The Data (Use and Access) Act (DUAA) is here! As for the current timeline of the legislation, at the time of writing, we are waiting for the Keeling Schedules. In plain English, that means we know what is going to change, but we don’t know exactly when those changes will take effect.
While by no means an extensive breakdown of every change, this guide provides a snapshot into some of the key changes.
1: New legal basis
Firstly, we’ll mention the new legal basis. The DUAA will introduce “Recognised Legitimate Interests” (RLIs), which are a new list of specific activities where no balancing test is needed:
- Sharing data with another organisation when it’s needed for them to carry out a task in the public interest or under official authority
- Protecting national security, public safety, or fulfilling defence obligations
- Responding to serious emergencies, as defined under the Civil Contingencies Act 2004
- Preventing, investigating, or prosecuting criminal activity
- Providing protection and support for vulnerable individuals
If one of the recognised legitimate interests (RLIs) applies, organisations can rely on the new Article 6(1)(ea) as their lawful basis for processing without needing to carry out a legitimate interest assessment or balancing test, unlike the process required under Article 6(1)(f) of the UK GDPR.
Public bodies won’t be allowed to use RLIs as a lawful basis when carrying out their usual duties, just like under the current rules. Also, if the processing involves sensitive (special category) data, the usual extra restrictions under Article 9 of the UK GDPR will still apply.
Examples of Legitimate Interests
The DUAA also adds new examples to Article 6 of the UK GDPR, listing types of data processing that might count as being in a legitimate interest, depending on the context:
- Direct marketing
- Ensuring the security of network and information systems
- Sharing data within a company group when needed for internal administrative tasks
Unlike RLIs, these examples still need a legitimate interest assessment before they can be used as a lawful basis. They reflect situations that were previously only mentioned in the recitals (not the main text) of the UK GDPR.
2: Soft opt-in
Secondly, Clause 110 of the DUAA expands the definitions of ‘call’ and ‘communication’ under PECR 2003 to include all attempts at calls or communications sent, even if the call doesn’t connect. It also adds a definition of ‘direct marketing’ as any advertising or marketing message sent to specific individuals, which could even cover personalised online ads.
Currently, sending unsolicited marketing emails is generally banned unless the recipient consents or the ‘soft opt-in’ exception applies, meaning the person’s contact details were collected during a sale or sales negotiation. Fast forward to the introduction of the DUAA into law, and Clause 114 extends this ‘soft opt-in’ rule to charities, allowing them to send marketing messages (like fundraising appeals, for example) even if the contact details weren’t collected during a commercial transaction.
For charities to rely on this exemption, though:
- The marketing must be solely to support their charitable goals.
- The recipient must have previously shown interest or support (like making a donation).
- The recipient must be given a simple, free way to opt out both when their details are collected and in every future message.

3: The right to complain to a controller
Clause 103 of the DUAA adds new rules to the Data Protection Act 2018 about how organisations must handle complaints under the UK GDPR or the Act. It encourages the use of electronic complaint forms and requires organisations to acknowledge every complaint within 30 days. They must also take appropriate action and let the complainant know the outcome.
Additionally, the Secretary of State may introduce regulations requiring organisations to report the number of complaints they receive to the ICO.
4: Reasonable and proportionate search
Clause 78 of the DUAA makes it clear that when responding to Data Subject Access Requests (DSARs), organisations only need to conduct a ‘reasonable and proportionate’ search for the requested information, not an overly broad or exhaustive one. So no need to go on an eternal hunt for data! This aligns with how the UK GDPR is currently enforced.
Unlike most DUAA provisions that come into effect later through additional regulations, Clause 78 takes effect immediately upon Royal Assent and is applied retroactively from 1 January 2024.
5: Consent for low-risk purpose cookies
Clause 112 of the DUAA changes the rules around cookie consent by removing the need for users to give explicit permission in certain cases. These include when cookies are used just to gather statistics to improve a website or service, to make sure the website displays correctly on a user’s device, or to identify a user’s location for emergency calls or help.
Even though consent isn’t needed for the first two uses, websites still have to clearly inform users about the cookies and offer a simple, free way to opt out. For statistics cookies, the data can only be shared with people directly involved in improving the service.

6: Increase in fines for breaches of ePrivacy rules
Clause 111 of the DUAA extends the deadline for service providers to notify the ICO about personal data breaches under PECR 2003 from 24 hours to 72 hours, aligning it with UK GDPR rules. If all the necessary information isn’t ready within 72 hours, providers can submit it in stages, explaining any delays. So there’s no need to know absolutely everything about the incident before you make the ICO aware.
Clause 115 updates the ICO’s enforcement powers by replacing old rules with new ones from the Data Protection Act 2018. This means fines for serious PECR breaches can now be much higher, up to £17.5 million or 4% of global turnover, matching UK GDPR levels.
Under Clause 116, the ICO is required to promote the use of codes of conduct and certification schemes to help organisations comply with PECR 2003, similar to what exists under the UK GDPR.
7: New “data protection test” for international data transfers
Schedule 7 of the DUAA 2025 introduces a new ‘data protection test’ under Article 45B of the UK GDPR. This test is used by the Secretary of State when deciding if a country or organisation offers adequate data protection for transferring personal data. It also applies when organisations rely on existing safeguards and assess transfer risks.
The test checks that the other country’s data protection rules aren’t significantly weaker than the UK’s, considering factors like:
- Respect for human rights and rule of law
- Existence of enforcement authorities to protect individuals
- Ways for individuals to seek redress
- Rules on onward data transfers
- Any international obligations
- The country’s culture and traditions
This risk-based approach is similar to the ICO’s 2022 transfer risk assessment but differs from the EU GDPR, which requires protection to be ‘essentially equivalent.’ For organisations subject to both UK and EU GDPR, this could mean they stick to the stricter EU standards to cover all bases, potentially limiting any simplification benefits.
The changes don’t apply retrospectively though, so transfers made before the new rules take effect remain valid.

8: Automated decision-making and profiling
Clause 80 of the DUAA will allow for wider usage of automated decision-making. It will generally be allowed unless special category data is involved or certain new legal bases are used. Even then, there are exceptions, such as when someone gives explicit consent, or the decision is needed for a contract, legal requirement, or a matter of public interest. When automated decisions do happen, organisations will still need to put safeguards in place to protect people’s rights, as required by new Article 22C.
These changes reflect the government’s desire to make the UK a more attractive place for businesses leveraging AI technologies. While these changes to Article 22 do allow more flexibility with regard to decisions made by AI, it’s somewhat concerning to see stricter protections relaxed. The ICO has announced plans for a statutory code to support this change, so that will be something to look out for.
9: New concept: significant decisions
Clause 80 also introduces a new Article 22A into the UK GDPR, which sets out important definitions regarding automated decision-making. According to this new article, a decision made solely through automated processing is defined as one that involves “no meaningful human involvement.” The article also clarifies that a significant decision for a data subject is one that produces a legal (or similarly significant) effect on them.
When assessing whether a decision involves meaningful human involvement, Article 22A specifically highlights the need to consider factors such as the extent to which the decision is based on profiling. This suggests that profiling itself is treated as a form of solely automated decision-making, contributing to a decision falling within the scope of the regulation. The DUAA does not explicitly state this, though.
To address this, the DUAA also introduces a new Article 22D, which empowers the Secretary of State to bring forward legislation to Parliament to define what constitutes “meaningful human involvement” and what kinds of decisions have a “similarly significant effect” from a legal perspective. This means that further detailed guidance and definitions are expected to emerge through secondary legislation, providing greater clarity on these key concepts in the near future.

Moving forward
The most important thing to understand about the DUA Act is that this is amending legislation, so don’t worry – you won’t need to add another lengthy piece of legislation to your ‘favourites’ bar. The UK data protection regime will still primarily consist of the UK GDPR and the Data Protection Act 2018, and PECR remains the go-to for all your privacy rights relating to electronic communications, marketing, and cookie goodness.
To better understand the new DUAA, consider signing up for our one-day course, ‘Understanding the Data (Use and Access) Act’. This course covers the key changes, what your obligations will be under the newly amended regulations, and other important topics like the new role of the Information Commission.
Enrol for only £395 per person, or get 20% off when you make multiple bookings.
Learn more about this course and book yourself a place here.