June 17, 2025
The Data (Use and Access) Bill (the Bill) has finally navigated the legislative process and is set to become law following Royal Assent. The Bill covers a range of topics, but this post focuses on the Bill’s impact on the UK’s data protection and e-privacy framework. Here are our top 5 takeaways:
1. It is (mostly) business friendly
For example:
- The Bill introduces a new legal basis for processing personal data, known as “recognised legitimate interests,” which allows processing for specific purposes without the need for a legitimate interest assessment. These purposes include detecting, investigating or preventing crime and safeguarding vulnerable individuals. For businesses in the video game industry, these provisions may be useful in the context of processing related to online safety of children and, for businesses in the gambling sector, these provisions may be useful for processing related to safeguarding problem gamblers and at-risk individuals.
- The (soon to be restructured) UK data protection regulator will be required to “have regard” to promoting innovation when carrying out its functions.
- DSARs can be a thorn in the side for many businesses: the Bill clarifies that data subjects are only entitled to information resulting from a “reasonable and proportionate” search.
Conversely, the Bill will introduce a new right for individuals to make a complaint to a controller if they consider that the controller is infringing the UK GDPR or the Data Protection Act 2018 (DPA 2018). A controller must facilitate the making of complaints and respond to a complaint “without undue delay.”
2. Not a huge shift from the status quo
This Bill has been drafted against the backdrop of a looming review by the European Commission (EC) of the UK’s adequacy status – which allows for seamless transfers of personal data from the EU to the UK. To maintain its status as an “adequate country” the UK’s data protection framework must be deemed to offer essentially equivalent protection to the EU GDPR. As a result, there are no seismic divergences from the current regime – although the provisions around automated decision making and those concerning the UK’s greater flexibility to make adequacy designations of its own will likely be held under the EC’s microscope.
3. Increased liability for breach of Privacy and Electronic Communications Regulations (PECR)
PECR contains rules on direct marketing and cookie transparency and consent. If practices are not up to scratch, businesses will be exposed to a significantly higher liability – maximum fines will rise from the current £500,000 to match those under the UK GDPR: up to £17.5 million or 4% of global turnover.
4. Easing of consent requirement for some cookies
Cookies (and similar technologies) used to collect information for statistical purposes to improve a website or service, or those used in connection with website appearance, will no longer require consent. However, there will be no end to consent management platforms, since an opt-out must be offered and cookies used for advertising will still require opt-in consent. The Bill also provides examples of what falls under the ‘strictly necessary’ exception to cookie consent, clarifying that cookies used for security, to prevent fraud or technical faults, to authenticate users and to maintain user selections are captured.
5. Automated decision making (ADM) rules are relaxed
The Bill will relax restrictions on ADM that produces legal or similarly significant effects on individuals (which will be known as “significant decisions”), except when processing special category data. However, safeguards must still be in place for all ADM that determines significant decisions based on personal data, such as transparency and the ability for individuals to contest decisions and obtain human intervention. This opens the door to rely on legitimate interests as a lawful basis for ADM used for significant decisions not involving special category data.
If you’d like to explore the data protection and e-privacy implications of the Bill for your business, our data protection team would love to help – get in touch here.