on their projects. For further guidance on how these developments may affect your business, or on data protection law more generally, please reach out directly to our specialists Colin Lambertus or Neil Williamson.