UK Government Tables New Data Bill

The UK Government has tabled the much-anticipated Data Use and Access Bill, which will form a key tenet of the UK’s data legislative infrastructure going forward.

The Bill, delivered by the Department for Science, Innovation, and Technology, is designed to “put technology and data protection at the heart of the economy,” and “promote growth, improve public services and make people’s lives easier.”

Ministers expect the measures to “generate approximately ￡10 billion towards the UK economy across ten years by legislating on data sharing to generate a host of benefits for both consumers and businesses.”

Key Issues that will be of interest to marketing professionals:

1. Legitimate Interests: Direct marketing has been included in the main text of GDPR as an example of a legitimate interest in Article 6.1.f. This provides greater certainty for our members when using legitimate interests as a lawful basis, especially when considered in the context of recent UK and EU case law that both confirmed that direct marketing and advertising could be legitimate interests subject to necessity and balancing tests (Legitimate Interest Impact Assessments)

2. Definition of Direct Marketing: The definition has been added to GDPR and PECR confirming a wide definition of direct marketing as “the communication (by whatever means) of advertising or marketing material which is directed to individuals.

3. Exemptions to consent for cookies: A range of exemptions to consent for cookies are listed in Schedule 12 of the Bill, including strictly necessary, statistical purposes, website appearance and emergency assistance being provided. Many websites that are not advertising-supported such as pure play ecommerce, B2B and corporate websites may be exempt from cookie consent pop-up banners.

4. Accountability framework in GDPR: Changes that were proposed in the DPDI have not been included in this Bill so the status quo of Accountability requirements such as Data Protection Officers and Records of Processing activity remain as is under GDPR.

5. Codes of Conduct: The legislation confirms the importance of Codes of Conduct developed by trade associations under GDPR Articles 40 and 41 and extends Codes of Conduct to include PECR issues. This confirms the co-regulation of data protection and enables the DMA to resume work on a Direct Marketing Code of Conduct with the ICO delegating authority for investigating breaches to the Data and Marketing Commission.

6. House of Lords: The bill will begin its legislative journey in the House of Lords where it had its First Reading on 23 October 2024 around 6 pm. The Second Reading has not been scheduled.