The Data (Use and Access) Bill (DUA Bill) proposes several reforms to the UK’s data protection framework and is expected to receive Royal Assent later this year. The House of Commons’ decision not to include amendments proposed by the House of Lords, which were intended to ensure that operators of web-crawlers comply with UK copyright law, has led to a wave of calls for the Government to reconsider its position. At the time of writing, we wait to see whether the Government will revise its position.
In the meantime, in this article, we look more closely at some of the key changes which the DUA Bill will introduce to UK data protection law.
Key changes to data protection law introduced by the DUA Bill
1. Examples provided of “legitimate interests” for processing
The DUA Bill recognises that organisations are unsure about whether their purpose for processing will constitute a “legitimate interest”, which is one of the six lawful bases for processing personal data under UK GDPR. A new Article 6(11) sets out a non-exhaustive list of examples of activities which are more likely to constitute a legitimate interest.
The examples include processing that is necessary for direct marketing, intra-group transmission of personal data where necessary for internal administrative purposes, and processing necessary for the purpose of ensuring the security of network and information systems.
2. “Recognised legitimate interests” as a new lawful ground for processing
The DUA Bill also introduces a new lawful ground for processing. Under UK GDPR, data controllers are required to conduct a balancing test to determine if their legitimate interest in processing an individual’s personal data is overridden by the individual’s rights and interests. Following the DUA Bill, if processing is necessary for the purposes of a “recognised legitimate interest”, then data controllers will not need to conduct a balancing test.
Examples given of recognised legitimate interests include where the processing is necessary for the purposes of national security, public security and defence, responding to an emergency, detecting, investigating and preventing crime and safeguarding vulnerable people.
3. Processing for the purposes of scientific research
Scientific research is a special purpose that is granted various exemptions under UK GDPR. The DUA Bill introduces a broader definition of scientific research, to include research that “can reasonably be described as scientific”. It does not matter whether the research is publicly or privately funded or whether it is carried out as a commercial or non-commercial activity.
4. Relaxing the rules regarding automated decision-making
Automated decision-making is the process of making a decision by automated means, without any human involvement. Whilst this can bring benefits such as increased efficiency, the current UK GDPR prohibits automated decision-making other than in a few specific cases.
Under the DUA Bill, the current prohibition is relaxed (provided that suitable safeguards are in place) to only apply where special category data is involved.
5. Relaxing the rules regarding international data transfers
The DUA Bill introduces changes that will enable personal data to flow more easily from the UK to other countries that offer the same level of protection. The Secretary of State will use a new “data protection test” to assess the standard of data protection in another country in the context of international transfers. The test looks to ensure that the level of protection in that country is not “materially lower” than in the UK.
The test will consider the wider context of the data transfer between the UK and another country, and how the data transfer may benefit the UK.
6. A new process for submitting complaints
The DUA Bill provides greater clarity for organisations regarding how to respond to complaints.
Organisations must put a complaints process in place, and data subjects must submit their data protection related complaints to the organisation in the first instance. The complaint can only be escalated to the Information Commissioner if it has not been addressed adequately by the organisation.
7. A new process for responding to data subject access requests (DSARs)
The DUA Bill sets out an “applicable time period” and procedure for responding to DSARs in certain circumstances; for example, an extension may be necessary due to the number of requests a data subject has submitted, or where the data controller requires further information to proceed with the response.
The DUA Bill also clarifies that controllers only need to carry out “reasonable and proportionate” searches for information and personal data in response to a DSAR. This seeks to reduce the administrative burden and cost of responding to a DSAR.
8. Increased fines for e-privacy breaches
The DUA Bill proposes an increase in potential fines for breaches of the Privacy and Electronic Communications Regulations, including cookie and e-marketing breaches (such as predatory marketing calls which often target those at most risk of harm). Currently, the penalties for such breaches are limited to a maximum of £500,000. The DUA Bill increases these fines to align with the maximum under the Data Protection Act 2018 and UK GDPR, meaning that breaches can incur a penalty of up to £17.5 million or 4% of global turnover.
9. Relaxation of cookie consent requirements
The DUA Bill includes updates to the consent requirements for storing information on, or accessing information stored on, people’s terminal equipment (the ‘cookies’ rule). This seeks to simplify the cookie regime, as it means that organisations need consent for fewer cookies that serve low-risk purposes. This should reduce consent fatigue and allow organisations to more easily collect information for statistical purposes and to improve their websites.
Examples of where cookies can be used without consent are to prevent or detect fraud or technical faults in connection with the provision of the service requested, to collect information for statistical purposes to make improvements to the service or to provide emergency assistance.
Conclusion
The Government’s objective with the DUA Bill has been to balance a pragmatic approach aimed at easing compliance burdens for organisations and the public sector whilst not presenting a risk to the UK’s adequacy status for data flows between the UK and the EU. The UK’s supervisory authority, the Information Commissioner’s Office, has welcomed the proposed changes and the Commissioner has confirmed that, in his view, “the proposed changes in the Bill strike a positive balance and should not present a risk to the UK’s adequacy status”.
For further advice on the proposed changes to UK GDPR, or more generally in relation to data protection law compliance, please contact Anne Todd, Moya Smith or other members of our Data Protection & Privacy team. We also offer a range of data protection training which can be tailored to meet your requirements.
This article is for general information only and does not, and is not intended to, amount to legal advice and should not be relied upon as such. If you have any questions relating to your particular circumstances, you should seek independent legal advice.