The UK is poised to reshape its data protection landscape with the introduction of the UK Data (Use and Access) Act (the "DUA Act"). As one of the most significant reforms in UK data law since the GDPR came into effect, the DUA Act reflects Britain’s ambition to assert regulatory independence post-Brexit while fostering innovation and reducing compliance burdens.
Introduced in 2023, the DUA Act has progressed through Parliament with many contentious issues being raised in relation to its AI provisions. Overall, the reform seeks to simplify data protection requirements, enhance flexibility in data usage, and encourage innovation, particularly benefiting small and medium-sized enterprises (SMEs). For many businesses, this new legislation signals an opportunity — but also a necessity — to reassess their data compliance frameworks.
After the lengthy and contentious legislative process, the DUA Act has received Royal Assent and has become law, coming into force over the next few months as further, specific regulations are passed (the text of the Act will be available here once published).
What does the DUA Act do?
- Updates certain provisions in the UK GDPR and Data Protection Act 2018. The amendments are a trimmed-down version of the original proposals in the now-abandoned Data Protection and Digital Information Bill.
- Secretary of State’s Increased Powers: The Information Commissioner’s Office (ICO) will see increased oversight by the Secretary of State, potentially leading to shifts in enforcement priorities.
- Broader Legitimate Interest Grounds: The DUA Act expands scenarios where businesses can rely on legitimate interest rather than explicit consent, significantly simplifying compliance for activities such as fraud prevention.
- Flexibility in Data Transfers: New “data bridge” mechanisms aim to facilitate smoother international data transfers, enhancing global business agility.
- New Statutory Definition of Scientific Research. These definitions help clarify how the various provisions in the UK GDPR are intended to be applied.
- Cookies Reforms. Updates the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PECR”) to exclude analytics and user experience cookies from consent requirements.
- Sets Up “Smart Data” Schemes. The DUA Act sets up a framework for “open banking” style data sharing arrangements covering both consumer and business data, in a similar manner to the EU’s Data Act and Data Governance Act (though the DUA Act is not a like-for-like mirror of the relevant EU provisions).
- Reduces Administrative Burdens on SMEs and Smaller Companies. SMEs and certain processors may be exempt from extensive record-keeping, thus freeing resources for operational activities.
- AI & Copyright: The Government and the House of Lords had been at loggerheads over the inclusion of provisions in the DUA Act that would have regulated compliance with UK copyright law by AI operators. The House of Lords eventually conceded to dropping the AI and copyright amendments they had proposed in January, allowing the DUA Act to pass without them. As a compromise, the Government has agreed to publish a report within nine months of the DUA Act receiving Royal Assent which contains their proposals to “give copyright holders as much protection as possible via transparency, enforcement and remuneration.”
Who is impacted
Any business or organisation that handles data (including both personal and non-personal data) should proactively assess their compliance programs and policies in light of these reforms. Broadly speaking, the amendments to the UK’s data protection regime provide greater flexibility for controllers, rather than creating an additional compliance burden.
The Road Ahead
While the DUA Act promises greater operational ease, it remains crucial for organisations to navigate the transition period carefully. As part of our ongoing series, Orrick will next provide an in-depth comparison between the DUA Act and the EU GDPR, highlighting specific areas of divergence and impact as well as where AI regulation is going in the UK in comparison to the EU AI Act. The lower burden on companies operating in the UK compared to the EU may not have as much of an impact as envisaged by the UK Government, because in all likelihood most UK businesses also conduct business within the EU and will therefore have to comply with the stricter standard anyway.