Your No-Nonsense Guide to UK’s New Data Protection Law

Avishai Ostrin, Founder & CEO

Since Brexit in 2020, whenever we created a compliance program for global companies, the approach in the UK and EU remained practically identical… Until now! With the recent passage of the UK Data (Use and Access) Act (DUA Act), the UK is taking its first meaningful step away from its EU neighbors.

The DUA Act will come into force over the next few months as secondary legislation is introduced. For the first time, companies will need to consider whether they take a different approach in their UK operations from their EU ones.

Unlike most regulatory changes, the DUA Act may make your life easier. If your organization is already GDPR compliant, here’s how the DUA Act could simplify your compliance obligations in the UK, specifically in five key areas (plus one that may require some UK-specific adjustments):

Broader Grounds for Legitimate Interests

The DUA Act offers a recognized list of legitimate interests that don’t require a balancing test or legitimate interests assessment. At the moment these mainly relate to activities which are unlikely to be relevant to many commercial businesses, such as safeguarding national security or detecting crime. But, Parliament did leave the door open for an expansion of ‘recognized’ processing purposes by the UK government in secondary legislation.

The Act clarifies that processing purposes such as direct marketing, intra-group administration, and IT system security can be based on ordinary legitimate interests, contingent on a legitimate interest assessment.

Remember when we all got excited about Recital 47 of the GDPR – “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” – a promise which never materialized the way businesses had hoped? Hopefully we’ll see this recognized in the UK soon.

Bottom line: While not officially exempt from a balancing test, the law indicates that the UK might take a more lenient view towards certain processing for purposes like improving products and services, IT security, and perhaps even marketing, with an official recognition of additional purposes in the future.

Narrower Definition of Automated Decision Making

The DUA Act clarifies the scope of what counts as Automated Decision Making (ADM). Under the previous (UK GDPR) regime, the default was that any decision based solely on automated processing which produced a legal or similarly significant effect on an individual was prohibited, unless it met one of a series of narrow exceptions.

The DUA Act narrows this strict approach to apply only to ADM that is based on “special category” (read: sensitive) data.

Where special category data is not involved, but a decision is significant and solely automated (i.e. with no meaningful human involvement), the controller must put in place the following safeguards:

(i) provide the data subject with information about the decision;

(ii) enable the data subject to make representations about the decision;

(iii) enable the data subject to obtain human intervention on the part of the controller in relation to the decision;

(iv) enable the data subject to contest the decision.

As long as safeguards are in place, the decision is permitted.

Here too, government regulations may provide further exemptions for certain types of decisions. Practically, this removes the blanket prohibition against ADM in low-risk decisions (potentially on the basis of a legitimate interest), and data subjects will have fewer grounds to challenge automated outcomes.

Bottom line: A relaxation of the blanket prohibition approach we saw with GDPR, along with more room for personalized automation.

More Flexible Data Transfers

Under the DUA Act, the UK Secretary of State can approve international data transfers to countries whose protections are “not materially lower” than the UK’s standard. That’s a lower bar than the EU’s “essentially equivalent” threshold.

This could allow UK organizations to transfer data to a broader list of countries without relying on SCCs or other safeguards. However, the UK will need to manage this carefully to protect its own EU adequacy status. On June 24th, the EU extended the UK adequacy decision until the end of 2025, to give the EU time to properly evaluate the new DUA framework.

Bottom line: The potential for more countries on the adequacy list and fewer SCCs.

Relaxed Cookie Requirements

The Act eases the rules around cookie consent for low-risk cookies, including:

(i) Website performance and analytics cookies

(ii) Emergency-use geolocation tracking

Opt-out is now permitted for these categories, meaning UK websites can enhance functionality and user experience without constant cookie pop-ups.

The ICO has also reported that it is looking into simplifying rules for what it calls “privacy-friendly online advertising”, so we may see relaxation of the rules in that realm soon as well.

Bottom line: Fewer cookie banners. More optimization. Perhaps more changes to come.

Refined DSAR Obligations

The DUA Act clarifies how to handle Data Subject Access Requests (DSARs) more efficiently:

(i) Controllers must perform only a reasonable and proportionate search;

(ii) The one-month response clock starts only after verifying identity and receiving necessary information.

Note that controllers still need to explain to the data subject if they withhold their information because of legal privilege or confidentiality.

Bottom line: A reasonable search is enough, and there is more breathing room on response times.

New Complaints Procedure

In conjunction with relaxing obligations around DSARs, the DUA Act makes it easier for individuals to complain to companies about misuse of their data. Practically, this means that companies will need to establish a clear, easy complaints procedure, including a specific online complaints form, and will be required to respond within 30 days.

Certain companies in “highly-regulated” sectors may be required to report the volume of privacy complaints they receive to the ICO within set reporting periods.

Bottom line: Online complaint forms will need to be created and privacy notices revised to outline these new rights and procedures, providing individuals with greater clarity on how to voice their concerns.

Bonus: A Promise for AI Regulation

Early versions of the DUA Act included transparency requirements for using copyrighted materials in AI model training, but those provisions didn’t make the final cut.

Instead, the Government promised to publish a report with proposals to “give copyright holders as much protection as possible via transparency, enforcement and remuneration.” Broader AI legislation is also under consideration. This fits into a general trend of countries trying to grapple with the limits and restrictions they want to place on the development of AI systems.

Bottom line: Nothing significant yet, but AI regulation is on the horizon.

Takeaways

If your organization is GDPR compliant, you’re still in good shape, but the DUA Act requires some consideration in relation to your UK operations:

(i) Check your legal bases and see if any legitimate interests fall into the exemption or if any of your balancing tests can be simplified

(ii) Consider the extra leeway in automated decision-making

(iii) Review whether the relaxed cookie consent requirements let you optimize your website

(iv) Consider the easier cross-border data transfers

(v) Respond to DSARs with less burden

(vi) Make sure you have an online complaints form and update your privacy notice accordingly

For many companies, maintaining a single GDPR-based global standard may still be the most efficient approach, since the EU largely remains the more stringent framework.

Many issues still remain unresolved, such as the future of AI regulation in the UK and the recognition of additional legitimate interests. But the trend is clear – relaxed, streamlined obligations that focus more on individual rights and sensible compliance, as opposed to strict, burdensome ones.

The article was co-authored with Noah Katz