The UK Government has published a new bill that will make changes to data protection and ePrivacy law. The Data (Use and Access) Bill (DUAB) also makes changes to the laws in relation to digital identity and verification. In this update we summarise the key changes that the bill will make to data protection law.
Background
In June 2022, the previous Government introduced the Data Protection and Digital Information Bill (DPDIB), which proposed wide-ranging changes to UK data protection law. Progress of the Bill stalled in September, with a new DPDIB being introduced in March 2023. That Bill made slow progress through Parliament and did not make it into the wash-up process prior to the General Election.
What will the Data (Use and Access) Bill do?
The DUAB proposes a number of amendments to data protection law, including UK GDPR and Parts 3 and 4 of the Data Protection Act 2018 (which deal with processing for purposes of law enforcement and by intelligence services).
The amendments are not as wide-ranging or radical as the changes that were proposed by the previous Government in the DPDIB. Instead, many of the changes that are being proposed seek to clarify rather than reform the existing law.
The DUAB will also make changes to ePrivacy laws and reform the Information Commissioner's Office.
I'm a data protection officer. Will I still have a job?
Yes. Unlike the DPDIB, the DUAB does not propose abolishing the role of the data protection officer. GDPR accountability concepts such as DPIAs, registers of processing activities and DPOs will remain a part of the compliance framework under UK data protection law.
While the key features of the GDPR compliance framework remain, this does mean that the role of a Senior Responsible Individual (as proposed in the DPDIB) will not be taken forward. Smaller organisations that require a DPO, in particular small public authorities, will therefore continue to face challenges in relation to how they fulfil that role.
What other changes does the DUAB make to data protection law?
The DUAB retains a number of amendments and clarifications that were proposed in the DPDIB. These include:
- Research - clarifications and amendments in relation to processing of personal data for research purposes, including the application of the purpose limitation to research activities
- Legitimate interests - the "whitelisting" of certain activities as being deemed legitimate interests (though a narrower list than that set out in the DPDIB)
- Data subject requests - expressly stating that controllers need only carry out reasonable and proportionate requests and that controllers can wait until they have verified the identity of the requestor before the time period for responding commences (formalising the position set out in the ICO's guidance)
- Automated decision making - the DUAB retains and builds upon the proposed amendments in the DPDIB in relation to Article 22 of UK GDPR. These amendments will be particularly relevant to the use of AI, with the Secretary of State getting new powers to introduce additional safeguards.
- International transfers - the DUAB retains the proposed amendments in the DPDIB in relation to a risk-based approach to assessing adequacy
- Complaints - the DUAB retains the proposed amendments in the DPDIB in relation to the complaints processes that controllers must adopt
In relation to data subject requests, the DUAB does not contain the proposal in the DPDIB to replace the concept of "manifestly unfounded or excessive" requests with "vexatious" requests.
In addition to including a number of amendments that formed part of the DPDIB, the DUAB also proposes amendments in relation to processing of special category data, including powers for the Secretary of State to add or remove processing activities from the scope of special category data.
What changes are being made to ePrivacy laws?
The DUAB makes a number of amendments to the Privacy and Electronic Communications Regulations, including reforming the rules on the use of cookies and similar tracking technologies. These amendments include permitting organisations to deploy first party analytics tracking without the need to obtain prior consent from users.
The enforcement powers that apply under the 2018 Act (including powers to issue monetary penalties) will also be extended to breaches of the Privacy and Electronic Communications Regulations.
However, the DUAB does not contain the provisions from the DPDIB that would have given political parties, elected representatives, charities and not-for-profits broader rights to send electronic marketing. This means the soft opt-in will not be extended to charities and non-commercial organisations.
What is happening to the Information Commissioner?
As with the DPDIB, the DUAB proposes to reform the office of the Information Commissioner. The Commissioner will be replaced by a new body called the Information Commission.
The DUAB retains many of the DPDIB's proposed amendments to the ICO, but does not include the more contentious provisions that would have given the Secretary of State the power to designate the Commissioner's strategic priorities and to make recommendations in relation to codes of practice.
Next steps
The DUAB had its first reading in the House of Lords on 23 October 2024. You can find the Bill homepage on the UK Parliament website.
We will track the DUAB's progress through Parliament, including any amendments that are made to the DUAB.
We will also be covering the DUAB at our next Data Protection Update webinar on 28 November 2024.