30 January 2025

Part 3 - DUA Bill vs DPDI Bill

spotting the key differences



In the second of our three-part series, we brought some clarity to the timelines and current status (ahem… confusing chaos) of three legislative bills related to data protection and digital information. We also gave you the lowdown on the ambitious changes proposed by the Data (Use and Access) Bill (DUA Bill) to modernise the UK’s data laws.

Now, in this final blog, we’re zooming in on how the DUA Bill stacks up against its dead-in-the-water predecessor, the Data Protection and Digital Information Bill (DPDI Bill). We’ll break it down, highlight the key differences, and wrap up with a handy table at the end for quick answers.

A quick recap

The DPDI Bill was introduced by the Conservative government and aimed to streamline data protection laws while maintaining alignment with EU GDPR. However, it didn’t survive the 2024 general election. Enter the Labour government’s DUA Bill, which builds on some DPDI ideas while forging its own path.

Let’s dive into the details.

Legitimate Interests: narrower but clearer?

Both bills take a stab at clarifying legitimate interests under UK GDPR. The DPDI Bill listed examples like direct marketing and IT security. The DUA Bill goes a step further with a whitelist of recognised legitimate interests, like tasks in the public interest.

But there’s a twist: the DUA Bill’s list is shorter, though the Secretary of State can expand it. Flexibility or just more bureaucracy? You decide.

Special Categories of Personal Data: new powers for the government

The DUA Bill introduces powers for the Secretary of State to define new special categories of personal data and adjust processing rules. This was missing from the DPDI Bill and has stirred debate about balancing flexibility with oversight.

Automated Decision-Making: green light for AI (with safeguards)

The DPDI Bill started loosening restrictions on automated decision-making. The DUA Bill continues this trend, allowing businesses more freedom to use AI, provided there are safeguards like human review and compliance with equality laws.

Privacy advocates are wary, but businesses are cheering.

Cookies and tracking tech: A bit sweeter

Both bills addressed cookies, but the DUA Bill takes the lead by clarifying exemptions for security and analytics. It also bans cookie paywalls, so you won’t have to fork out cash just to read a webpage. Bonus!

The Information Commission: rebranding and independence

Goodbye ICO, hello Information Commission. Both bills proposed this rebrand, but the DUA Bill ensures the regulator isn’t bound by government priorities, a win for independence.

NHS Data Standards: a DUA exclusive

The DUA Bill tackles NHS data systems with provisions for real-time access to patient records and unified IT standards. The DPDI Bill didn’t go near healthcare, making this a standout feature of the DUA Bill.

Children’s Data: raising the bar

Both bills aim to protect children’s data, but the DUA Bill ups the ante by requiring the Information Commission to consider children’s vulnerabilities when making decisions.

Data Subject Rights: more clarity, less drama

The DUA Bill streamlines data subject access requests (DSARs):

  • Only “reasonable and proportionate” searches are required.
  • The one-month clock starts after identity verification or fee payment.

Unlike the DPDI Bill, the DUA Bill drops the controversial “vexatious” label for refusing DSARs, keeping things fairer.

International Data Transfers: looser strings

The DPDI Bill stuck with the EU’s strict “essential equivalence” standard. The DUA Bill opts for a “not materially lower” test, potentially making non-EU data deals easier but raising questions about the UK’s adequacy status with the EU.

What Got Dropped?

The DUA Bill leaves out some of the DPDI Bill’s more eyebrow-raising ideas, like:

  • Narrowing what counts as personal data.
  • Replacing Data Protection Officers with “senior responsible individuals.”
  • Simplifying ways to reject DSARs.

These exclusions might make the DUA Bill more palatable for lawmakers (we can hope, right?).

So, now what?

The DUA Bill builds on the DPDI Bill but takes a more public service-oriented approach. It aims to balance innovation with privacy while cutting red tape for businesses.

Whether it’s a step forward or sideways depends on your perspective, but one thing’s for sure: UK data laws are evolving fast.

For now, we suggest you breathe deeply and follow our suggested practical steps, here. If all else fails, pray and reach out to us. We can help with the legals… not the breathing.