The UK's data reform package in the form of the Draft Data (Use and Access) Bill (DUA) is nearing completion and is likely to be finalised imminently. In this article we look at the current shape of the Bill, the key reforms, how it could impact the EU Commission's review of the UK's adequacy decision and what you should be focussing on.
What is the DUA Bill?
On 23 October 2024, the DUA Bill was introduced to the House of Lords. Heavily based on the previous Conservative government's Data Protection and Digital Information Bill, which failed at the end of the last Parliament, the DUA Bill is intended to modernise the UK's data regime for both non-personal and personal data. It aims to help support the economy, improve public services, and make everyday life and business compliance easier, all, crucially, without dismantling the key tenets of the UK GDPR.
What are the key reforms?
The Bill principally seeks to achieve its objectives through the following reforms.
Data sharing
The DUA Bill gives the government the ability to pass secondary legislation to enable business data sharing. This is intended to be used to implement smart data schemes in the UK to grow the economy, encourage competition and benefit consumers. The idea is to implement open-banking-type data sharing models in sectors such as energy, telecoms and healthcare, where data sharing has, to date, been limited. The Bill gives the Secretary of State powers to require businesses supplying goods, services or digital content to share business and customer data, and sets up a framework for this which is similar to, but not the same as, the EU's under the Data Act, the Data Governance Act and other data-related legislation.
UK GDPR reform
There are a number of reforms to the UK GDPR, including the following:
- Solely-automated decision-making
The DUA Bill will amend the UK GDPR to introduce a more flexible regime for using solely-automated decision-making (ADM), with a stricter regime applying only to special category data, the introduction of new terminology (a "significant decision" and "meaningful human involvement"), and a revised set of safeguards in relation to ADM involving any personal data.
- International data transfers
The DUA Bill's approach to international data transfers has attracted significant attention, particularly its potential impact on the UK's data adequacy status with the EU. At its core, the Bill proposes a subtle change to the way in which a country's adequacy should be assessed for the purposes of data transfers. The Secretary of State will be able to apply a new data protection test, under which the destination country's standard of data protection must be "not materially lower" than the standard in the UK.
Currently, UK law mirrors the EU, requiring that such transfers only occur when the destination country offers "essentially equivalent" protections to those provided under UK GDPR. This shift has sparked debate regarding its potential implications for the UK's adequacy decision from the European Commission.
The Commission is treating this matter with utmost seriousness. The current EU-UK adequacy decision was set to expire on 27 June 2025, however, the European Commission has granted an exceptional six-month extension to 27 December 2025 in order to assess the impact of the DUA Bill on EU citizens' data protection rights.
Commentators are divided on whether the DUA Bill genuinely endangers the UK's adequacy status. Some argue that even seemingly minor changes could alarm the Commission. Others maintain that the EU is unlikely to revoke adequacy so long as the fundamental UK GDPR architecture remains intact, particularly given the significant economic and political consequences such a decision would entail.
The UK remains adamant that nothing in the DUA Bill jeopardises the EU adequacy decision, however, the balance could be tipped not by the DUA Bill itself but by the Investigatory Powers Act. The UK government's ongoing dispute with Apple, over its reported issue of a Technical Capability Notice which would require Apple to give it access to encrypted communications worldwide, is unfolding alongside the DUA Bill. The Commission is particularly sensitive to how the UK manages security and intelligence agency access to personal data, especially considering that previous EU-US data transfer frameworks were invalidated primarily due to surveillance concerns.
- Compliance with new DSAR and complaint procedures
The Bill largely formalises the ICO's existing guidance on DSAR handling and response procedures. As most organisations already follow this guidance, the practical impact will be limited. However, one significant change is introduced: when organisations withhold information based on legal professional privilege or client confidentiality, they must now explicitly inform the data subject about: (i) the specific exemption being applied; and (ii) the reason for applying this exemption. Additionally, data subjects gain a new right to request that the ICO review how these exemptions have been applied to their case.
Cookies and PECR Fines
The Bill introduces a more flexible approach to cookies by including additional exceptions to the consent requirements for specified types of low-risk cookies. Under the new provisions, organisations will no longer need explicit consent for these cookies, provided they: (i) supply users with clear information about the cookies being used; and (ii) offer a straightforward opt-out mechanism.
Where the Bill relaxes PECR in terms of cookie consents, it strengthens it in terms of penalties, introducing significantly harsher penalties for breaches of the marketing rules. The maximum fine will increase dramatically from the current £500,000 to: £17,500,000, or 4% of the organisation's total annual worldwide turnover from the preceding financial year, whichever is higher.
This substantial increase aligns PECR penalties with the existing UK GDPR enforcement framework, signalling a more rigorous approach to marketing compliance.
One thing that does not change is the GDPR-level standard of consent required, but the ICO and government have earmarked this for further consideration.
Digital verification services
The Bill creates the framework for the introduction of digital verification services, enabling individuals to prove their identity without presenting a physical ID card or other form of documentation. This aligns with a similar initiative currently being rolled out in the European Union under the European Digital Identity Framework Regulation.
The Bill creates a regulated trust framework and mandatory "trust mark" for digital identity providers, which could open new avenues for identity-based innovation, particularly in the fields of fintech and online retail.
Are more changes expected?
The DUA Bill had enjoyed a relatively smooth passage through Parliament until it went back to the House of Lords after Committee. Somewhat unexpectedly, what is now holding the Bill up is the issue of AI and copyright. Amendments have repeatedly been introduced to the Bill since it went back to the Lords, and then taken out again in the Commons as part of the so-called 'ping pong' stage. These have largely centred around transparency requirements regarding copyright of AI training materials and a requirement to comply with UK copyright law when training or using AI. Although the Bill was not intended to deal with this, the House of Lords have used it to make a point regarding AI and copyright issues. The last remaining amendments to data elements of the Bill have fallen away but the AI issue remains for now.
When is the DUA Bill likely to pass?
In theory, the ping pong stage can go on indefinitely, but in reality it is unlikely to last much longer. At the time of writing, the Lords were set to re-introduce an already-tabled amendment which would require the government to publish a draft Bill containing proposals to provide transparency to copyright owners on the use of their work for AI training, three months after the reports on the subject are published. Under amendments introduced to the Bill previously, these reports have to be published within a year after the DUA Bill gets Royal Assent. That would mean the draft legislation on copyright transparency would be published 15 months after DUA Bill Royal Assent. The same amendment was defeated on 3 June in the Commons, but if it passes again in the Lords, the government must accept it or let the entire Bill fail. Baroness Kidron, who has introduced the amendments, has suggested she would let the amendment drop if the government allowed for the introduction of backstop powers for the Secretary of State to introduce AI transparency requirements if necessary. It seems likely the government will agree to this rather than face the embarrassment of the Bill failing, which means the Bill may pass imminently and achieve Royal Assent shortly after that.
Focus on:
It's worth underlining that much of the Bill (although not so much of the data protection element) is dependent on secondary legislation, so it won't all come into practical effect immediately. The most immediately applicable elements to focus on include:
- DSAR response protocols: update template DSAR response letters to include the newly required information when claiming privilege or confidentiality exemptions, and develop procedures for internal documentation of exemption rationales.
- Cookie compliance review: identify which cookies deployed on your platforms may qualify as "low-risk" and prepare to update cookie notices and banners to provide clear information about cookie usage.
- ADM use: review your use of solely automated decision-making in light of the revised definitions and permissions. Revise processes and policies as required.
Much of the rest of compliance will initially involve maintaining a watching brief on issues around data transfers and the secondary legislation that will bring non-personal data related aspects of the DUA Bill into application.