Data (Use and Access) Act gets Royal Assent

Look out for our insights on the implications for business of the DUA Act at our “on data” blog in the coming days.

In the interim, and by way of reminder, the DUA Act looks to make a number of data protection amendments to the UK GDPR and Data Protection Act 2018, with key changes including:

• New legal basis of ‘recognised legitimate interests’, with a (narrow and public sector focused) list of bases for processing personal data and power for the Secretary of State to amend the same.
• Clarity as to what constitutes legitimate interest, providing examples (subject to legitimate interest assessment) of direct marketing, intragroup transmission of personal data for internal administration purposes, and processing necessary for ensuring the security of network and information systems.
• Secretary of State power to designate additional special categories of personal data and additional processing categories under special category data.
• Clarity on scientific research definition, acknowledging the potential for privately funded, commercial activity to constitute scientific research.
• Clarity on the meaning of further processing and what constitutes compatible processing.
• Narrowing the prohibition on automated decision-making. 
• Addressing children’s “higher protection matters”, with a need to take account of the same when providing information society services that are likely to be accessed by children.
• Codifying the data protection test for assessing adequacy of third countries or international organisations and specifying that exporters of personal data should act reasonably and proportionately when making transfers subject to appropriate safeguards.
• Codifying ICO guidance that organisations need to conduct reasonable and proportionate searches when responding to data subject access requests.
• Adjusting transparency requirements (subject to safeguards) when it is impossible or involves disproportionate effort to inform data subjects of further processing for research purposes.

The DUA Act also updates the e-privacy regime in the UK, for example by allowing certain cookies (such as collecting statistics aimed at website improvement) to be set without consent and aligning fines with those under the UK GDPR (to a maximum of 4% of annual worldwide turnover or £17.5m).

The DUA Act addresses ICO reform, clarifying the ICO’s role, its enforcement powers and updating its structure to align with other UK regulators with a corporate structure. 

Whilst there was a long debate about the extent of any copyright and AI provisions that would be included in the DUA Act, the House of Lords failed to push through its desire for transparency requirements (e.g. providing copyright holders with information about which of their works had been used in AI training) and provisions require a government report on use of copyright works in the development of AI by reference to policy options, as well as an economic impact assessment of those policy options.

Further, the DUA Act includes key sections that look to establish smart data schemes (to enable businesses to share data with regulated and authorised third parties) and the legislative structure for digital verification services. Other provisions relate, amongst other things, to online safety research and data retention, national security, intelligence service and law enforcement use of data, National Underground Asset and Births and Deaths registers, information standards for health and social care, smart meters and overseas trust services.

Some provisions will come into force two months later, including for example amendments to the ICO’s information notice powers, enabling the ICO to require controllers and processors to provide it with documents as well as information.

The legislative progress of the DUA Act and amendments from both Houses of Parliament is available here.