The Data (Use and Access) (DUA) Bill: What Changes Are Proposed to the UK GDPR?

With the failure of the DPDI Bill, what change do we expect to see from the DUA Bill? Find out what’s planned here.

When the Labour Party won the general election in July 2024, the previous government’s Data Protection and Digital Information (DPDI) Bill went out the window. 

During the years the DPDI Bill progressed through parliament, it attracted much commentary, including several discussions from our hosts at Data Protection People. With Labour in power, a new Bill has arrived – the Data (Use and Access) (DUA) Bill.

Many have welcomed the changes proposed in the DUA, but how do they impact the existing data protection framework? Discover the key reforms set out in the DUA Bill in our guide.

What Is the DUA Bill? 

The Data (Use and Access) Bill aims to “unlock the secure and effective use of data for the public interest” while driving economic growth and improving people’s lives. The DUA Bill was published on 24 October 2024 to replace the previous government’s failed Data Protection and Digital Information (DPDI) Bill.

This Bill carries over similar provisions set out in the DPDI Bill, including Smart Data schemes and digital ID. Some significant reforms have been dropped, such as the changes to DPIAs and RoPAs. The controversial plan to remove the requirement for Data Protection Officers (DPOs) under certain criteria has also been dropped.

For a complete list of its predecessor’s proposed changes, read our summary of the DPDI Bill here.

What Areas Are Subject to Change Under the Data Bill?

1. Data Subject Access Requests (DSARs)

The DUA Bill introduces a new article (12A) into the UK GDPR, setting clearer boundaries for managing subject access requests (SARs). Key points include:

  • Organisations (controllers) can ask data subjects for more information in connection with a DSAR and have their time period for responding to the request paused until they receive that information.
  • A reasonable case for requesting further information is ‘where the controller processes a large amount of information concerning the data subject’. This can extend the applicable time period by two months.
  • The personal data and other information provided in response to a SAR need only result from a ‘reasonable and proportionate search’ (clause 78). This gives controllers a legal basis for defining their search limits rather than relying on regulatory guidance alone.

This provision varies from the DPDI Bill: data controllers no longer have the right to refuse SARs on the basis that they are ‘vexatious or excessive’. The DUA Bill instead maintains the UK GDPR’s grounds for refusal where the SAR is ‘manifestly unfounded or excessive’.

2. Legitimate Interests

The Bill proposes that controllers will be exempt from conducting a Legitimate Interests Assessment (LIA) where ‘recognised legitimate interests’ apply. These circumstances include processing necessary for national security, safeguarding vulnerable individuals, or emergency response. (See Annex 1 in Schedule 4 of the Bill for the full list of recognised legitimate interests.)

The DUA Bill also includes examples of processing that may qualify as necessary for the purposes of legitimate interests, including:

  • Direct marketing
  • Processing to ensure the security of network and information systems
  • Intra-group sharing of personal data for internal administrative purposes 

These examples are lifted from the EU GDPR (Recitals 47–49). Previously, organisations were uncertain whether these Recitals carried the same weight as the main text. By formalising these examples, the Bill delivers much-needed certainty for controllers about when they can rely on legitimate interests as a lawful basis.

3. Automated Decision-making

Significant provisions surround automated decision-making. The DUA Bill intends to replace Article 22 with new Articles 22A–22D. The existing, stricter regime (Article 22) gives data subjects the right not to be subject to a decision based solely on automated decision-making unless certain conditions apply, such as where the processing is:

  • necessary for entering into, or performance of, a contract between the data subject and a data controller;
  • required or authorised by domestic law which also lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests; or
  • based on the data subject’s explicit consent.

Reducing this scope threatens individuals’ rights regarding automated decisions. Article 22C, however, sets out safeguards for protecting the individual’s rights, freedoms and legitimate interests. These measures include providing information about decisions taken regarding the data subject and enabling them to contest such decisions.

4. International Data Transfers

Like the DPDI Bill, the DUA Bill looks to amend the rules for international data transfers set out in Chapter V of the UK GDPR. Small changes include adapting the rules to a UK context, but most importantly, a ‘data protection test’ is introduced. 

The Secretary of State will assess whether the data protection a recipient country provides to an individual is ‘not materially lower’ than UK standards, rather than requiring an exact likeness. This approach gives flexibility when conducting data transfers but requires organisations to be aware of the differing standards set internationally.

5. Privacy Notices

The DUA Bill proposes that organisations are not required to provide privacy information under Articles 13 and 14 (e.g., via a privacy notice) if doing so is deemed ‘impossible or would involve a disproportionate effort’. 

This means controllers aren’t required to inform individuals about processing if the data is ‘de-identified’ or if notification would be impractical or unjustifiably costly. Watering down these transparency rules causes some concern, as it puts individuals’ rights at risk.

Along with these five areas, the Data Bill proposes several other changes that impact data processing for research purposes, as well as an increase in PECR fines. 

What Are the Next Steps for the DUA Bill? 

The DUA Bill is still in its initial stages, meaning everything is subject to change as it passes through parliament. As a close revision of the DPDI Bill, we expect it to progress more quickly than its predecessor.

Subscribe to the Data Protection Made Easy podcast for regular updates on the progression of the DUA Bill and expert commentary on industry events. 

Looking for Data Protection Support?

Our expert data protection services keep organisations compliant and their customers’ personal data safe. With years of sector experience, our GDPR consultants stay ahead of the latest regulatory changes, providing tailored advice to meet your compliance needs. 

Contact our team to find out how we can help you.