DUA: New Rules

16/06/25

Great – I’m a big fan.  Although I’ve got a sneaking suspicion this isn’t going to be a chat about our favourite Dua Lipa tunes.

Correct.  But now you’re here let me tell you about the other DUA you need to know about.

The Data (Use and Access) Bill (“DUA”) was introduced by the UK government in October 2024 as the pared-down successor of the previous government’s (now defunct) Data Protection and Digital Information Bill (“DPDI”), which itself was introduced in July 2022.  Since the bulk of its provisions had already been discussed in relation to the DPDI Bill, the DUA Bill was expected to have an easy journey through Parliament to the statute book.

However, shortly after introducing the DUA Bill the government published its Copyright and AI Consultation Paper as part of its consultation on copyright and AI, and you will almost certainly have read about the opposition by numerous well-known musicians, authors and other artists (including Elton John and Dua Lipa) against one of the policy options in the Consultation Paper, the so-called opt-out mechanism which would entitle AI developers to access and use copyright material for training purposes unless the copyright owner has expressly opted out.  And, although the DUA Bill as introduced by the government does not deal with the copyright and AI issue, the House of Lords decided to use it as a proxy to propose a number of legislative changes providing protection for the UK creative sector against AI developers.  The government rejected all amendments proposed by the Lords, and after more than a month of ‘ping-ponging’ between the House of Commons and the House of Lords, the Lords eventually gave way and the DUA Bill was passed on 11th June 2025. The bill is expected to receive Royal Assent in the next few days.

So we’ve just got our heads around the UK GDPR and we’ve now got a new data protection law running to 147 clauses and 16 schedules?  Really?

It’s not quite as bad as it looks.  First, although the DUA Bill is a chunky piece of legislation, less than half of it deals with data protection and privacy. Plus I agree with commentators who have described DUA as an evolution not a revolution of data protection law; as we’ll see there are a couple of interesting changes but for the most part the impact of DUA on SMEs is likely to be minimal.

By way of a summary of the data protection and privacy-related changes:

• There is clarification what constitutes ‘scientific research’ and confirmation that individuals can give their consent for their personal data to be used for more than one type of research, including types of research that can as yet not be identified.
• The DUA Bill introduces a new concept of ‘recognised legitimate interests’ which dispenses with the need to carry out a legitimate interest assessment where the processing is carried out for one of the following ‘recognised interests’:
  • responding to emergencies
  • democratic engagement where there is a public interest in the dissemination of political opinions
  • detecting, investigating or preventing crime
  • safeguarding vulnerable individuals
• In relation to legitimate interest assessments (LIAs) the DUA bill provides that certain types of processing purposes “may be processing that is necessary for the purposes of a legitimate interest”, i.e. they’re not automatically necessary but they’re likely to pass an LIA. The processing purposes are:
  • direct marketing
  • intra-group transfers for internal administration
  • ensuring the security of networks and IT systems
• The DUA Bill includes a list of purposes which are treated as being compatible with the original purpose for which personal data was collected, i.e. the controller does not a need a new lawful basis under the purpose limitation principle. The list of compatible purposes includes:
  • performance of a task carried out in the public interest
  • archiving in the public interest
  • protecting public security
  • responding to an emergency
  • detecting, investigating or preventing crime
  • complying with a legal obligation
• The Secretary of State has the power to make changes to the types of data which constitute special category data. However, the Secretary of State cannot remove any of the types of ‘core’ special category data listed in Art 9(1) of the GDPR.
• The DUA Bill confirms that when making a data subject request (DSR) data subjects are only entitled to information resulting from a “reasonable and proportionate” search by the business, and provides clarification on how time periods for replying to a DSR are calculated.
• In relation to assessments whether a third country is adequate for data transfer purposes, the Secretary of State will now assess whether the standard of protection provided to individuals in the recipient country is “materially lower” than the standard of protection under UK law, replacing the existing requirement that the standard of protection must be “substantially equivalent”.
• The rules relating to automated decision-making are made less strict where decisions are not made on the basis of special category data.
• The DUA Bill amends the Privacy and Electronics Communications (EC Directive) Regulations 2003 (PECR) by removing the requirement for providers of most online services to obtain a user’s consent for placing of cookies and other tracking technologies which collect data for improving the functionality and performance of their website

Quite a list but I take your point about evolution rather than revolution. That said, the last two sound interesting.  What’s happening with automated decision-making?

The current rules on automated decision-making (ADM) are set out in UK GDPR, Art 22.  In short they provide that an automated decision which produces legal effects on an individual (or similarly affects the individual) is only lawful if the decision:

• is necessary for entering into or performing a contract, or
• is required or authorised by law, or
• is based on the individual’s explicit consent.

Furthermore the data controller must implement “suitable measures” to safeguard the individual’s rights and freedoms, including the right for the individual to make representations about the decision, to obtain human intervention in relation to the decision, and to contest the decision.

The DUA Bill introduces additional flexibility by having different requirements depending on:

• whether or not the decision results from processing any special category data and
• whether or not the decision is a ‘significant decision’, defined in the DUA Bill as a decision which “produces a legal effect for the data subject” or has a “similarly significant effect”.

If a decision results from processing special category data then broadly speaking the existing ADM restrictions will continue to apply, i.e. the ADM is only lawful if the decision is necessary for entering into or performing a contract, or is required or authorised by law, or is based on the individual’s explicit consent.

However if the decision does not result from processing any special category data then the current restrictions will no longer apply. And as a result ADM could, for example, take place on the basis of legitimate interests, i.e. without obtaining any consents.

Separately, if automated processing (whether or not involving special category data) produces a significant decision, the controller must ensure safeguards are in place which ensure that the individual is provided with information about the decision and also enable the individual to:

• make representations about the decision
• obtain human intervention on the part of the controller in relation to the decision and
• contest the decision.

It follows that if the automated processing does not produce a significant decision the controller is not required to put in place the safeguards, even if the decision resulted from the processing of special category data.

Two final points on the new ADM rules:

1. The DUA Bill provides that a decision is based solely on automated processing if there is no “meaningful human involvement”. Whether there is any meaningful human involvement will depend on, among other things, “the extent to which the decision is reached by means of profiling”.  If the controller concludes that there is meaningful human involvement in the decision-making then the ADM rules do not apply.

2. The Secretary of State has the right to issue regulations:

• to confirm specific decisions which do or do not involve meaningful human involvement
• to provide a description of decision which do (or do not) constitute significant decisions
• to impose requirements regarding safeguards for individuals who the subject of significant decisions.

The big change here is clearly not having to obtain individuals’ consent when ADM doesn’t involve special category data. Remind me what special category data is?

The types of personal data which constitute special category data are listed in UK GDPR, Art 9(1):

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

A couple of things to note: information regarding someone’s income, assets or their financial circumstances is not special category data; and as already mentioned the Secretary of State is entitled to add new categories to Art 9(1).

And finally what about the changes to cookies? Am I going to be able to get rid of my cookie banner?

The current rules are set out in The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).  In short they require a website provider to obtain user consent for all cookies except those which are “strictly necessary”.

The DUA Bill creates additional exceptions for cookies and other tracking technologies that are placed solely for the purposes of:

• Determining how the website, or a service provided by the website, is used with a view to making improvements to the website or service. or
• Enabling the appearance or functionality of the website to adapt to the user’s preferences. or
• Enabling an enhancement of the appearance or functionality of the website when displayed on the user’s device

However website providers must still provide visitors with “clear and comprehensive” information about the purpose of the cookie, as well as a “simple means” of objecting to the cookie. In practice this may mean that cookie banners are here to stay but at least website providers can now pre-tick the consent box for functional/performance cookies.

Tags: #pecr, data protection, gdpr, ICO, privacy, third country, UK gdpr
Posted in Privacy, Updates | No Comments »