The Data (Use and Access) Bill
The UK’s third attempt to reform its data protection and privacy framework
Posted: November 11, 2024
The Data (Use and Access) Bill (DUAB), introduced in late October, represents the UK’s latest attempt to reform the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, Privacy and Electronic Communications Regulations (PECR), and other data and digital-related laws.
The Conservative government’s Data Protection and Digital Information Bill No. 2 (DPDIB) failed to pass before July’s general election. The DUAB represents a less radical approach to data protection and privacy reform, but the new bill retains many of the DPDIB’s proposals.
Here’s a look at how the DUAB retains some of the DPDIB’s key provisions, changes or drops others, and introduces new proposals to reform the UK’s data protection and privacy regime.
Which DPDIB provisions have been dropped from the DUAB?
The following provisions from the previous government’s DPDIB are not included in the new government’s DUAB:
- New “personal data” definition: A new test for establishing whether an individual is “identifiable” from a piece of information, and thus whether that information is personal data within the scope of the UK GDPR.
- Democratic engagement: A definition of “democratic engagement” to clarify which activities qualify. Processing for this purpose has also been dropped from the bill’s list of “recognized legitimate interests” (more on those below).
- Direct marketing: Extension of the “soft opt-in” to charities, political parties, and other non-profit organizations.
- Unlawful direct marketing: A requirement for communications service providers to report suspected unlawful direct marketing activity to the Information Commissioner’s Office (ICO).
- Data subject rights: Changing the threshold at which controllers may reject a data subject rights request, from “manifestly unfounded or excessive” to “vexatious or excessive”.
- Complaints to the ICO: Formally empowering the Information Commissioner to refuse to act on complaints unless the data subject had raised them with the controller or processor.
- UK representative: Removal of the requirement for controllers not established in the UK to appoint a UK representative under Article 27 UK GDPR.
- Senior responsible individual: Abolition of the Data Protection Officer (DPO) role, to be replaced by a “senior responsible individual” who would sit at senior management level.
- Record-keeping and risk assessment: Minor changes to the threshold and process for carrying out a Data Protection Impact Assessment (DPIA) and maintaining Records of Processing Activities (RoPA).
- Automated decision-making: A new government power to amend automated decision-making safeguards (most of the reforms in this area have been retained, as explained below).
- Strategic priorities for data protection: A requirement for the Information Commissioner to have regard to a “statement of strategic priorities” issued by the government.
- Codes of Practice: New powers for government ministers over data protection Codes of Practice.
- Storing and accessing information on devices: An exemption from PECR’s consent requirement for storing information on, or accessing information from, a user’s device in order to deliver certain software updates.
- Data for social security purposes: New government powers to require banks to provide data on accounts linked to benefit claimants for fraud detection purposes (the new government plans a separate Fraud, Error and Debt Bill covering this issue).
- Biometrics Commissioner: Abolishing the office of the Biometrics Commissioner and transferring oversight to the Investigatory Powers Commissioner.
- Surveillance Camera Commissioner: Abolishing the office of the Surveillance Camera Commissioner and repealing the requirement for a surveillance camera code.
Which DPDIB provisions remain in the DUAB?
Focusing on the provisions related to data protection and privacy, here are some of the proposed reforms from the last government’s DPDIB that have been revived via the current government’s DUAB:
- Scientific research: New definitions relating to scientific research, provision for “broad consent” to an area of scientific research where the specific purposes cannot be fully identified at the time of collection, and a new test for determining whether a new processing purpose is compatible with the purpose for which the data was originally collected.
- Recognized legitimate interests: A list of processing activities treated as a “legitimate interest” by default, so that controllers relying on this legal basis for them need not carry out the usual “balancing test” against data subjects’ interests, namely:
  - Disclosing personal data to a public authority
  - Safeguarding national security or protecting public safety
  - Responding to an emergency
  - Detecting, investigating, or preventing crime
  - Safeguarding vulnerable individuals
- Data subject rights:
  - Clarification of when the one-month period for responding to a request begins.
  - A requirement for controllers to tell data subjects the reasons for refusing a request and to inform them of their right to complain to the Information Commissioner.
  - A provision stating that controllers need only conduct a “reasonable and proportionate” search for personal data in response to a subject access request.
- Automated decision-making: Replacing Article 22 UK GDPR with new provisions that clarify what counts as a decision based “solely” on automated processing, set out the safeguards that must be in place for such decisions, and relax the restrictions where the decision does not involve “special category” data.
- International data transfers: A new “data protection test” for international data transfers, to be applied by:
  - The Secretary of State, when assessing the adequacy of third countries, and
  - Controllers and processors, when deciding whether to rely on a given transfer mechanism (in effect, a new framework for transfer risk assessments).
- Information Commission:
  - Replacing the ICO with a new “Information Commission”, comprising a CEO and a board of executive and non-executive directors.
  - An obligation for the Commission to have regard to certain priorities – such as promoting innovation, promoting competition, and safeguarding security – when preparing its strategic plans.
- PECR:
  - Aligning PECR’s maximum fines (currently £500,000) with the UK GDPR’s (up to £17.5 million or 4% of global annual turnover), with some exceptions.
  - Clarifying PECR’s rules on consent for cookies and similar technologies.
  - Introducing two new activities for which operators may rely on an “opt-out” rather than consent, if certain conditions are met: collecting statistical information to improve a website or app, and adapting websites for different displays.
  - Enabling emergency services to access a device’s precise geolocation when the user requests emergency assistance.
What’s new in the DUAB?
As we’ve seen, the DUAB would remove many of the Conservative government’s proposed reforms under the DPDIB, and retain others. The DUAB also introduces new proposals around “smart” and “open” data, and amendments to laws such as the Online Safety Act.
Few of the DUAB’s data protection and privacy clauses are entirely new rather than carried over from the DPDIB. Two that are:
- Special category data: The Secretary of State would have new powers to amend the UK GDPR’s “special categories of personal data” via secondary legislation. Currently, such amendments require primary legislation.
- Complaints to the Information Commissioner: The Information Commissioner would be empowered to refuse to act on, or to charge a fee for acting on, complaints from data subjects that are “manifestly unfounded or excessive”.
Some campaign groups have already argued that the bill would harm human rights.
However, the DUAB’s reforms to the UK’s data protection and privacy framework are clearly more moderate than the DPDIB’s, which may ease some observers’ concerns about the bill’s effect on the UK’s EU “adequacy decision” and on data subjects.