In this briefing we discuss key changes contained in the Data Use and Access Bill (the Bill) that are likely to be made to UK data protection legislation.
When is the Bill likely to come into force?
The Bill is likely to enter into force in early 2026. Most of the Bill’s provisions, including the changes to the UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR), will not commence until a date or dates specified by further regulations, and organisations can expect a period in which to adapt after the Bill has entered into force. The Bill is currently undergoing review and its final text is still awaited.
How did we get here?
The Bill replaces the Data Protection and Digital Information Bill (DPDI) introduced by the previous government. Much of the text of the DPDI’s proposed revisions to UK data protection law has been retained in the current Bill, but certain significant reforms have been dropped, including:
- The proposal to remove the requirement for controllers established outside the UK to appoint a UK representative – this will continue to be required.
- The proposal to limit the requirement to maintain records of processing to "high-risk" processing activities – records of processing will continue to be required to cover all processing activities.
What is the Bill?
The Bill addresses a diverse range of topics related to the use of and access to data, and is not limited to just personal data. In this briefing we discuss its key potential changes to the UK GDPR and PECR, as these will be of general importance for all organisations required to comply with UK data protection legislation. The Bill also includes provisions, amongst other things, on:
- Data access requirements – Whilst businesses may be familiar with data subject access requests and requests for portability of personal data, the Bill enables secondary legislation to be made that could give individuals access rights for other types of data e.g. on the performance or quality of goods or services sold by a business. Such rules may become significant if introduced, and we will continue to "watch this space".
- Digital verification – Certain businesses may be subject to new rules on the provision of digital verification services (DVS) – broadly online services that allow an individual to be identified at their request without needing to provide physical documentation. These include a requirement for the Secretary of State to publish a DVS trust framework including rules regulating the conduct of providers of such services, which may be supported by additional supplementary codes. A DVS register will also be established, which will allow persons on that register to receive personal information related to an individual from public authorities to allow them to provide digital verification services to that individual, and allow those persons to use a "trust mark".
- Information Commission – Establishing the Information Commission (IC) to replace the Information Commissioner’s Office (ICO) – this is largely a procedural change but the Bill does introduce some new duties on the regulator such as to have regard to the desirability of promoting innovation and competition where relevant in carrying out its functions.
What are the likely impacts for the UK GDPR and PECR?
- GDPR-level fines for PECR breaches. The IC – which will replace the ICO – will have enhanced powers to enforce the PECR. Notably, it will have the power to apply maximum fines of £17.5m or 4% of annual turnover, whichever is higher, for breaches of the PECR rules, including on cookies. These fines will align with potential fines for breaches of the UK GDPR. This is a substantial increase on the current fine limit of £500,000 for PECR breaches, and it matters because PECR compliance is already an area of close regulatory scrutiny.
- Cookies. Under current rules opt-in consent must be obtained for the use of cookies, other than cookies that are strictly necessary for functionality. Under new rules opt-in consent will additionally not be required for cookies that collect information for statistical purposes, or that enhance the appearance or functionality of a website or allow its appearance or functionality to adapt to user preferences, if they meet certain conditions. Information on these cookies, and an opt-out in respect of these cookies, must however still be provided.
- Data Subject Access Requests (DSARs). Organisations responding to DSARs may obtain greater flexibility in how they respond. In particular, organisations may only be under an obligation to conduct a reasonable and proportionate search for personal data in order to respond to a request. They may also be able to "stop the clock" for responding to requests in certain circumstances, including where they reasonably require further information in order to identify the information or processing activities to which a DSAR relates.
- Data protection complaints. The Bill includes enhanced procedures to benefit data subjects making complaints. These include requirements to facilitate data subject complaints, for example by providing an online complaint form, and to ensure that complaints are appropriately investigated. As a result, controllers of personal data may in practice be required to have procedures for handling complaints in which data subjects allege an infringement of the UK GDPR, in addition to procedures for dealing with DSARs.
- Legitimate interests. The Bill may simplify determining whether a business can rely on a legitimate interest to lawfully process personal data for a particular purpose:
  - It introduces a new concept of "recognised legitimate interests". If processing is being carried out for certain purposes specified in the Bill, such as the prevention of crime or safeguarding, then such interests cannot be overridden by the rights and freedoms of third parties. By implication a legitimate interest assessment would not be required if a recognised legitimate interest can be relied on. Nonetheless organisations may still need to conduct an assessment to demonstrate that their processing falls within the scope of a recognised legitimate interest.
  - Separately, the Bill also includes examples of certain purposes that are likely to be within an organisation’s legitimate interests. These include intra-group transfers of personal data for administrative purposes and processing necessary for ensuring the security of network and information systems. Whilst this may give organisations greater confidence that they will be entitled to rely on the existing legitimate interest ground when using personal data in this way, unlike the "recognised legitimate interests", there is no indication that it would not still be prudent to conduct a legitimate interest assessment.
- International transfers. New rules on international transfers may facilitate transferring personal data internationally. In particular, the new rules introduce greater flexibility for the UK government to make adequacy regulations in respect of third countries, which may result in a greater number of these being made. These in general allow for an organisation to transfer personal data to the country that benefits from an adequacy regulation without having to take further steps. However, where a third country does not benefit from an adequacy regulation it will still generally be necessary to use standard contractual clauses and conduct a data protection test (currently a "transfer risk assessment").
- Purpose limitation. The Bill contains new rules on how organisations can ensure that any new purpose that personal data is used for is compatible with the purpose for which it was collected, in compliance with the purpose limitation principle. In effect these rules closely align with existing ICO guidance, but place it on a statutory footing. When making a determination as to compatibility, organisations will be required to take into account a number of factors, for example the context in which the personal data was originally collected, and the existence of appropriate safeguards. In certain limited circumstances the new purpose will be deemed automatically compatible, such as where the data subject provides specified, explicit and legitimate consent to processing for the new purpose, or where the processing is necessary for protecting the vital interests of an individual. Care should be taken where consent was relied on to collect the personal data for the original purpose – in most circumstances it will still be necessary to obtain consent to processing for the new purpose.
- Automated decision making. The Bill signals a move away from the general prohibition on solely automated decision making, including profiling, that produces legal effects on data subjects or similarly significantly affects them, save in specific narrow circumstances (significant decisions). Under the new rules this will generally be permitted (unless a significant decision is based, at least in part, on the use of special category personal data). However, organisations will need to ensure that specific safeguards, such as giving data subjects the ability to make representations about the decisions, are applied.
- Data protection by design and default for children. Controllers of personal data that provide information society services (a term which covers most online services) to children will be required to take into account children’s higher protection matters, such as how they can best be protected and supported in using such services, when determining how they ensure data protection by design and default. This is consistent with a general legislative trend – typified by the Online Safety Act 2023 – to place greater responsibility on online service providers for ensuring the safety of their services (see our briefing on the Online Safety Act).
Next steps
Once the text of the Bill has been finalised, organisations should review the impact that it may have on their existing data protection compliance operations and prepare for any necessary changes ahead of its implementation. Prudent steps might include:
- Reviewing existing compliance with PECR in light of increased fines for breaches.
- Reviewing cookie consent procedures, in particular whether certain types of cookies used will no longer require consent.
- Amending DSAR policies.
- Implementing policies and procedures for responding to data subject complaints.