Opinion

DUA (Lipa) Bill – Hotter Than Hell or just a few New Rules?

Published Date
Oct 28 2024

On Wednesday, the UK Government published its new Data (Use and Access) Bill with a promise that it will ‘harness the enormous power of data to boost the UK economy by £10 billion’ and ‘unlock the secure and effective use of data for the public interest’. Reportedly dubbed the “DUA Lipa bill” by staff at the ICO, the bill carries the UK Government’s clear hope that this rejuvenated version will be the one to cement new rules into UK law after several years of stunted data reform.

How did we get here?

The original Data Protection and Digital Information (DPDI) Bill was the genesis of post-Brexit data reform in the UK, but during the political upheaval of 2022 it was withdrawn from Parliament. It later returned in the form of the DPDI (No.2) Bill and made its way steadily through the legislative system before disappearing again, Houdini-like, ahead of the General Election in July 2024. Whilst the election brought about the end of an era for one administration, the DUA Bill represents the new UK Government’s attempt to stir up a potion of new reforms that it claims will grow the economy, improve public services and make people’s lives easier. On the face of it, these are ambitious claims that might blow your mind, but do the provisions stand up to scrutiny? Or is the DUA (Lipa) Bill just the DPDI Bill in disguise?

If you’re mainly here to count up the Dua Lipa song references, don’t worry, there are plenty more to come – but first a focus on the key legal changes!

What’s new? Not much!

At 262 pages, the DUA Bill is lighter than its predecessor but still a physical and mental challenge to wade through. You could be forgiven for thinking that the new bill represents a wholesale change to the proposals of the previous administration, but this is something of an illusion: many provisions from the DPDI Bill have been retained, often with text moved around, tweaked or supplemented, but without meaningful changes to the concepts in question.

Nonetheless, the DUA Bill has been welcomed in a number of quarters with techUK commenting that “[t]his Bill marks the start of a welcome effort from the new Government to unlock the power of data, through initiatives on digital ID, Smart Data, digitising key public registers and assets, and reforming the data protection laws.”

With its new structure and name, the DUA Bill places greater focus on provisions relating to data sharing and digital verification, but both concepts were already present in the DPDI Bill. From a data protection perspective there are a couple of important new additions:

  • Potential for new special categories of personal data? – The DUA Bill includes provisions allowing the Secretary of State to designate additional special categories of personal data, and additional processing activities, that are subject to the prohibition on processing special category data in Article 9(1) UK GDPR; the Secretary of State can also stipulate to what extent organisations can rely on the exemptions in Article 9(2) in order to process those additional data categories or perform those additional processing activities.
  • Narrowed scope of ‘recognised legitimate interests’ – The DPDI Bill gave the Secretary of State broad powers to specify ‘recognised legitimate interests’ that organisations could rely upon as a lawful basis under Article 6 UK GDPR. These provisions have survived (as has the majority of the initial list of ‘recognised legitimate interests’), but a new provision has been added to the DUA Bill which means any new ‘recognised legitimate interest’ must be necessary to safeguard an objective listed in Article 23(1) UK GDPR, such as national or public security, defence, the prevention or investigation of crime, public health, the rights of data subjects, regulatory functions or civil law claims. Whilst this change should help the UK retain its adequacy status from the EU, it does somewhat close the door to the UK Government recognising specific AI use cases as a ‘recognised legitimate interest’. That may always have been the stuff of dreams, but it would have greatly assisted AI developers and deployers and encouraged innovation in this space.

In addition, the DUA Bill proposes to amend the Online Safety Act (OSA) to enable the Secretary of State to issue regulations requiring providers of services regulated under the OSA to give researchers access to information relating to online safety, provided this does not require those providers to share personal data in a way that would contravene data protection legislation. This would bring the UK’s online safety regime closer to the EU approach under Article 40 of the Digital Services Act.

Like the provisions relating to smart data sharing and digital identities (discussed below), all of these new changes give the administration notable power to create new rules via secondary legislation. Whilst there are other new provisions in the draft, the majority build on what was there before; the draft is low on surprises, and we expect this will be welcomed by large global organisations who want to minimise unnecessary disruption to their existing compliance programmes.

What stays? Sharing is caring

A key focus of the UK Government’s press release for the new bill has been on two concepts that survive from the DPDI Bill:

  • Smart data schemes – The DUA Bill aims to create a framework that will support new smart data schemes facilitating the sharing of information by businesses with regulated and authorised third parties. This builds on the approach taken to open banking and will be achieved by giving the Secretary of State broad powers to issue regulations governing access to customer and business data. It is these regulations, which are likely to be sector-specific, that will provide the key details of how the schemes will work in practice, and they will require further scrutiny by businesses. Interestingly, the proposals go further than the similar provisions in the EU’s Data Act and Data Governance Act, which focus more specifically on internet-of-things devices and public-sector data sharing respectively. As in the open banking space, these proposals have great potential to encourage innovation and increase competition, but the impact on existing market participants, who place great value on the data they hold, remains uncertain.
  • Digital identity verification – Similarly, the bill creates a framework to support the development of digital verification services (DVS), enabling broader but controlled use of digital identification. Again, this will be achieved via secondary legislation and, as with its predecessor, the DUA Bill includes the concept of a DVS register and of certification of DVS providers against a trust framework. New additions to the bill include a power for the Secretary of State to refuse certification on national security grounds and a requirement for the Secretary of State to consult the Information Commissioner on regulations made in this area. Again, these regulations will set out the details of how the trust framework will be implemented in practice.

In addition, the UK Government’s statement accompanying the DUA Bill places great emphasis on the potential benefits to the National Health Service and adult social care more broadly. The bill, like its predecessor, provides for information standards to be issued under the Health and Social Care Act, opening the door to single medical records that can be used and accessed across all health and social care services.

In the data protection section of the DUA Bill many aspects of the DPDI Bill have been retained. In particular:

  • Automated decision-making: The DPDI Bill’s approach to automated decision-making (ADM) remains. It allows ADM to be used in lower-risk situations, whilst ensuring that significant decisions involving special category personal data remain subject to human oversight, and it provides safeguards to protect data subjects’ rights and interests. This change poses the greatest challenge to ongoing UK adequacy, given it is a clear departure from the GDPR position.
  • PECR fines: The penalties under the Privacy and Electronic Communications Regulations (PECR) will be aligned with UK GDPR levels, meaning the maximum penalty becomes the higher of 4% of total annual worldwide turnover and £17.5 million.
  • Cookie rules: The DUA Bill retains many of the cookie reforms proposed in the DPDI Bill. In particular, the proposals would allow cookies to be set without consent, subject to certain conditions, for the purpose of (i) making improvements to the website or service in question; (ii) maintaining the security of the individual’s device or of the service itself; (iii) providing emergency assistance to the individual; or (iv) perhaps most interestingly, adapting the appearance of the website or application to the user’s preferences, or enhancing its appearance or functionality when accessed by that user.
  • Purpose limitation: The DUA Bill retains the DPDI Bill’s provisions on purpose limitation, which set out what is meant by ‘further processing’ for a new purpose.
  • Scientific research: Subject to certain safeguards, the DUA Bill expands the definition of consent to allow further processing where consent is given for processing in relation to scientific research and, at the time the consent is sought, it is not possible to identify fully the purposes for which the personal data will be processed.
  • Adequacy: The DUA Bill codifies the “data protection test” to be applied by the Secretary of State when assessing whether a third country or international organisation provides a standard of data protection that is not materially lower than that in the UK.
  • DSARs: The DUA Bill clarifies that only a “reasonable and proportionate” search is required when responding to data subject access requests, putting existing guidance onto a statutory footing for the first time.
  • Privacy notices: The DUA Bill proposes to amend the UK GDPR transparency provisions so that controllers are not required to inform data subjects of further processing to the extent that (i) it is carried out only for scientific or historical research, archiving or statistical purposes; (ii) the processing involves de-identifying the personal data so that it can be processed in a manner which does not permit re-identification of a data subject; and (iii) providing the information would be impossible or would involve a disproportionate effort. Factors relevant to disproportionate effort include the number of data subjects, the age of the personal data and whether any safeguards have been applied to the processing.

You can find our previous blogs on the DPDI Bill here and here.

What has disappeared?

Whilst the data protection section of the DUA Bill includes a number of provisions that survived from the DPDI Bill, others have not. For example:

  • Data subject requests: The grounds on which controllers can refuse to comply with a data subject request will no longer be amended to include the concept of ‘vexatious or excessive’ requests – the UK GDPR test of ‘manifestly unfounded or excessive’ survives;
  • DPO: No goodbyes need be said to your Data Protection Officer – the DPDI Bill concept of replacing the DPO role with a ‘senior responsible individual’ is no more;
  • DPIAs: The requirement to carry out Data Protection Impact Assessments will also remain unchanged – the rebrand to “assessment of high-risk processing” did not survive the redraft;
  • UK Representatives are still required – the UK Government has shelved plans to scrap the requirement for controllers based outside the UK (who are otherwise subject to UK data protection law) to appoint a representative with a physical presence in the UK;
  • Personal data definition remains unchanged, meaning the DPDI Bill concept of identification ‘by reasonable means’ has been dropped; and
  • Records of processing must continue to be maintained by organisations, with the UK Government abandoning the DPDI Bill provision that limited the duty to maintain records to high-risk processing activities.

What do the proposals mean for EU adequacy?

The proposals are likely to be good news for EU adequacy. The House of Lords EU Affairs Committee recently wrote a letter to the UK Government emphasising the importance of retaining EU adequacy status and of providing reassurance to the EU in respect of the Government’s proposed data protection reforms, particularly in respect of the proposals on legitimate interests and the independence of the Information Commissioner.

The letter was written with the DPDI Bill in mind and, helpfully for many organisations, the DUA Bill does not increase the risk to EU adequacy. If anything, the risk of EU adequacy falling away in June 2025 (when the EU’s adequacy decisions for the UK come up for review) is lessened following publication of the DUA Bill, which narrows (i) the scope of the GDPR reforms; (ii) the proposed expansion of legitimate interests; and (iii) the provisions affecting the ICO’s independence.

No love again for AI?

A reading of the DUA Bill leaves us wanting a little more. We appreciate that the UK Government is something of a prisoner, trapped between the threat of losing EU adequacy and the desire to build on the advanced proposals of the DPDI Bill. However, our new love, artificial intelligence, with all of its promise and opportunity, is left wanting by the current draft.

Whilst a separate AI Bill focussing on the safety of the most powerful large language models is expected at a later stage of this legislative cycle, the DUA Bill did, with its promise to unlock economic growth, present an opportunity for the administration to provide regulatory clarity (and address widespread uncertainty) about the interaction between the UK GDPR and AI.

Whilst we wouldn’t expect the UK Government to just do anything for love, with its growth agenda in mind, many businesses would appreciate certainty on questions of lawfulness and accuracy, and on whether large language models are, in and of themselves, personal data. Instead, this void is left to be filled by regulatory guidance and, whilst we recognise there has been extensive recent consultation on the ICO’s guidance on generative AI under existing law, legislative reform aimed at supercharging economic growth would have been most welcome.

Given the challenges that broader UK GDPR reform poses to adequacy, we suggest that the Government seriously considers an amendment to the DUA Bill requiring the ICO to consult on and issue a statutory code on how the UK GDPR is to be interpreted in the context of AI. This approach would support innovation and the Government’s growth agenda, and would build on the success of the Age Appropriate Design Code, which formed the basis of similar rules in other major jurisdictions such as California. The ICO would then be required to take the statutory code into account when interpreting the UK GDPR in respect of AI, giving industry sensible direction and confidence in how the rules will be applied in practice.

What will the changes mean for business?

The launch of the DUA Bill, accompanied by ambitious promises of societal and economic impact, gives it the appearance of extensive change. Whilst ambitions are high, and reform is welcome, much of the systemic change promised by this bill will only be fully understood once secondary legislation is published and more detail is available.

We expect many large organisations will be:

  • cautious about the impact of broader data sharing – whilst the proposals could greatly benefit public services, organisations who have invested heavily in, and place great value on, the data they hold will be keen to see the secondary legislation that brings these provisions to life;
  • a little underwhelmed that the opportunity hasn’t been taken to make specific amendments addressing regulatory uncertainty and encouraging investment in AI within the UK; and
  • otherwise relieved that the data protection amendments remain limited and targeted:
      • the abandonment of the changes to DPOs, DPIAs and ROPAs will leave a feeling of ‘if only’ for some domestic UK organisations; for multinationals who compete with those UK-only businesses, and already adopt a Europe-wide approach to data protection compliance, the lack of divergence from the EU approach in this area will be welcomed; and
      • thankfully the reforms are, as you would expect, unlikely to impact the UK’s adequacy status for international transfers from the EEA, with the changes to automated decision-making the key potential area of challenge.

In short, the ambition of the bill is Hotter than Hell, but from a data protection perspective, it represents just a few New Rules.

What next?

These proposed legislative changes don’t start now: the DUA Bill only had its first reading in the House of Lords on Wednesday 23 October, and we would expect it to proceed to second reading fairly quickly. The DPDI Bill, on which much of the new bill is based, was close to completing its journey through Parliament before running out of time and falling at dissolution ahead of the election. Whilst the new UK Government is still in training season, given that it has a large majority and the DUA Bill is based upon the DPDI Bill, we expect it won’t be long after the House of Lords says ‘we’re good’ that the bill has its last dance in Parliament before levitating its way on to the statute books.

Watch this space!