The Data (Use and Access) Bill (DUA) is the new Bill positioned to update the UK’s data protection legislation. It replaces the Data Protection and Digital Information Bill (DPDI), which failed to make it through parliament before the Conservative government called the General Election.
The DUA builds on the DPDI, and unusually began its progress in the House of Lords before being passed back to the House of Commons, where it is currently at the Committee Stage.
While there have been some fairly dramatic reviews of the DUA within the privacy community in recent times, in reality it is much less controversial than DPDI ever was. DPDI introduced rules that would allow the Department for Work and Pensions to access the bank accounts of benefits claimants and significantly reduced the number of organisations that needed to appoint Data Protection Officers – these ideas do not feature in the DUA.
What the DUA does is move the balance slightly between commercial and privacy interests. It does this in three key ways:
- Marketing becomes a legitimate interest. While it has always been possible to send direct marketing on the basis of legitimate interests, in practice most marketers have considered this risky and so most direct marketing relies on Consent. Under GDPR, marketing is specified as a legitimate interest in a recital, but the DUA brings this into the main text, which should reassure marketers that they can consider options to expand their direct marketing activities. It also restores the ability for charities to fundraise on the basis of legitimate interests, which was withdrawn over a scandal in which excessive charity marketing was initially implicated in the death of an elderly lady.
- Research and development exemptions are relaxed. Under current UK data protection legislation, research exemptions are only really available for ‘big-S’ Science projects. DUA will relax this somewhat, with vaguer wording saying the exemptions can apply to research ‘that can reasonably be described as scientific’ regardless of how it is funded. This could mean that corporate research conducted by professional researchers with a decently scientific approach could be conducted under the exemption – useful for organisations like Talan that publish market research from time to time.
- Automated decision-making rules are relaxed. Current UK data protection legislation states that individuals have the right not to be subject to solely automated decisions with ‘legally or similarly significant’ consequences. The DUA relaxes this so that the rules only apply where special category data is being processed. This change is designed to make it easier to develop and deploy AI tools.
There are other changes too – the changes to the Information Commissioner’s Office are still going ahead, for example, but these are the ones with the most obviously commercial rationale. It is unsurprising that the Labour party, with its stated focus on growth, would be making these kinds of changes.
In my opinion, these changes are likely to be broadly positive for businesses if they are adopted, which is far from certain. As mentioned above, it is already possible to market on the basis of legitimate interest but there is much less of that activity than there could be for very sound reasons ranging from operational complexity to simply worrying that the marketing would be less expected and therefore less welcome.
Similarly, with AI, most responsible organisations will want to be sure that their tools are working as intended and that necessitates a level of human oversight and – at this early stage in the adoption journey – consumer understanding and acceptance.
At present it looks like the Bill will pass into law in early Summer, so we would recommend organisations look now at whether they want to make any changes to take advantage of the relaxed rules coming their way.