Shredding or shaping? How the DUAA recasts the UK GDPR

By Alex Sobolev
The Data (Use and Access) Act reshapes UK data protection with targeted reforms, testing the balance between innovation and protection
In an infamous campaign video from August 2022, Rishi Sunak passed piles of paper marked “EU Legislation”, “EU Red Tape” and “EU Bureaucracy” through a shredder to Beethoven’s Ode to Joy. Somewhere in this crude metaphor was the “UK GDPR”, which implemented the EU’s General Data Protection Regulation in the UK.
The GDPR and its UK implementation are by no means perfect. Last year’s Draghi Report highlighted some common criticisms: its one-size-fits-all approach that places a disproportionate compliance burden on smaller organisations and the impact its restrictive processing and transfer rules have on innovation and competitiveness of EU businesses. When combined with the ePrivacy Directive, the stringent consent obligations have also been seen as leading to “consent fatigue” among internet users.
Reforming the UK’s privacy regime is, however, far more complex than shredding the GDPR and stamping “Made in Britain” on a freshly minted piece of legislation. UK privacy law shares its roots with the GDPR, so new legislation would either closely resemble it or signal a major shift in approach, at a time when more and more jurisdictions implement GDPR-style privacy legislation. In practice, UK businesses would likely resent wasted GDPR compliance efforts; reforms that jeopardise the UK’s EU adequacy status would be counterproductive by creating additional compliance burdens for EU-UK data flows.
Rather than overhauling the privacy regime in its entirety, the Data (Use and Access) Act (DUAA) aims to achieve a balance between protection for individual rights and promoting innovation through targeted reforms to specific provisions of the UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Key reforms
While the headline reforms read well, how consequential some of them are in practice is questionable. Some amendments simplify compliance in respect of specific processing scenarios while others largely codify existing guidance.
The key amendments that appear likely to have a meaningful impact for most organisations in their day-to-day processing of personal data are:
Cookies
PECR required explicit user consent for most cookies or similar technologies, except for those “strictly necessary” for providing a requested service (e.g., session cookies for website functionality). The DUAA broadens the exemptions, allowing cookies without consent for additional purposes, including:
Website analytics: Cookies used to collect aggregated, non-identifying data (e.g., for website performance or user behaviour analytics) no longer require consent, provided the information is not shared other than for improving the website or service and users are offered an opt-out.
Low-risk processing: Cookies for purposes like fraud prevention and security enhancements are treated as “strictly necessary”.
Website appearance: Cookies that enable websites or services to tailor their appearance to the user can be used without consent, provided that users are offered an opt-out.
These changes aim to reduce consent fatigue, align with technological advancements, and simplify compliance for organisations while maintaining user protections.
Of note, however, is an increase to the ICO’s fining powers in the DUAA in respect of breaches of PECR from £500,000 to GDPR levels. While the requirements have been made more permissive, the consequences of breach are potentially much greater.
International transfers
Transfers to jurisdictions outside of the UK are prohibited under the UK GDPR unless an exemption applies. Common bases for legitimising such transfers are:
Adequacy: the recipient is in a country, territory or sector subject to adequacy regulations made by the Secretary of State; or
Standard contractual clauses: the transfer is made subject to appropriate safeguards. In practice, this is achieved by controllers through entering into standard agreements approved for international transfers (i.e. standard contractual clauses).
Each of the above requires an assessment by the relevant authority (for adequacy decisions) or the data exporter (for transfers relying on standard contractual clauses) to establish that the level of data protection in the destination country is essentially equivalent to that in the UK, either on its own or taking into account the requirements of the standard contractual clauses.
International transfers have been a thorn in the side of many organisations since the CJEU’s judgment in Schrems II cast doubt on whether recipients in the US could ever provide an essentially equivalent standard of protection for personal data, given the vast data collection powers granted to national authorities. A recent decision by the Irish Data Protection Commissioner against TikTok raised the same issue around transfers to China.
The DUAA lowers the threshold for the above assessment from “essentially equivalent” to “not materially lower”. It simplifies the adequacy assessment process, potentially expanding the list of countries eligible for adequacy decisions, and eases the burden on organisations transferring data internationally by reducing the complexity of transfer impact assessments.
Automated decision-making
A key departure from the GDPR brought in by the DUAA is the treatment of automated decision-making, creating a far more permissive environment for the deployment of AI.
The GDPR prohibits the use of solely automated processing having legal or similarly significant effects on the data subject, subject to limited exceptions including contractual necessity and consent. Automated decision-making involving special categories of data is prohibited other than with the data subject’s explicit consent or where necessary for reasons of substantial public interest on the basis of national law.
The DUAA shifts automated decision-making to a more permissive framework, allowing organisations to use it for “significant decisions” (i.e. those having legal or similarly significant effects, consistent with the existing wording) in broader circumstances, provided they implement specific safeguards. These include specific transparency obligations, and rights to make representations, obtain human intervention and contest decisions.
The relaxed rules do not, however, apply to processing of special category data, in respect of which the original GDPR restrictions still apply.
The ICO is expected to issue a statutory code of practice on AI and automated decision-making to support organisations in complying with the new rules. Additional clarificatory regulations may also be issued by the Secretary of State.
Compliance-easing and clarificatory reforms
As mentioned above, not all of the amendments are of equal consequence. While on the surface they meet the brief of pro-innovation and lower compliance burden, their practical impact is more limited. Key points to highlight are the following:
Purpose compatibility and recognised legitimate interests
The GDPR’s “purpose limitation” principle restricts further processing of personal data to purposes compatible with the original collection. It presumes compatibility for archiving, scientific, historical, or statistical research.
The DUAA expands compatible purposes to include public interest tasks, public security, emergencies, crime investigation, vital interests, safeguarding, taxation, and legal obligations. Broadly similar purposes are also added as “recognised legitimate interests”, removing the need for a detailed balancing test when relying on the legitimate interest lawful basis under Article 6(1)(f). While not groundbreaking, these changes clarify permissible processing and reduce administrative burdens for controllers.
Research
The GDPR provides carveouts for “scientific research” but lacks a clear definition, with EDPB guidance still pending since at least 2021.
The DUAA adds a definition that, crucially, explicitly includes commercial research. While this may be of interest to organisations looking to rely on the carveouts for their own internal technological development, note that this broadly reflects the ICO’s previous guidance.
The DUAA also allows broad consent for scientific research when specific purposes are unclear at the time of data collection, though the same provision already existed in the GDPR recitals and the DUAA simply moves this into the main body of the UK GDPR.
Most significantly, the DUAA extends the “disproportionate effort” exemption for providing transparency information to data subjects to direct data collection in the research context, which was previously reserved for indirectly collected data only.
Data Subject Rights
The DUAA makes relatively minor changes to data subject rights, the key points effectively codifying what was already addressed in the ICO’s guidance:
the clock for responding to the request is stopped until the data subject has provided information reasonably required by the controller to identify the individual and their data; and
the controller’s obligation to provide data is limited to conducting a “reasonable and proportionate search”.
The balance between innovation and protection
The DUAA is undoubtedly a step forward in addressing some of the common criticisms of the GDPR and adapting the legislation for modern data use, particularly in the field of AI. Whether it achieves the right balance between innovation and protection will become evident over the next few months (or even years). The draft renewed adequacy decision from the EU suggests that at least the “protection” element of the balancing exercise appears to have been achieved.
It is also unclear how much of an impact the reforms will have in practice. Many international undertakings are likely to continue to be steered by the more stringent obligations of the EU GDPR, as a unified approach between the UK and EU is likely to be more commercially viable, at least for now.