DUA vs. DPDI: Spot the Difference
30 Oct 2024
It’s been a few days since the Data Use and Access (DUA) Bill was presented to Parliament. For those catching up, this legislation isn’t entirely new: it is largely a “Labour-ised” evolution of the Data Protection and Digital Information (DPDI) Bill originally introduced by the Conservative government.
When the general election was called, every bill that had not yet completed its passage lapsed, leaving the incoming government to decide whether, and in what form, that legislation would reappear. Thankfully, the major parties broadly agreed on the fundamentals of the DPDI Bill, so after discussions between the Government, the DMA (Data & Marketing Association) and key industry stakeholders, a Starmer-stamped version re-emerged under a new name: the DUA Bill.
So, what are the changes between the old and the new?
Legitimate Interest
The government heeded calls to give greater certainty to “legitimate interests” as a lawful basis for processing under the UK GDPR. The DUA Bill lists illustrative, but not exhaustive, examples of processing that may be carried out in the legitimate interests of the controller or a third party: direct marketing, intra-group transfers of personal data for internal administrative purposes, and network and information security measures. These are the same examples given in Recitals 47, 48 and 49 of the GDPR. Recitals are interpretive aids rather than operative text, so organisations have never had absolute certainty that relying on them carried the full force of the Articles. Moving the examples into the body of the legislation provides the certainty the market needs, and the explicit reference to direct marketing is particularly welcome.
Codes of Conduct
The DUA Bill extends the Codes of Conduct regime established by Articles 40 and 41 of the GDPR by allowing Codes of Conduct to be created under PECR as well, and it provides that a GDPR code and a PECR code may be contained in the same document. This expansion, included in the Bill following the DMA’s advocacy, will permit a code tailored to the specific processing carried out by the data and marketing industry, establishing co-regulation for that industry for the first time. Such codes are subject to a rigorous approval process by the Information Commissioner’s Office (ICO), ensuring that they align with GDPR principles and strengthen PECR’s privacy protections; once the new data protection regulator provided for by the DUA Bill is established, approval will pass to that body.
Smart Data Schemes
The DUA Bill builds on the DPDI Bill’s smart data framework, under which customer and business data held by a provider can be shared, at the customer’s request, with authorised third parties. This resembles the open banking model, where such sharing is intended to increase competition and innovation. The Bill gives the Secretary of State regulation-making powers to set up sector-specific schemes, which is likely to benefit sectors that rely heavily on IoT-generated and public sector data. Organisations whose business model depends on holding data proprietarily may, however, find it harder to adjust to these sharing requirements.
Digital Identity Verification
The DUA Bill continues the DPDI Bill’s support for digital verification services, with the aim of encouraging wider adoption of digital identity. It retains the concept of a DVS (Digital Verification Services) register: providers must be certified against a trust framework overseen by the Secretary of State before they can be listed. A notable addition is a power for the Secretary of State to refuse certification on national security grounds, which gives the scheme a means of keeping untrustworthy providers out of the identity ecosystem. These measures form part of a broader government initiative to promote secure, standardised identity verification.
Key Data Protection Provisions Retained from DPDI Bill
Several key data protection provisions carry over from the DPDI Bill to the DUA Bill, giving continuity in data governance and compliance standards:
Automated Decision-Making (ADM)
Solely automated decision-making is permitted more widely than under the current Article 22 regime, provided safeguards are in place; where special category (sensitive) data is involved, the stricter rules, including mandatory human involvement, are retained. The intention is to stay aligned with UK GDPR standards and to preserve the UK’s EU adequacy decision.
PECR Fines and Cookie Rules
PECR penalties would be brought into line with GDPR levels, with maximum fines of £17.5 million or 4% of global annual turnover, whichever is higher. The DPDI Bill’s cookie changes also persist: cookies set for certain low-risk purposes, such as measuring how a service is used in order to improve it or remembering user preferences, may be placed without explicit consent, subject to specific conditions.
Purpose Limitation and Scientific Research
The DUA Bill retains the purpose limitation principle and sets out the conditions under which personal data may be further processed for a purpose different from the one for which it was collected. For scientific research, it allows consent to be given to a broad area of research where the specific purposes cannot be fully identified at the time of collection, provided appropriate safeguards protect data subjects.
Adequacy and DSARs
The DUA Bill codifies a statutory “data protection test” for international transfers, allowing the Secretary of State to make adequacy regulations where a third country’s standard of data protection is assessed against the UK’s. It also clarifies that a controller responding to a data subject access request (DSAR) need only carry out a “reasonable and proportionate” search for the requested data, establishing a practical standard for responses.
Privacy Notices
The DUA Bill revises the transparency rules so that controllers processing personal data for research, archiving or statistical purposes need not provide privacy information to data subjects where the data has been de-identified, or where doing so would be impossible or would involve disproportionate effort.