The UK’s Data (Use and Access) Act (‘DUAA’) recently received Royal Assent and is now law. The DUAA brings a number of important changes to data protection and privacy rules in the UK.

The core laws covering data protection and privacy remain: the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). The DUAA will make amendments to the existing law, almost all of which will take effect only once secondary legislation (such as a regulation) is in place. In this Keynote, technology partners Robert Peake and James Tumbridge highlight some of the most important changes that the DUAA will bring in, and what organisations should be thinking about now in order to prepare.

Subject access requests (SARs): There was not, contrary to many comments, a real change. The only update that came into effect immediately under the DUAA was a codification of what the law already provided, namely, an explicit recognition that data controllers need to undertake ‘reasonable and proportionate’ searches to identify personal data in response to a SAR. This is merely a recital of the established common law position applied by the courts. Now that the position is stated in the statute, all should understand immediately that a controller is not required to carry out exhaustive and disproportionate searches.

Expanded list of legitimate interests: The lawful bases for processing personal data will be expanded to include a list of ‘recognised legitimate interests’. These include processing that is necessary for: crime prevention; safeguarding vulnerable people; responding to emergencies; safeguarding national security; or assisting other bodies delivering public interest tasks that are sanctioned by law. Those processing purposes will not require a legitimate interests assessment balancing the interests of the controller against those of the data subject.

Cookies: The rules on cookies and similar technologies are contained in the PECR; their deployment other than where ‘strictly necessary’ has required the consent of the user of websites and apps. Many website operators had chosen to deploy analytics cookies without seeking user consent, having assessed the risk of regulatory action as being acceptably low. The risk of non-compliance with the PECR is now much increased (see below), but the use of some analytics cookies will now be allowed without user consent. For those who operate internationally, consent is still required for the use of cookies in the EU, so care will be needed if adopting different approaches depending on the location of website or app users.

Direct marketing fines increased: Electronic direct marketing is subject to the PECR, and the ICO’s ability to issue fines for sending such communications without consent has been capped at £500,000. The DUAA will align the ICO’s enforcement powers for direct marketing contraventions – and for breaches of the rules on cookies – with those under the UK GDPR, meaning that organisations sending direct marketing emails now face potential fines of up to the greater of £17M or 4% of global annual turnover.

Charities and direct marketing flexibility: Cold contacting has long been an issue for the non-profit sector, which is treated differently from the for-profit sector. Under the PECR there are preclusions on cold contacting. However, for-profit businesses have been able to do so for marketing purposes under what is unhelpfully and colloquially called the ‘soft opt-in’ consent for marketing emails. This allows the sending of marketing emails to those who have previously engaged with the business, either as a purchaser or as someone who enquired about goods or services, provided that the recipient was given the opportunity to opt out of receiving those messages. The Bill that fell last year was going to level the playing field and let all non-profits enjoy the same right of cold contact. The Government did not keep that in the new Act, but there was some help for charities. Regrettably, the wording of the relevant section does not do what everyone thinks. Most suggest charities will be able to rely on that form of consent going forward, but that is not what the section actually says; the change is more limited. It does not help that the ICO has suggested that the ‘soft opt-in’ is now available to charities, but the reality is more nuanced and charities need to take advice before relying on it.

The new section only permits a charity to send electronic mail for the purposes of direct marketing where the sole purpose of the direct marketing is to further one or more of the charity’s charitable purposes. For example, if you want to communicate about fundraising, unless that is a charitable purpose, which is unlikely, then that is not within the exemption.

Automated decision making: Article 22 of the UK GDPR prohibits the use of solely automated decision making for significant decisions about a data subject. The DUAA relaxes the restriction to those decisions where special category data is used (though existing exemptions also remain). Where solely automated decision making is permitted, the controller will be required to have in place certain safeguards, including: providing the data subject with information about the decision; enabling the data subject to make representations about the decision and to obtain human intervention in it; and enabling the data subject to contest the decision.

Legal privilege concern for law enforcement processing: The DUAA added a new exemption for law enforcement bodies to the DPA 2018 when responding to a SAR. The exemption is understood to have been introduced in response to law enforcement concerns that, when applying other exemptions on an ad hoc basis, refusing to disclose personal data in response to a SAR could inadvertently waive legal professional privilege. The added exemption itself mirrors the existing exemptions to disclosure, but so too does the added mechanism for a data subject to challenge the decision not to disclose legally privileged information. The added recourse is to ‘request the Commissioner to check that the controller was entitled to rely on the exemption’ and the Commissioner may ‘take such steps as appear appropriate to respond to [such] request’. The concern with the ‘copy and paste’ replication of wording from other sections, which do not address legal professional privilege, is that law enforcement bodies may face requests to provide copies of legally privileged information in order for the Commissioner to ‘check’ that an exemption has been properly applied, but in doing so, risk the loss of that very privilege.

International data transfers: The threshold for the Secretary of State to issue adequacy decisions covering international destinations for personal data transfers will be recalibrated; whereas a foreign jurisdiction has required protections ‘essentially equivalent’ to those under UK law, the standard will require a level of protection which is ‘not materially lower’. The European Commission is due to review the UK’s adequacy finding and postponed its review in anticipation of DUAA becoming law. Whilst the UK is expected to retain adequacy, it can be anticipated that some observers will be questioning whether the change signals a divergence of UK law from the GDPR standard.

If you have questions about the DUAA, please contact Robert Peake and James Tumbridge.

This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.