data protection Archives - Marcus Andreen

Posts Tagged ‘data protection’

DUA: New Rules

16/06/25

Great – I’m a big fan. Although I’ve got a sneaking suspicion this isn’t going to be a chat about our favourite Dua Lipa tunes.

Correct. But now you’re here let me tell you about the other DUA you need to know about.

The Data (Use and Access) Bill (“DUA”) was introduced by the UK government in October 2024 as the pared-down successor of the previous government’s (now defunct) Data Protection and Digital Information Bill (“DPDI”), which itself was introduced in July 2022. Since the bulk of its provisions had already been discussed in relation to the DPDI Bill, the DUA Bill was expected to have an easy journey through Parliament to the statute book.

However, shortly after introducing the DUA Bill the government published its Copyright and AI Consultation Paper as part of its consultation on copyright and AI, and you will almost certainly have read about the opposition by numerous well-known musicians, authors and other artists (including Elton John and Dua Lipa) against one of the policy options in the Consultation Paper, the so-called opt-out mechanism which would entitle AI developers to access and use copyright material for training purposes unless the copyright owner has expressly opted out. And, although the DUA Bill as introduced by the government does not deal with the copyright and AI issue, the House of Lords decided to use it as a proxy to propose a number of legislative changes providing protection for the UK creative sector against AI developers. The government rejected all amendments proposed by the Lords, and after more than a month of ‘ping-ponging’ between the House of Commons and the House of Lords, the Lords eventually gave way and the DUA Bill was passed on 11th June 2025. The bill is expected to receive Royal Assent in the next few days.

So we’ve just got our heads around the UK GDPR and we’ve now got a new data protection law running to 147 clauses and 16 schedules? Really?

It’s not quite as bad as it looks. First, although the DUA Bill is a chunky piece of legislation, less than half of it deals with data protection and privacy. Plus I agree with commentators who have described DUA as an evolution not a revolution of data protection law; as we’ll see there are a couple of interesting changes but for the most part the impact of DUA on SMEs is likely to be minimal.

By way of a summary of the data protection and privacy-related changes:

There is clarification what constitutes ‘scientific research’ and confirmation that individuals can give their consent for their personal data to be used for more than one type of research, including types of research that can as yet not be identified.
The DUA Bill introduces a new concept of ‘recognised legitimate interests’ which dispenses with the need to carry out a legitimate interest assessment where the processing is carried out for one of the following ‘recognised interests’:
- responding to emergencies
- democratic engagement where there is a public interest in the dissemination of political opinions
- detecting, investigating or preventing crime
- safeguarding vulnerable individuals
In relation to legitimate interest assessments (LIAs) the DUA bill provides that certain types of processing purposes “may be processing that is necessary for the purposes of a legitimate interest”, i.e. they’re not automatically necessary but they’re likely to pass an LIA. The processing purposes are:
- direct marketing
- intra-group transfers for internal administration
- ensuring the security of networks and IT systems
The DUA Bill includes a list of purposes which are treated as being compatible with the original purpose for which personal data was collected, i.e. the controller does not a need a new lawful basis under the purpose limitation principle. The list of compatible purposes includes:
- performance of a task carried out in the public interest
- archiving in the public interest
- protecting public security
- responding to an emergency
- detecting, investigating or preventing crime
- complying with a legal obligation
The Secretary of State has the power to make changes to the types of data which constitute special category data. However, the Secretary of State cannot remove any of the types of ‘core’ special category data listed in Art 9(1) of the GDPR.
The DUA Bill confirms that when making a data subject request (DSR) data subjects are only entitled to information resulting from a “reasonable and proportionate” search by the business, and provides clarification on how time periods for replying to a DSR are calculated.
In relation to assessments whether a third country is adequate for data transfer purposes, the Secretary of State will now assess whether the standard of protection provided to individuals in the recipient country is “materially lower” than the standard of protection under UK law, replacing the existing requirement that the standard of protection must be “substantially equivalent”.
The rules relating to automated decision-making are made less strict where decisions are not made on the basis of special category data.
The DUA Bill amends the Privacy and Electronics Communications (EC Directive) Regulations 2003 (PECR) by removing the requirement for providers of most online services to obtain a user’s consent for placing of cookies and other tracking technologies which collect data for improving the functionality and performance of their website

Quite a list but I take your point about evolution rather than revolution. That said, the last two sound interesting. What’s happening with automated decision-making?

The current rules on automated decision-making (ADM) are set out in UK GDPR, Art 22. In short they provide that an automated decision which produces legal effects on an individual (or similarly affects the individual) is only lawful if the decision:

is necessary for entering into or performing a contract, or
is required or authorised by law, or
is based on the individual’s explicit consent.

Furthermore the data controller must implement “suitable measures” to safeguard the individual’s rights and freedoms, including the right for the individual to make representations about the decision, to obtain human intervention in relation to the decision, and to contest the decision.

The DUA Bill introduces additional flexibility by having different requirements depending on:

whether or not the decision results from processing any special category data and
whether or not the decision is a ‘significant decision’, defined in the DUA Bill as a decision which “produces a legal effect for the data subject” or has a “similarly significant effect”.

If a decision results from processing special category data then broadly speaking the existing ADM restrictions will continue to apply, i.e. the ADM is only lawful if the decision is necessary for entering into or performing a contract, or is required or authorised by law, or is based on the individual’s explicit consent.

However if the decision does not result from processing any special category data then the current restrictions will no longer apply. And as a result ADM could, for example, take place on the basis of legitimate interests, i.e. without obtaining any consents.

Separately, if automated processing (whether or not involving special category data) produces a significant decision, the controller must ensure safeguards are in place which ensure that the individual is provided with information about the decision and also enable the individual to:

make representations about the decision
obtain human intervention on the part of the controller in relation to the decision and
contest the decision.

It follows that if the automated processing does not produce a significant decision the controller is not required to put in place the safeguards, even if the decision resulted from the processing of special category data.

Two final points on the new ADM rules:

1. The DUA Bill provides that a decision is based solely on automated processing if there is no “meaningful human involvement”. Whether there is any meaningful human involvement will depend on, among other things, “the extent to which the decision is reached by means of profiling”. If the controller concludes that there is meaningful human involvement in the decision-making then the ADM rules do not apply.

2. The Secretary of State has the right to issue regulations:

to confirm specific decisions which do or do not involve meaningful human involvement
to provide a description of decision which do (or do not) constitute significant decisions
to impose requirements regarding safeguards for individuals who the subject of significant decisions.

The big change here is clearly not having to obtain individuals’ consent when ADM doesn’t involve special category data. Remind me what special category data is?

The types of personal data which constitute special category data are listed in UK GDPR, Art 9(1):

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

A couple of things to note: information regarding someone’s income, assets or their financial circumstances is not special category data; and as already mentioned the Secretary of State is entitled to add new categories to Art 9(1).

And finally what about the changes to cookies? Am I going to be able to get rid of my cookie banner?

The current rules are set out in The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). In short they require a website provider to obtain user consent for all cookies except those which are “strictly necessary”.

The DUA Bill creates additional exceptions for cookies and other tracking technologies that are placed solely for the purposes of:

Determining how the website, or a service provided by the website, is used with a view to making improvements to the website or service. or
Enabling the appearance or functionality of the website to adapt to the user’s preferences. or
Enabling an enhancement of the appearance or functionality of the website when displayed on the user’s device

However website providers must still provide visitors with “clear and comprehensive” information about the purpose of the cookie, as well as a “simple means” of objecting to the cookie. In practice this may mean that cookie banners are here to stay but at least website providers can now pre-tick the consent box for functional/performance cookies.

Tags: #pecr, data protection, gdpr, ICO, privacy, third country, UK gdpr
Posted in Privacy, Updates | No Comments »

EU-UK data transfers – final update

05/07/21 (updated) – As part of the Trade and Cooperation Agreement the EU and the UK agreed a six-month ‘bridging period’, allowing transfers of personal data from the EEA to the UK to continue freely until 30^th June 2021, to give the European Commission enough time to adopt the adequacy decisions which are necessary to allow personal data to continue to flow from the EEA to the UK. (If you’re not sure what I’m talking about, then you catch up here and here.)

Anyway, good news. With a full two days to spare, the Commission formally adopted the adequacy decisions for the UK on 28th June – one for transfers of personal data under the GDPR and the other under the Law Enforcement Directive. As a result personal data continues to flow freely from EEA countries to the UK after the end bridging period.

Unlike the adequacy decisions adopted by the Commission for other third countries, the ones adopted for the UK have ‘sunset clauses’ which means that, unless renewed by the Commission, the decisions automatically expire in four years’ time. Furthermore, the Commission can intervene at any time during the four-year period if it considers that changes to UK law reduce the level of protection currently in place.

Tags: adequacy decision, data protection, gdpr, SCCs, sunset clause, third country, Trade and Cooperation Agreement
Posted in Privacy, Updates | No Comments »

What’s happening with SCCs? – Part 1

05/05/21 – If your organisation does not transfer personal data to ‘third countries’, i.e. countries outside the EEA that do not have a UK adequacy finding, then breathe a sigh of relief and feel free to go and do something else. If, however, your organisation does transfer personal data to a ‘third country’ (which for these purposes includes the U.S.), then this is likely to be relevant to your data processing arrangements.

During an IAPP/LinkedIn Live event last week, the European Commission’s Head of International Data Flows and Protection, Bruno Gencarelli, explained that the delay to the adoption of the EU’s new Standard Contractual Clauses (New EU SCCs) is principally due to the volume of feedback that the European Commission has received since the publication of the draft New EU SCCs last November. However, according to Mr Gencarelli, it is now ‘a question of weeks‘ until the New EU SCCs are adopted by the Commission.

Most privacy lawyers – including me – have been assuming that once the New EU SCCs are adopted by the Commission, then the UK’s ICO will adopt pretty much identical standard contractual clauses for UK data exporters. This assumption has been based in part on the ‘copy & paste’ approach that the UK has so far taken to incorporating the EU GDPR (and for that matter the existing EU SCCs) into UK law, and in part on the fact that the UK is currently looking to secure a ‘clean’ EU adequacy decision while fully aware of the importance that the EU attaches to maintaining ongoing alignment of the EU and UK data protection frameworks.

It therefore came as a bit of a surprise when the ICO’s Deputy Information Commissioner, Steve Wood, announced today that the ICO ‘is working on bespoke UK standard clauses for international transfers, and intend to go to consultation on them in the summer‘. No details yet, but the message is clear – if you’re expecting the UK’s new SCCs to be a ‘copy & paste’ of the EU’s New SCCs, then don’t. And in terms of timing, it looks like UK data exporters may have to wait for another few months before they have access to updated SCCs for their transfers.

Part 2 to follow as soon as we have some more detail.

Tags: adequacy decision, data protection, gdpr, SCCs, Standard Contractual Clauses
Posted in Privacy, Updates | No Comments »

How to draft a privacy policy

Article 13 of the UK GDPR states that at the time you collect personal data from individuals you must provide them with certain information. The usual way of providing this information is via a privacy notice (also called a ‘privacy policy’ or, in GDPR-speak, a ‘fair processing notice’), which is made available to the individual when their personal data is collected, often via a website link like this one. The privacy notice must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12(1)).

Where you are not collecting the personal data directly from the individual, Article 14 requires you to provide the individual with the same information as under Article 13 “within a reasonable period after obtaining the personal data, but at the latest within one month”.

Information audit

The first step is to carry out an information audit (also called a ‘data mapping exercise’) so that you understand:

What personal data your organisation collects, including from customers, suppliers, employees, visitors, job applicants etc.
How the personal data is collected.
Where the personal data is stored, and what technical and organisational measures are in place to ensure security.
What your organisation does with the personal data.
Whom the personal data is shared with, including data storage and SaaS providers.
Whether the personal data is transferred to locations outside the UK, and if so where.
Whether the personal data includes any ‘special category data’, and if so whether any additional safeguards have been put in place.
How long the personal data is kept.

Privacy notice

The next step is then to create the privacy notice by documenting the output of your information audit. The format and content of an organisation’s privacy notice will of course vary from organisation to organisation, but for many businesses the following list should be a useful start:

Name of and contact details for the organisation(s) collecting the personal data, i.e. the identity of the controller providing the privacy notice.
The types of personal data the controller collects, and how the personal data is collected.
Whether any of the personal data constitutes special category data.
What the controller intends to do with the personal data.
The lawful basis for processing the personal data.
Whom the controller shares the personal data with, and why.
Whether the controller transfers any personal data outside the UK, and if so details of the relevant transfer mechanism.
How long the controller keeps the personal data.
How the controller keeps the personal data secure.
If the individual is required by law or by contract to provide the personal data, consequences of not providing it.
Whether the controller uses automated decision-making, including profiling, and if so details of logic involved and consequences of processing for the individual.
What rights the individual has in relation to their personal data.

Final thoughts…

When drafting a privacy notice, it’s tempting to take a broad, catch-all approach – “we will or may use your information for some or all of the following purposes…”, followed by a long list covering pretty much everything you can think of. Although strictly speaking accurate, the broad brush approach is likely to struggle to satisfy the “concise, transparent, intelligible” requirement. Put yourself in the data subject’s shoes: having read the privacy notice, would you understand how your personal information will in fact be used, stored, shared, etc?
Because of the amount of information that you may need (or want) to include, consider adopting a ‘layered’ approach for the privacy notice. This is where you have a high-level, top-layer notice with the key privacy information, with links enabling the data subject to click through a second layer with a bit more detail, and then from the second layer there may be further links to a third layer with the full detail. This layered approach may be particularly useful for mobile or smart devices with small screens.
There is no requirement for all the privacy notice content to be provided to the data subject in one go, and it may make sense for you to provide the data subject with privacy information at the time that they are actually providing you with their personal data – so-called ‘just-in-time’ notices.
As your organisation evolves through the use of new technologies and/or you offer of new products and services, it’s likely that personal data will be collected and used in different ways. Put in place a process which ensures that your privacy notice is updated in line with these changes, and then for the updated notice to be communicated to your data subjects.

Tags: data protection, gdpr, information audit, layered privacy notice, privacy notice, privacy policy
Posted in Privacy, Updates | No Comments »

European Commission publishes new draft SCCs for consultation

19/11/20 – By way of background, transfers of EU citizens’ personal data to locations outside the European Economic Area (EEA) require a GDPR-permitted transfer mechanism. (more…)

Tags: data protection, modular SCCs, privacy, SCCs, Schrems II, Standard Contractual Clauses, transfer mechanism
Posted in Privacy, Updates | No Comments »

Demise of the EU-U.S. Privacy Shield

23/07/20 – If you, as a ‘data exporter’, want to transfer personal data to a country outside the EEA (and which is not one of the 12 countries that have been granted an adequacy decision by the European Commission), then you need to use one of the GDPR-approved ‘transfer mechanisms’. (more…)

Tags: data protection, essentially equivalent, FISA, gdpr, privacy shield, SCCs, tia, transfer impact assessment
Posted in Privacy, Updates | No Comments »

Posts Tagged ‘data protection’

European Commission publishes new draft SCCs for consultation

Search

Recent posts

Get in touch