DUA vs. DPDI: Spot the Difference
30 Oct 2024
It’s been a few days since the Data Use and Access (DUA) Bill was presented to parliament. For those catching up, this legislation isn’t entirely new. It’s partly a “labour-ised” evolution of the Data Protection and Digital Information (DPDI) Bill, initially proposed by the Conservative government.
When the change in government occurred, all previous bills not yet passed lapsed, leaving it to the new government to decide if and in what form that legislation would reappear. Thankfully, all major parties broadly agreed on the fundamentals of the DPDI, so, after discussions between the Government, the DMA, and key industry stakeholders, a Starmer-stamped version of the legislation re-emerged under the new name: the DUA Bill.
So, what are the changes between the old and the new?
Legitimate Interest
The government heeded calls to refine "legitimate interest" as a lawful basis for data processing under GDPR. Previously, legitimate interest allowed data processing if balanced against individual rights, promoting a fair use principle. The former policy was flexible yet lacked detailed criteria for appropriateness. The DUA Bill narrows this scope, adding guidelines on data types eligible for public or individual benefit processing, such as direct marketing, intra-group data transfers, and cybersecurity measures. These specified purposes simplify compliance, helping organisations apply legitimate interest with confidence under clearer parameters.
Additionally, the bill mandates that such processing should not infringe upon individuals' rights and freedoms, prioritising transparency and accountability. Further, it introduces a review mechanism to amend legitimate interest categories based on societal and technological changes, assisting organisations in managing lawful data processing while bolstering data subjects’ rights.
Codes of Conduct
Under PECR and GDPR, the DUA Bill strengthens Codes of Conduct to encourage GDPR and PECR compliance and improve sector-specific data processing standards. Previously, Codes of Conduct were recommended but optional under GDPR (Article 40).
The DUA Bill now provides these codes with more authority. Sector-specific bodies are encouraged to create codes tailored to unique industry needs, like telecommunications and marketing, where electronic communications intersect with personal data use. These codes are now subject to rigorous approval processes by the Information Commissioner’s Office (ICO) or similar entities, ensuring they align with GDPR principles and enhance PECR’s privacy protections.
This development is promising for the DMA, as it can continue creating a code of practice for the industry, validated by the ICO and monitored by the Data and Marketing Commission. This will be a cornerstone of industry compliance with regulations, and the DMA is keen to engage further with the revamped regulator to advance these standards.
Smart Data Schemes
The DUA Bill builds on the DPDI Bill’s smart data framework, facilitating data sharing with authorised third parties. This resembles the open banking model, where customer and business data sharing enhances market competition and innovation. The DUA Bill grants the Secretary of State regulatory powers for sector-specific applications, benefiting sectors that heavily rely on IoT and public sector data. However, organisations that rely on proprietary data may face challenges adjusting to these data-sharing requirements.
Digital Identity Verification
The DUA Bill continues support for digital verification services, promoting broader digital identity adoption. It retains the DVS (Digital Verification Services) register concept, requiring providers to certify against a trust framework overseen by the Secretary of State. A crucial addition is the Secretary of State’s authority to refuse certification on national security grounds, bolstering data security practices. These advancements in digital identity are part of a broader government initiative to promote secure, standardised identity verification.
Key Data Protection Provisions Retained from DPDI Bill
Several key data protection provisions from the DPDI Bill remain in the DUA Bill, ensuring continuity in data governance and compliance standards:
Automated Decision-Making (ADM)
ADM is allowed in low-risk situations with mandatory human oversight for sensitive data, maintaining UK data adequacy and aligning with UK GDPR standards.
PECR Fines and Cookie Rules
PECR penalties now align with GDPR levels, with fines of up to 4% of global turnover or £17.5 million. Cookie rules from the DPDI Bill also persist, permitting cookies for service improvements or user preferences without explicit consent, subject to specific conditions.
Purpose Limitation and Scientific Research
Retaining the ‘purpose limitation’ principle, the DUA Bill defines conditions for data processing with new purposes. In scientific research, it allows flexibility with consent when purposes can’t be defined in advance, provided safeguards protect data subjects.
Adequacy and DSARs
Codifying the “data protection test,” the DUA Bill enables the Secretary of State to assess foreign data protection standards against UK levels. It also clarifies that only a “reasonable and proportionate” search is necessary for DSARs, establishing a practical response standard.
Privacy Notices
The DUA Bill revises transparency rules, stating that data controllers aren’t required to inform subjects about processing for specific research or statistical purposes if the data is de-identified, or if notification would be unfeasible or disproportionately costly.