#pecr Archives - Marcus Andreen

DUA: New Rules

16/06/25

Great – I’m a big fan. Although I’ve got a sneaking suspicion this isn’t going to be a chat about our favourite Dua Lipa tunes.

Correct. But now you’re here let me tell you about the other DUA you need to know about.

The Data (Use and Access) Bill (“DUA”) was introduced by the UK government in October 2024 as the pared-down successor of the previous government’s (now defunct) Data Protection and Digital Information Bill (“DPDI”), which itself was introduced in July 2022. Since the bulk of its provisions had already been discussed in relation to the DPDI Bill, the DUA Bill was expected to have an easy journey through Parliament to the statute book.

However, shortly after introducing the DUA Bill the government published its Copyright and AI Consultation Paper as part of its consultation on copyright and AI, and you will almost certainly have read about the opposition by numerous well-known musicians, authors and other artists (including Elton John and Dua Lipa) against one of the policy options in the Consultation Paper, the so-called opt-out mechanism which would entitle AI developers to access and use copyright material for training purposes unless the copyright owner has expressly opted out. And, although the DUA Bill as introduced by the government does not deal with the copyright and AI issue, the House of Lords decided to use it as a proxy to propose a number of legislative changes providing protection for the UK creative sector against AI developers. The government rejected all amendments proposed by the Lords, and after more than a month of ‘ping-ponging’ between the House of Commons and the House of Lords, the Lords eventually gave way and the DUA Bill was passed on 11th June 2025. The bill is expected to receive Royal Assent in the next few days.

So we’ve just got our heads around the UK GDPR and we’ve now got a new data protection law running to 147 clauses and 16 schedules? Really?

It’s not quite as bad as it looks. First, although the DUA Bill is a chunky piece of legislation, less than half of it deals with data protection and privacy. Plus I agree with commentators who have described DUA as an evolution not a revolution of data protection law; as we’ll see there are a couple of interesting changes but for the most part the impact of DUA on SMEs is likely to be minimal.

By way of a summary of the data protection and privacy-related changes:

There is clarification what constitutes ‘scientific research’ and confirmation that individuals can give their consent for their personal data to be used for more than one type of research, including types of research that can as yet not be identified.
The DUA Bill introduces a new concept of ‘recognised legitimate interests’ which dispenses with the need to carry out a legitimate interest assessment where the processing is carried out for one of the following ‘recognised interests’:
- responding to emergencies
- democratic engagement where there is a public interest in the dissemination of political opinions
- detecting, investigating or preventing crime
- safeguarding vulnerable individuals
In relation to legitimate interest assessments (LIAs) the DUA bill provides that certain types of processing purposes “may be processing that is necessary for the purposes of a legitimate interest”, i.e. they’re not automatically necessary but they’re likely to pass an LIA. The processing purposes are:
- direct marketing
- intra-group transfers for internal administration
- ensuring the security of networks and IT systems
The DUA Bill includes a list of purposes which are treated as being compatible with the original purpose for which personal data was collected, i.e. the controller does not a need a new lawful basis under the purpose limitation principle. The list of compatible purposes includes:
- performance of a task carried out in the public interest
- archiving in the public interest
- protecting public security
- responding to an emergency
- detecting, investigating or preventing crime
- complying with a legal obligation
The Secretary of State has the power to make changes to the types of data which constitute special category data. However, the Secretary of State cannot remove any of the types of ‘core’ special category data listed in Art 9(1) of the GDPR.
The DUA Bill confirms that when making a data subject request (DSR) data subjects are only entitled to information resulting from a “reasonable and proportionate” search by the business, and provides clarification on how time periods for replying to a DSR are calculated.
In relation to assessments whether a third country is adequate for data transfer purposes, the Secretary of State will now assess whether the standard of protection provided to individuals in the recipient country is “materially lower” than the standard of protection under UK law, replacing the existing requirement that the standard of protection must be “substantially equivalent”.
The rules relating to automated decision-making are made less strict where decisions are not made on the basis of special category data.
The DUA Bill amends the Privacy and Electronics Communications (EC Directive) Regulations 2003 (PECR) by removing the requirement for providers of most online services to obtain a user’s consent for placing of cookies and other tracking technologies which collect data for improving the functionality and performance of their website

Quite a list but I take your point about evolution rather than revolution. That said, the last two sound interesting. What’s happening with automated decision-making?

The current rules on automated decision-making (ADM) are set out in UK GDPR, Art 22. In short they provide that an automated decision which produces legal effects on an individual (or similarly affects the individual) is only lawful if the decision:

is necessary for entering into or performing a contract, or
is required or authorised by law, or
is based on the individual’s explicit consent.

Furthermore the data controller must implement “suitable measures” to safeguard the individual’s rights and freedoms, including the right for the individual to make representations about the decision, to obtain human intervention in relation to the decision, and to contest the decision.

The DUA Bill introduces additional flexibility by having different requirements depending on:

whether or not the decision results from processing any special category data and
whether or not the decision is a ‘significant decision’, defined in the DUA Bill as a decision which “produces a legal effect for the data subject” or has a “similarly significant effect”.

If a decision results from processing special category data then broadly speaking the existing ADM restrictions will continue to apply, i.e. the ADM is only lawful if the decision is necessary for entering into or performing a contract, or is required or authorised by law, or is based on the individual’s explicit consent.

However if the decision does not result from processing any special category data then the current restrictions will no longer apply. And as a result ADM could, for example, take place on the basis of legitimate interests, i.e. without obtaining any consents.

Separately, if automated processing (whether or not involving special category data) produces a significant decision, the controller must ensure safeguards are in place which ensure that the individual is provided with information about the decision and also enable the individual to:

make representations about the decision
obtain human intervention on the part of the controller in relation to the decision and
contest the decision.

It follows that if the automated processing does not produce a significant decision the controller is not required to put in place the safeguards, even if the decision resulted from the processing of special category data.

Two final points on the new ADM rules:

1. The DUA Bill provides that a decision is based solely on automated processing if there is no “meaningful human involvement”. Whether there is any meaningful human involvement will depend on, among other things, “the extent to which the decision is reached by means of profiling”. If the controller concludes that there is meaningful human involvement in the decision-making then the ADM rules do not apply.

2. The Secretary of State has the right to issue regulations:

to confirm specific decisions which do or do not involve meaningful human involvement
to provide a description of decision which do (or do not) constitute significant decisions
to impose requirements regarding safeguards for individuals who the subject of significant decisions.

The big change here is clearly not having to obtain individuals’ consent when ADM doesn’t involve special category data. Remind me what special category data is?

The types of personal data which constitute special category data are listed in UK GDPR, Art 9(1):

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

A couple of things to note: information regarding someone’s income, assets or their financial circumstances is not special category data; and as already mentioned the Secretary of State is entitled to add new categories to Art 9(1).

And finally what about the changes to cookies? Am I going to be able to get rid of my cookie banner?

The current rules are set out in The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). In short they require a website provider to obtain user consent for all cookies except those which are “strictly necessary”.

The DUA Bill creates additional exceptions for cookies and other tracking technologies that are placed solely for the purposes of:

Determining how the website, or a service provided by the website, is used with a view to making improvements to the website or service. or
Enabling the appearance or functionality of the website to adapt to the user’s preferences. or
Enabling an enhancement of the appearance or functionality of the website when displayed on the user’s device

However website providers must still provide visitors with “clear and comprehensive” information about the purpose of the cookie, as well as a “simple means” of objecting to the cookie. In practice this may mean that cookie banners are here to stay but at least website providers can now pre-tick the consent box for functional/performance cookies.

Tags: #pecr, data protection, gdpr, ICO, privacy, third country, UK gdpr
Posted in Privacy, Updates | No Comments »

Direct marketing to business contacts

29/11/22 – The Information Commissioner’s Office (ICO) recently published new guidance on email marketing and phone marketing. The guidance is supplementary to the ICO’s Guide to the Privacy and Electronic Communications Regulations (PECR) and (124-page) draft Direct Marketing Code of Practice.

Direct marketing is a fiddly area, with different rules depending on whether you’re using email/text, phone, post or (perhaps less likely) fax, and also whether you’re marketing to companies, sole traders/partnerships, or individuals. This post takes a look at the rules for direct marketing by UK businesses of their own products and services, either by email or text/voice messaging services (such as WhatsApp or LinkedIn), or by phone. It is not exhaustive, and there are additional rules if for example you are selling pensions or claims management services, marketing to children etc.

What’s the relevant law?

The law applicable to direct marketing is set out in the Privacy and Electronic Communications Regulations 2003 (PECR) and to a lesser extent the UK GDPR and Data Protection Act 2018. The ICO provides extensive, plain English overviews of all areas of marketing law.

Direct marketing by email/messaging services

If you’re looking to market to a contact by email or using a text or voice messaging service then you either need to obtain the contact’s consent or you need to check if you can use the so-called ‘soft opt-in’ exemption.

Consent. For consent to be valid it needs to be freely given, specific, informed and unambiguous. In practice this means no pre-ticked checkboxes, and making sure the consent covers the type of communication you’re using – obtaining consent for marketing by email does not entitle you to send them a WhatsApp. The consent also needs to be separate from other consents, so you can’t include marketing consent in the tickbox wording used for accepting your terms of service.

Soft opt-in exemption. To use the soft opt-in exemption, you need to meet all of the following criteria:

You must have obtained the contact details yourself. You cannot for example use an email address obtained by someone in your marketing department.
The contact details must have been obtained as part of a sale or negotiation, i.e. the contact must either be an actual customer or a prospect who has previously expressed an interest in your products or services.
The marketing content must relate to products or services which are similar to the ones that your contact has previously purchased or been interested in.
The contact must have had an opportunity to opt-out of receiving marketing messages when you obtained their details, and they must continue to have that option, e.g by including a ‘click to unsubscribe’ link in the message.

A few things to bear in mind:

The direct marketing rules apply to individuals, which for these purposes include sole traders and partnerships. There are no restrictions on sending marketing messages to companies, LLPs, or other corporate entities such as local authorities.
Messages sent for customer service purposes (e.g. asking a contact to confirm their details, or providing product support) or for genuine market research purposes do not fall within the direct marketing rules. But the ICO have made it clear that if a customer service or market research message also contains a promotional element, then the whole message amounts to direct marketing. Halford’s discovered this to their cost when they emailed 498,062 customers with information about the Government’s Fix Your Bike voucher scheme, also suggesting that customers could use their vouchers at their local Halfords store – the ICO rejected Halford’s ‘service message’ argument and fined them £30,000.
The PECR direct marketing rules are separate from, and in addition to, the UK GDPR and Data Protection Act 2018. As well as the normal rules regarding the collection, storage and other processing of your contact’s personal data, you have to identify a lawful basis for using the contact’s information for marketing purposes.
When sending a message for direct marketing purposes, you must display identification information, provide clear information about the marketing, and provide a method to opt out.

Direct marketing by phone

In short, you do not consent for making direct marketing phone calls, whether to individuals or to businesses, unless either of the following applies:

The phone number is listed on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS).
Your contact or the business has previously objected to receiving marketing calls.

If the phone number is listed on TSP or CTPS you can still get consent to receive marketing calls. The ICO have suggested that any consent for overriding a TSP/CTPS listing should aim to meet the GDPR-style, opt-in standard that applies to direct marketing by email.

When making a direct marketing phone call, you must display your phone number (or a valid alternative number), say who is calling (and provide contact details if asked), provide clear information about the marketing, and make it easy for the recipient to object or opt out.

Tags: #marketing, #pecr, #softoptin, ICO
Posted in Commercial, Privacy, Updates | No Comments »

Posts Tagged ‘#pecr’

Direct marketing to business contacts

Search

Recent posts

Get in touch