The Data (Use and Access) Bill (DUA Bill) was introduced into the House of Lords on 23 October 2024. It revives some (but not all) of the proposed changes to data protection law under the former Conservative Government’s Data Protection and Digital Information Bill (DPDI Bill, which was changed for a few months to DPDI 2, before going back to DPDI).
Here’s my comparison of the (later versions of the) DPDI Bill and DUA Bill using the topics from my newsflash of 14 March 2023.
TOPIC | DPDI/DPDI 2 Bill | DUA Bill |
---|---|---|
Lawful basis for processing (Article 6 UK GDPR) | In addition to the existing six lawful bases, there will be a new one (Article 6(1)(ea)): ‘processing is necessary for the purposes of a recognised legitimate interest’. A new Annex 1 to the UK GDPR contains a list of such recognised legitimate interests including: There is also a new list of examples of the types of processing that may be necessary for the purpose of a legitimate interest under the existing lawful basis 6(1)(f) (reflecting existing Recitals 46, 47 and 49 of the UK GDPR): | These changes are included. |
Compatible purposes of processing (Article 5(1)(b)) | A new Annex 2 to the UK GDPR will list purposes of data processing which are considered ‘compatible’ with the purposes of collection of personal data. These include: | These changes are included. |
Vexatious requests from data subjects (new Article 12A UK GDPR) | The ‘manifestly unfounded or excessive’ exemption to requests from data subjects (previously Article 12(5)) is to be replaced with an exemption for ‘vexatious or excessive’ requests. Examples of vexatious requests include those intended to cause distress, those not made in good faith, or those which are an abuse of process. | These changes are NOT included. |
Clarifying subject access requests and searching for data (Article 15 UK GDPR) | A new Article 12B allows controllers to clarify a SAR ‘where the controller reasonably requires further information to identify the information or processing activities to which a request…relates’. This expands the current ‘large quantities of data’ rule (in Recital 63), as holding a large amount of data is now just an example of when clarification may be sought. The House of Lords also made an amendment such that a “reasonable and proportionate” search is required. | These changes are included. |
Automated decision-making (Article 22 UK GDPR) | There will be fewer restrictions on solely automated decision-making, though safeguards must still be in place. The main restrictions will be on solely automated decisions based on special category data, or which rely on the new lawful basis of a ‘recognised legitimate interest’ (as raised in the first row above), though safeguards must be in place for all solely automated decisions involving personal data. The provisions only apply where the decision is a ‘significant decision’, producing a legal effect or ‘similarly significant effect’ for the individual. Regulations may specify specific situations which have (or do not have) a similarly significant effect. In considering whether there is meaningful human involvement in a decision, a person must consider the extent to which a decision is reached by means of profiling (in other words, automated processing to evaluate individuals). Regulations may be made to describe cases where there is (or isn’t) meaningful human involvement. | These changes are included. |
Some fun relabelling: DPIAs, DPOs, ROPAs, ICO | There is some substance to these name changes too, aimed at reducing the burdens on organisations in complying with these requirements. | The provisions on assessments of high risk processing, senior responsible individuals and records of processing are NOT included. The provisions on the new Information Commission are included. |
International Data Transfers (Chapter V UK GDPR) | Schedules 5 to 7 to the Bill contain lots of stuff on international data transfers (IDT). The aim is to enable the UK government to take a risk-based approach to assessing adequacy of other countries, and to allow data exporters to act pragmatically and proportionally when using alternative transfer mechanisms (though the key transfer mechanisms appear to remain the same as under current law). Schedule 7 (transitional provisions) contains some additional provisions relating to the continuation of ‘pre-commencement’ transfer mechanisms. | These changes are included (in Schedules 7 to 9). |
Direct marketing rules under PECR | Under current law, an organisation can use ‘soft opt-in’ rules as an alternative to seeking consent to sending direct marketing communications by email or SMS. These rules apply to the marketing of the organisation’s own goods or services, where contact details have been obtained in the course of previous sales (or negotiations to sell) goods or services to the recipient (and provided certain other conditions are satisfied). These rules therefore exclude organisations which do not sell goods or services, such as charities, political organisations and other non-commercial organisations. DPDI 2 expands the scope of the ‘soft opt-in’ rules such that non-commercial organisations can use them to send marketing emails or SMSs relating to their non-commercial objectives. | These changes are NOT included. |
Cookies rules under PECR | There will be new circumstances in which consent to the use of cookies is not required. The Explanatory Notes to the Bill explain that these are purposes which ‘are considered to present a low risk to people’s privacy’. | Similar changes are included, though there are differences to the wording in a new Schedule A1 (that I will need to read in more detail). |
Use of personal data for statistical, scientific or historical research purposes (Article 89) | There has been a lot of commentary on DPDI provisions relating to use of data for research and statistical purposes. This purpose of processing is an exception to many rules under the UK GDPR. These exceptions should not be overused, particularly as they limit the application of data subject rights. DPDI 2 clarifies the meanings of “scientific research”, “historical research” and “statistical purposes”. A key clarification in DPDI 2 (which was not in DPDI 1) is that something can be scientific research whether carried out as a commercial or non-commercial activity. DPDI 2 also introduces new safeguards for processing of data for research purposes, which replace the existing safeguards under Article 89 UK GDPR. | These changes are included. |
UK-based representative (Article 27 UK GDPR) | Under the current UK GDPR, controllers and processors may be subject to UK requirements if they are not established in the UK, but are targeting UK data subjects (to sell them goods or services, or to monitor their behaviour). Under Article 27, such organisations are required to appoint a representative within the UK. The DPDI 2 Bill removes this requirement for a representative. | These changes are NOT included. |
The DUA Bill is available here.
Olivia Whitcroft, principal of OBEP, 25 October 2024
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details