Data Protection Reforms: The Data (Use and Access) Bill - the final stages
The Data (Use and Access) Bill (or the DUA Bill as it is often called) was introduced to Parliament on 23 October 2024 and includes, amongst other things, the current proposals to reform UK data protection law. There have been a number of previous bills submitted to Parliament which included reforms to UK data protection law (such as the Data Protection and Digital Information Bill (DPDI) (numbers 1 and 2)) but these previous bills did not make it to the end of the parliamentary process and did not, therefore, become law.
It is important to note that the DUA Bill intends to amend UK data protection law, rather than replace it completely. Whilst there are some reforms to the UK data protection laws as we know them – notably:
- changes around cookies, automated decision making and international data transfers;
- clarifying the position around certain aspects of data subject access requests;
- expanding recognised legitimate interests under UK data protection law;
- the introduction of a defined data protection complaints process; and
- an increase in fines for breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003
– the reforms proposed under the DUA Bill are not as extensive as those we have seen proposed previously, for example under DPDI. Many commentators believe that this is the case so as not to affect the adequacy decision for the UK, granted by the EU Commission, which is due to expire later this year.
The DUA Bill also includes provisions around smart data, the digitisation of births and deaths registers and regulation around those who provide digital verification services.
When might we hear more about the DUA Bill and do we need to do anything now?
The DUA Bill is in the final stages of its passage through Parliament, and is currently in the consideration of amendments stage. The sticking point is seemingly around copyright and AI, rather than any data protection reforms. Once this stage has completed, the DUA Bill will move to receive Royal Assent and will become law. Hopefully, the DUA Bill will become law by the end of this month, however we are keeping an eye on this.
In the meantime, we would suggest that you start to look at the data protection governance and practices that you have in place and ensuring that all records and information is up-to-date. This will make it easier once the DUA Bill becomes law, to update your data protection governance and practices, should you need to, to ensure your organisation can comply with the new legislation. In addition, if your organisation currently carries out marketing that falls within the scope of PECR, you should review and understand your marketing practices and any risk-based decisions that have been made as these may need to be considered should the DUA Bill (as currently drafted) come into force.
More tips and practical guidance will be discussed in our webinar on 12 June 2025 at 12:30pm.
If you would like to know more about the DUA Bill and how your organisation should be preparing for it to become law, please join us by signing up here.
More tips and practical guidance will be discussed in our webinar on 12 June 2025 at 12:30pm.”
