The UK’s Data (Use and Access) Bill (DUA Bill) was recently introduced into Parliament for its first reading. The DUA Bill seeks to bring a series of significant changes to data management, access, and privacy regulations, with a focus on modernising public service operations, strengthening data privacy frameworks and enhancing UK regulatory powers of enforcement. The DUA Bill also seeks to update the Privacy and Electronic Communications Regulations (PECR), a legacy piece of legislation derived from EU law that governs electronic marketing, cookies and similar technologies.
Here are some of the key changes proposed by the DUA Bill and what they mean for businesses operating in the UK:
- Enhanced data access for public services: The DUA Bill promotes streamlined data sharing among public bodies, like the National Health Service (NHS) and the police, to boost efficiency and reduce time-consuming administrative processes. For instance, healthcare providers will gain real-time access to necessary data, enabling more timely responses and potentially better service delivery.
- Privacy standards for data-driven research: The DUA Bill introduces a “researcher data access regime” to permit ethical data access for research, with specific privacy protections in place. This allows for the use of personal data in scientific research while safeguarding against unauthorised or excessive data usage, supporting innovation without compromising privacy.
- Digital verification services: The DUA Bill provides a framework for digital identity verification, allowing secure and reliable digital ID solutions across sectors. This aims to create interoperable systems that protect user data while easing identity verification processes for businesses and public services.
- Privacy notices: The DUA Bill removes the obligation on businesses to provide privacy information to individuals under Articles 13 and 14 (e.g., via a privacy notice) if providing this information is “impossible or would involve disproportionate effort”. Whether providing the information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing. However, businesses would still be responsible for taking appropriate measures to protect the data subject’s rights, freedoms and legitimate interests (for example, by making the information available publicly).
- Legitimate interests: The DUA Bill seeks to refine and expand upon the circumstances in which businesses can rely on legitimate interests as a ground for processing personal data. Examples include processing that is necessary for the purposes of direct marketing (e.g., for legitimate business communications under PECR); intra-group sharing of personal data which is necessary for internal administrative purposes; and processing that is necessary for the purposes of ensuring the security of network and information systems. The DUA Bill also introduces the concept of ‘recognised legitimate interests’ which recognises the lawful processing of personal data for purposes of national security, emergencies, crime and safeguarding vulnerable people.
- Cookie consent: The DUA Bill relaxes the requirement on businesses to obtain consent for non-intrusive cookies, such as those used solely for website functionality or analytical purposes, so long as they do not track user behaviour across websites. This relaxation aims to reduce the frequency of cookie pop-ups for UK users, aligning with user-friendly practices similar to those in the EU’s ePrivacy regulation reforms.
- Creation of the Information Commission: The Information Commissioner’s Office (ICO) and the statutory role of the Information Commissioner (currently held by John Edwards) will be abolished and replaced by the Information Commission, a corporate body that will likely be overseen and influenced by the government in a similar manner to the Financial Conduct Authority and the Competition and Markets Authority.
- Complaints procedure: In an attempt to reduce the number of complaints reaching the UK ICO, complaints by data subjects must first be made to the data controller. The DUA Bill requires businesses to facilitate the making of complaints by taking steps such as providing a complaints form. Furthermore, businesses will be required to acknowledge receipt of a complaint within 30 days and to investigate and respond to it without undue delay. These requirements are likely to reflect what is already common practice for most businesses, but having a formal process in place will be important, particularly as the DUA Bill seeks to hold controllers accountable for managing complaints and could require controllers to notify the ICO of the number of complaints received in a specified period.
- Enforcement powers: The ICO is granted expanded enforcement capabilities for PECR violations, including higher fines for serious non-compliance, particularly where automated or unsolicited communications are used. Currently, the maximum fine the ICO can impose under PECR is £500,000. Bringing the potential fines for infringements of PECR in line with the level of fines under the UK GDPR is part of a broader push to ensure robust privacy protection in line with ICO enforcement trends.
Perhaps unsurprisingly, the changes proposed by the DUA Bill remain closely aligned with the EU’s rules. That alignment will be an important factor if the UK wants to keep its adequacy decision with the EU, which currently allows personal data to pass freely between the EU and the UK. The adequacy decision is due to be reviewed by the European Commission in 2025, so the timing and nature of the DUA Bill are significant.
The DUA Bill is at the early stages of the legislative process and could be amended as it passes through the House of Lords and the House of Commons before being enacted into UK law. The original blog post was written by Selina Clifford and Nick Phillips of Ally Law member firm Edwin Coe LLP.