Fox Williams the Business Law Firm
20 Jan 2025
The Data (Use and Access) Bill 2024-25 (DUA Bill) had its second reading on 19 November 2024, following its introduction in the House of Lords on 23 October 2024. The Bill replaces the Conservative Government’s stalled Data Protection and Digital Information Bill (DPDI Bill) and proposes several similar reforms to the UK’s data protection framework.
Background
Since Brexit, the UK has sought to modernise its data protection laws to maintain high standards while easing administrative burdens on businesses. Previous efforts with the DPDI Bill failed, but the Labour Government has revived a more modest set of reforms under the DUA Bill. The goal is to modernise data laws while safeguarding the UK’s “adequacy” status, which is essential for seamless data flows between the EU and the UK.
Key updates to UK GDPR and DPA 2018
The DUA Bill introduces several significant changes:
- Legitimate Interests: the Bill defines different types of processing that automatically qualify as “legitimate interest”, such as processing for “direct marketing” (widely defined), intra-group transfers and for network security.
- Recognised legitimate interest: a new ground for lawful processing allows processing necessary for purposes like national security, public safety or emergency response, outlined in a new annex to UK GDPR.
- Data Subject Access Requests (DSARs): A change that will be welcomed by many businesses on the wrong end of DSARs from a disgruntled or ex-employee is that a controller will only need to conduct searches that are “reasonable and proportionate.” However, an express exemption for “vexatious” requests—proposed in the DPDI Bill—has been omitted. It also confirms a procedure enabling the courts to inspect withheld material to determine whether it is exempt from disclosure.
- Purpose Limitation: clarifies when personal data can be used for purposes beyond the original intent, with certain scenarios (like public interest research or statistical analysis) deemed compatible.
- Cookies: The Bill simplifies pop-ups by removing the need for consent for low-risk cookies, such as those used for statistical purposes or to improve websites. It also defines when a cookie is “strictly necessary” (e.g., for fraud prevention, user safety, or maintaining user preferences). Transparency requirements remain, but consent will often no longer be needed. On the other hand, GDPR-level fines (up to 4% of global turnover) will now apply to breaches of cookie rules, replacing the current £0.5m cap.
- Automated Decision-Making (ADM): To facilitate increased use of AI for ADM (where there is “no meaningful human involvement in the taking of the decision”), the Bill provides that, apart from cases using “special categories” of data, ADM resulting in a legal or similarly significant effect will no longer be prohibited with exceptions. Instead, ADM will be possible regardless of the lawful basis, as long as suitable safeguards are in place. This includes reliance on legitimate interests as a lawful basis, except for cases involving “special categories” of data.
- Scientific Research: provides a clearer definition of “scientific research” and guidance on when consent is needed.
- Complaints Process: requires controllers to take “appropriate steps” to facilitate data subject complaints, such as by providing a complaints policy or online form. It also paves the way for regulations requiring controllers to notify the Information Commissioner of the number of complaints received.
- International Data Transfers: Introduces a less stringent adequacy test for third countries, requiring protection to be “not materially lower” than the UK’s. This could allow more countries to achieve UK adequacy but may complicate the EU’s adequacy review of the UK in 2025.
What’s Missing?
The Bill excludes some of the more controversial proposals from the DPDI Bill, such as removing the requirement for Data Protection Officers (DPOs), redefining “personal data,” and relaxing Data Protection Impact Assessment (DPIA) obligations. These omissions likely aim to preserve the UK’s adequacy status with the EU.
Beyond Data Protection
At over 260 pages, the Bill covers more than data protection. As the title of the Bill indicates, it includes sections related to the use of and access to data more generally, including:
- use of “smart data” (supporting open banking and the development of new smart data schemes such as in respect of utilities);
- establishing a “trust mark” for approved digital verification services;
- simplifying data use for law enforcement and the NHS, including enabling easier patient data transfers;
- creating a national map of the UK’s underground infrastructure (pipes and cables).
This broader approach reflects aspirations similar to the EU’s Data Act, treating data as a shared asset for businesses and consumers alike.
The Government aims to “put technology and data protection at the heart of the economy” by simplifying rules to make data laws more business-friendly while maintaining high standards. Supported by the ICO (soon to be known as the Information Commission), the Bill seeks to modernise the UK’s data framework without jeopardising EU adequacy status, which comes up for review in June 2025.
The expectation is that the Bill will be finalised before this review. However, amendments may still arise, so watch this space for further updates.
Authors
Nigel Miller, Partner