The UK Government’s Data Use and Access Bill 2024 (DUA Bill) seeks to reform the UK GDPR and DPA 2018. We take a look at some of its key features.
The DUA Bill (the Bill) was first introduced into the House of Lords in October 2024 after its predecessor, the Data Protection and Digital Information Bill, failed to make it through Parliament.
The Bill recognises that data is a valuable economic commodity and so it aims to support modernisation and digitisation of the UK government, to make it easier for businesses to comply with regulations, and to enrich people’s lives through the use of emerging technology. The government is, however, mindful that the EU’s current adequacy decision (allowing the free flow of data between the EEA and the UK) only runs until 27 June 2025 and the Bill therefore needs to tread a fine line between relaxing some rules and avoiding prejudice to the renewal of the adequacy decision.
Some of the Bill’s key provisions propose the following:
- Various changes will be made to the UK GDPR and Data Protection Act 2018, in particular to provide greater clarity on legitimate interest processing, the purpose limitation principle and automated decision making (the latter relaxing some of the rules concerning automated decision making as long as it does not involve special category data).
- Changes to the Privacy and Electronic Communications Regulations 2003 (PECR), in particular in relation to the rules about website cookies and email marketing. The fines under PECR will also be increased to align with those permitted under the UK GDPR (greater of £17.5M and 4% of annual global turnover).
- Amendments to the flow and use of personal data for law enforcement and national security purposes.
- Amendments to the Counter-Terrorism Act 2008 on the retention of biometric data (fingerprints and DNA profiles) by law enforcement authorities, to improve efficiency and limit risk to national security.
- The facilitation of data sharing in order to improve public service delivery.
- New smart data schemes which will give customers more control and increased access to the information (personal data and business data) that organisations hold about them.
- Patient access to healthcare information (such as a patient’s pre-existing conditions, appointments and tests) will be improved across all NHS trusts, GP surgeries and ambulance services.
- Information standards for health and social care to ensure the security of special category data.
- Regulations will be introduced for the use of digital verification services which will be provided as an alternative to physical identity checks.
- Services for the provision of electronic signatures, electronic seals, timestamps and other trust services.
- The governance structure of the ICO will be reformed to ensure it remains independent and trusted as a regulator.
Although the Bill comprises a diverse collection of measures, it seems to be a realistic attempt to lighten the regulatory burden for businesses while retaining the overall direction of data protection since the GDPR was first introduced in 2018. The government itself has forecast that the Bill will bring an estimated £10 billion boost to the UK economy over 10 years and the ICO has welcomed the Bill as a ‘positive package of reforms’, commenting that the Bill should not represent a risk in terms of the transfer of personal data from the EEA to the UK or to the UK’s adequacy status.
We will continue to follow the progress of the Bill on its passage through Parliament and provide further updates in due course.