In our article: data protection expectations for 2024, we hoped to see the Data Protection and Digital Information Bill (DPDIB) being granted Royal Assent and therefore becoming an Act of Parliament. However, due to the change in government as a result of the general election, parliament was dissolved and the DPDIB shelved for the time being. Now, the Labour government have introduced their own new data protection bill – the Data (Use and Access) Bill (DUAB) – which is currently making its way through parliament.
What are the DUAB’s proposals?
The DUAB seeks to simplify data protection law in the UK. It elaborates on some previous proposals provided for by the DPDIB, removes some controversial features, and introduces new provisions.
The key proposals include:
- relaxing existing rules in relation to automated decision making regarding personal data (it is not expected that there will be any impact on the rules for special category data);
- creating a new lawful basis for processing personal data titled a “recognised legitimate interest”;
- bringing the Privacy and Electronic Communications Regulations (PECR) enforcement regime in line with that of the General Data Protection Regulation (GDPR); and
- reforming the constitution of the Information Commissioner’s Office (ICO).
How will the DUAB change existing data protection legislation?
1. Smart Data Schemes
Part 1 of the DUAB focuses on the sharing of customer and business data. This will enable businesses to share information with one another, provided the customer has given their consent; this builds upon previous consultations which were carried out when the Conservatives were in government. The UK currently has a similar scheme in place with Open Banking but this new scheme will extend the ability for organisations to share personal data with one another in new and additional sectors such as utilities. If these schemes are put in place, consumers will find it easier to switch providers and should benefit from competitive prices.
2. Digital Verification Services
Digital Verification Services (DVS) are those services which are able to verify a person’s identity and are often used by various businesses and institutions. Part 2 of the DUAB provides that the Secretary of State will prepare a trust framework of rules regarding the use and provision of DVS. The services will need to be verified and will be provided with a relevant trade mark to signify they are certified. These certified services will be featured on a publicly available register, providing some comfort to data subjects whose personal data will be processed by businesses using such services.
3. Privacy
Part 5 of the DUAB looks to make the most changes to the data protection legislation and frameworks we are familiar with. Definitions within the GDPR will be amended so that data can be more easily used for research purposes, and specific articles relating to the use of automated processing and decision making will be tweaked so as to relax restrictions (unless dealing with special category data as mentioned above). It’s also proposed that a new “recognised legitimate interest” will be introduced which will cover legitimate interests such as disclosure to a person carrying out a public interest task, safeguarding national security, protecting public security and defence purposes, and in response to an emergency as defined in the Civil Contingencies Act 2004. This list will also be able to be expanded by the Secretary of State via further regulations.
The DUAB will also increase fines for any breaches of the PECR which cover areas like marketing and cookies. These fines would now be similar to those imposed under the GDPR.
4. Information Commissioner
Part 6 of the DUAB proposes changes to the ICO. Instead of the corporation-like body we currently have in place, the DUAB proposes that a new statutory body corporate known as the “Information Commission” be introduced. The DUAB also proposes changes to the way in which the ICO exercises its powers. The ICO has published a response to the draft DUAB, agreeing with its reforms, and stating they believe it will enhance regulatory effectiveness.
The above provides a brief summary of some of the key changes we expect to impact ordinary businesses and their use of data. However, the DUAB is wide-ranging and also includes proposals regarding updating the register of births and deaths so it is solely electronic and upgrading the safety and efficiency of underground electrical assets. It’s worth noting that the DUAB has so far had a favourable reception.
When will we see the changes come into effect?
The DUAB has received its second reading within the House of Lords and is now at the first committee stage. We still have a bit of a wait before it becomes law, if it succeeds in doing so.
Our data protection team will continue to monitor the DUAB’s progress and provide updates on any major changes.
If you would like to learn more about how data protection has changed in 2024 and our expectations for 2025, along with further information regarding the DUAB, please contact us or sign up here to register for our free webinar.