What's changing and what's the same in the UK's Data (Use and Access) Bill from a GDPR compliance perspective? (2024)

If you're a business operating across Europe including the UK, what do you need to know about proposed UK data protection reform following the introduction of the Data (Use and Access) Bill (DUA) to Parliament? The overriding message is that much of the UK GDPR will stay the same as the EU GDPR. The more significant reforms proposed under the previous UK government in its Data Protection and Digital Information (DPDI) Bill have been dropped so the UK will still adopt the EU position on, for instance, appointing Data Protection Officers and documenting Record of Processing Activities.

But there are certain aspects of the UK GDPR that this latest Bill intends to amend and we set out a summary of the main areas below. Please see our articlefor commentary on the approach that the Bill takes on processing for research purposes including around purpose limitation and transparency.

Lawful bases

It would be a brave UK government to introduce wholly novel lawful bases under Articles 6 and 9 of the UK GDPR. What we have instead is one example of a bit of tinkering around the edges, and one example of providing reassurances (clause 70).

The tinkering around the edges relates to Article 6(1)(e) where the proposed new wording (new wording in bold) is: "processing is necessary for the performance of a task of the controller carried out in the public interest or a task carried out in the exercise of official authority vested in the controller".

This amendment makes it clear that the task carried out in the public interest must be that of the controller – in other words it cannot be another controller's task.

The reassurances are focused on reliance on certain examples of legitimate interest. The DUA Bill amends Article 6 UK GDPR to permit controllers to rely on "recognised legitimate interests" listed in Annex 1. Annex 1 is set out in Schedule 4 of the Bill. The real benefit here is that if you can point to one of these recognised legitimate interests for your processing, you are not expected to carry out a legitimate interest assessment. The recognised legitimate interests cover relatively discrete circumstances and are:

  • making a disclosure to a controller who needs to process that data for their task in the public interest or exercise of their official authority where the controller has requested that data
  • safeguarding national security or protecting public safety
  • responding to an emergency
  • detecting, investigating or preventing crime or apprehending or prosecuting offenders
  • safeguarding vulnerable individuals.

The DUA Bill has left out the legitimate interest of "democratic engagement" included in the DPDI Bill. The DUA Bill gives the Secretary of State the power to vary the recognised legitimate interest grounds but they must go through a specific process to do so, including that the addition to Annex I must be necessary to safeguard a public objective identified in particular parts of Article 23 UK GDPR.

The DUA Bill also includes a list of types of processing that are examples that may be considered processing necessary for the purposes of legitimate interest which are:

  • direct marketing
  • intra-group sharing of data for internal administrative purposes, and
  • processing to ensure network and information security.

These examples all come from recitals 47-49 of the EU GDPR, so that the amendment here simply lifts those concepts into the main body of UK law.

Special category data

The Secretary of State under clause 74 has the power to issue new regulations to add new special categories of data to Article 9 UK GDPR. The regulations may also tailor the conditions applicable to the use of such data and add new definitions. In the explanatory notes accompanying the Bill this is justified as a way for "Government to rapidly respond to future technological and societal developments". The Secretary of State may also remove categories of special category data although the power cannot be used to remove any of the pre-existing Article 9 categories i.e. those fundamental to the EU GDPR.

DSARs

While the DUA Bill does not include the ability for controllers to refuse to respond to data subject access requests (DSARs) because they are considered to be vexatious (a provision from the DPDI Bill), it does include certain provisions dealing with applicable time periods and the scope of the search in response to a DSAR.

The amendments in clause 76 introduce a new Article 12A into the UK GDPR which establishes a more specific outline of time periods for handling a DSAR depending on whether the controller requires confirmation of the requestor's identity and/or further information about the processing activities under the DSAR. It will be music to the ears of controllers that the Bill states that an example of a "case in which a controller may require further information is where the controller processes a large amount of information concerning" a requestor.

An additional comfort for controllers formulating their approach to responding to DSARs, is that the Bill (at clause 78) confirms that the "data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information". In other words, the controller will be able to point to statutory underpinning on the parameters of the search they conduct, rather than just guidance from the regulator.

Solely automated decision-making

One of the more topical areas where the DUA Bill's proposals differ from the EU GDPR relates to the provisions around solely automated decision-making. The DUA Bill (clause 80) intends to replace Article 22 (which deals with automated individual decision-making) in full with new Articles 22A – 22D.

The amendments deliberately enable automated decision-making involving personal data to be more flexible under the UK GDPR than under the EU GDPR – essentially the stricter regime would only apply to processing involving special category data. The Bill also introduces new terminology – a "significant decision" and "meaningful human involvement" – as well as defining what a decision based solely on automated processing is. The definition of "significant decision" follows the EU GDPR concept closely i.e. a legal effect or similarly significant effect on the individual. Meaningful human involvement is a new concept. The recitals to the EU GDPR refer to "human intervention" (recital 71) but not a threshold by which human action becomes meaningful.

Under the DUA Bill, when considering whether there is meaningful human involvement in taking a decision (which would mean it is not 'solely' automated), a person must look at, among other things, the extent to which the decision is reached by means of profiling. A decision will be based solely on automated processing if there is no meaningful human involvement in taking it. This means that organisations looking to avoid the application of Article 22A-22D will need to be able to demonstrate that there is meaningful human involvement.

Article 22B stipulates that a significant decision based entirely or partly on processing special categories of data may not be taken based solely on automated processing unless:

  • the individual has provided explicit consent for all the processing, or
  • the decision is necessary due to a contract between the individual and a controller and the processing must also be necessary for substantial public interests under UK law i.e. as set out in Data Protection Act 2018 Schedule 1 Part 2. This echoes aspects of the EU GDPR Article 22 as it applies to special category data, or
  • the decision is required or authorised by law.

The big difference here is that personal data that is not special category data is not subject to the restrictions in Article 22B. In fact, solely automated decision-making involving personal data could potentially take place on the basis of legitimate interests. However a significant decision may not be taken based solely on automated processing if the processing of personal data carried out by the decision-maker is carried out entirely or partly in reliance on a recognised legitimate interest (Article 22B (4)).

Article 22C sets out the safeguards for solely automated significant decision-making involving personal data (so not just special category data), and this requirement actually goes wider than the similar provision under Article 22(3) EU GDPR since the safeguards in the DUA Bill apply in all cases of significant decisions. Here the controller must ensure safeguards are in place for the rights, freedoms and legitimate interests of the individual which involves providing information to affected individuals about the decisions taken, enabling such individuals to make representations about the decisions, enabling human intervention, and enabling the individual to contest the decisions.

The Secretary of State has further specific powers around automated decision-making. So they can issue regulations:

  • to indicate decisions which do or do not involve meaningful human involvement
  • to provide a description of a decision which is or is not to have a similarly significant effect for an individual
  • about requiring safeguards to include certain measures, and imposing requirements about what safeguards must consist of or include, and about measures which are not to be taken to satisfy the safeguards required.

International data transfers

Like the DPDI Bill the DUA Bill also introduces a schedule (Schedule 7) to amend Chapter V of the UK GDPR where the rules for international data transfers are set out. Big picture – the Bill removes the current Articles 44 and 45 and replaces them, and Articles 46 and 49 are amended. A number of the amends are simply to give the drafting a UK flavour e.g. adequacy regulations not adequacy decisions, and provide a more logical structure to the options available to businesses when considering making a data transfer.

However, the Bill also introduces the new 'data protection test' which the Secretary of State considers in order to decide whether a recipient country or organisation is adequate. The data protection test differs from the adequacy assessment under the EU GDPR in that the Secretary of State is considering whether or not the standard of protection provided to individuals in the recipient country in question is materially lower than the standard under UK law. In considering whether the data protection test is met, the Secretary of State can also take account of certain factors including the constitution, traditions and culture of the third country. The explanatory notes to the DUA Bill make the point that the UK recognises that "other countries' data protection regimes will not be identical to the UK's in form and differences may exist given the cultural context of privacy". Additionally, the explanatory notes indicate that the Secretary of State will also need to consider the laws and practices in the third country regarding public authorities' access to personal data for national security or law enforcement purposes.

The Secretary of State is also required to constantly monitor the situation in a third country where adequacy has been awarded under UK law in case they need to amend or revoke their regulations. Amendments to Article 46 don't substantially change the approach to reliance on appropriate safeguards, although the amendments expect the organisation making the data transfer to assess that the data protection test is met i.e. a Schrems II-like assessment.

New Article 45A gives the Secretary of State the discretion to make adequacy regulations having had regard to any matter which they consider relevant, including the desirability of facilitating transfers to and from the UK. This hints at circumstances where, perhaps for political or economic reasons, the UK government may wish to award a country adequacy. New Article 47A allows the Secretary of State to issue regulations to specify standard data protection clauses which secure meeting the data protection test. New Article 49A allows the Secretary of State to issue regulations restricting the transfer of a category of personal data to a third country where they consider the restriction to be necessary for important reasons of public interest. While this Article is new, it doesn't reflect a significant change since this provision already exists under s18(2) of the Data Protection Act 2018.

What does this mean for you?

The UK data protection regime is going to change but many of the more cosmetic changes under the DPDI Bill have gone, as have some of the more controversial ones. As a result, the DUA Bill is expected to have a fairly smooth passage through Parliament, particularly as much of it has already been debated in the form of the DPDI Bill. But perhaps more importantly, the DUA Bill is unlikely to threaten the EU-UK adequacy arrangements for the purposes of data transfers.

What's changing and what's the same in the UK's Data (Use and Access) Bill from a GDPR compliance perspective? (2024)

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Melvina Ondricka

Last Updated:

Views: 6361

Rating: 4.8 / 5 (68 voted)

Reviews: 83% of readers found this page helpful

Author information

Name: Melvina Ondricka

Birthday: 2000-12-23

Address: Suite 382 139 Shaniqua Locks, Paulaborough, UT 90498

Phone: +636383657021

Job: Dynamic Government Specialist

Hobby: Kite flying, Watching movies, Knitting, Model building, Reading, Wood carving, Paintball

Introduction: My name is Melvina Ondricka, I am a helpful, fancy, friendly, innocent, outstanding, courageous, thoughtful person who loves writing and wants to share my knowledge and understanding with you.