DUA (Data Use & Access) Bill Expectations and its Importance in UK

The UK Data Use & Access (DUA) Bill was introduced in the UK House on 24th November 2024 to streamline the UK’s approach to governing and managing data regulation. It makes various amendments to the existing UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, modernising the existing regime while keeping it aligned with the EU GDPR and emerging technology trends. The DUA Bill is intended to ease the regulatory burden on small and medium enterprises, simplify legitimate interests, data transfers, cookie management and data subject access requests (DSARs), and align with EU data initiatives. The decision on the Bill’s amendments is expected in 2025, and it would be a critical evolution in the UK’s data protection regime.

The King’s Speech in November 2024 announced a comprehensive agenda for strengthening and enhancing the data protection of individuals, leading up to the DUA Bill. The proposed law takes a distinctive approach to data practices by streamlining the data sharing model and strengthening data rights. It is drafted with the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR) in mind, so as to meet the adequacy requirements of these regulations and strengthen data protection.

The DUA Bill is envisioned to harness the capacity of data for UK economic growth, to protect people’s personal data and to ensure adequacy with the EU GDPR. Some of the key areas that the DUA Bill looks closely into are –

Legitimate Interests – The DUA Bill provides that no balancing test would be required for certain processing, including direct marketing and security processing; such processing is most likely to rely on legitimate interests as its lawful basis. The Bill gives organisations more confidence about when they can rely on the legitimate interests lawful basis, and broadens the scope of legitimate interests for data processing for the purposes of direct marketing, internal data sharing and cybersecurity. The Bill also focusses on restricting potential overreach.

Automated Decision Making – Narrows the scope of the restrictions so that only automated decisions made using special category data are explicitly prohibited. The Bill provides for the right to be given information about automated decisions and to request human intervention in the decision making, to ensure adequacy of rights.

Cookies Management – Primarily focusses on reducing the frequency of cookie pop-ups for UK users by removing the cookie consent requirement for specified purposes and exceptions. The exceptions are subject to various terms and conditions, including around transparency, the right to object, and the use of the collected data for purposes beyond the scope of the specified purpose or exception.


PECR (Privacy and Electronic Communications Regulations) Fines – Maximum fines would be brought in line with the current UK GDPR thresholds. Monetary penalties for certain breaches of PECR are currently capped at £500,000; under the DUA Bill they would be brought in line with penalties under the UK GDPR and the DPA, up to a maximum of £17.5m or 4% of global annual turnover, whichever is greater.

DSAR (Data Subject Access Request) – Data controllers must respond to DSARs promptly and conduct ‘reasonable and proportionate’ searches to meet the regulatory requirements. Data subjects are only entitled to receive personal data found in such a search by the data controller. Existing ICO (Information Commissioner’s Office) guidance on response time frames for DSARs is incorporated into the DUA Bill.

International Data Transfers – The DUA Bill is designed to clarify the UK’s approach to the international transfer of personal data and to the conduct of adequacy assessments. It introduces a “data protection test” for assessing adequacy, with adequacy decisions made by the Secretary of State. In this way the DUA Bill amends the UK GDPR by empowering the Secretary of State to approve data transfers on the basis of the new test, strengthening the UK’s data security posture.


The DUA Bill’s amended provisions primarily aim to ensure that organisations have appropriate adequacy practices in place when transferring personal data from the EU to the UK or vice versa. Organisations should be aware that compliance costs may be greater, owing to the significant restrictions imposed on the international transfer of personal data under EU data protection law.

To date there have been two readings of the DUA Bill in the House of Lords, and the key considerations in amending it have been discussed in detail at committee stage. The discussion of the Bill’s contents during the Lords committee stage shows the careful balancing act the government has to perform with the EU-UK arrangements in place. Organisations are expected to review their compliance programmes in preparation for the DUA Bill, so as to meet its regulatory requirements and expectations and strengthen their current data protection posture. Multi-jurisdictional organisations operating across both the UK and the EU are, however, likely to continue aligning their practices with EU GDPR expectations. Organisations should also keep in mind that the DUA Bill is at an early stage of the legislative process and could be amended as it passes through the House of Lords and the House of Commons before being enacted into UK law. Existing compliance practices and legal and regulatory programmes should therefore be evaluated against the emerging DUA Bill, which is expected to amend the UK GDPR and the Data Protection Act in 2025.

The DUA Bill is still in its initial stages, meaning everything is subject to change as it passes through Parliament following the last discussion in December 2024. The DUA Bill marks a critical evolution in the UK’s data protection regime, aiming for a solid balance between regulatory compliance, data security and privacy. The EU Financial Data Access regulation and the UK Data Use and Access (DUA) Bill are both expected to become law in 2025, strengthening data security and ensuring adequacy with the EU GDPR standard requirements.

About the Author :

Ms. Kavitha Srinivasulu
Cyber Risk Advisory and Consulting Partner : BFSI
CCISO | DPO | CISM | CEH | CCSO | CCIO| PCSM | PDPP

Tata Consultancy Services


Ms. Kavitha Srinivasulu is an experienced Cybersecurity and Data Privacy Leader with 21 years of overall experience focused on Risk Advisory, Data Protection and Business Resilience.

Ms. Kavitha Srinivasulu has demonstrated expertise in identifying and mitigating risks across ISO, NIST, SOC, CRS, GRC, RegTech and emerging technologies, with diverse experience across corporate and strategic partners.

Ms. Kavitha Srinivasulu possesses a solid balance of domain knowledge and smart business acumen, ensuring that business requirements and organizational goals are met.

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India.


Ms. Kavitha Srinivasulu is an Executive Committee Member of the CyberEdBoard Community.

Ms. Kavitha Srinivasulu holds the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn : https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/
