The UK’s New Amendments to the UK GDPR Become Law and Get a Nod from the EU. What happens now?

Seyfarth Shaw LLP
The UK’s Data (Use and Access) Act received Royal Assent last Thursday, June 19th, bringing into law some significant changes to the country’s post-Brexit data protection framework, among an array of other, related rules (on matters ranging from financial conduct to smart meters and “underground assets,” which is more to do with pipes than spies, unfortunately). The Act is more of a selective nip and tuck than a complete makeover, intended to foster innovation by reducing and simplifying compliance burdens, while retaining the core principles and safeguards of the UK GDPR and related regulations.

Implementation will be phased. If you read nothing further, the main takeaway is that it will be important to pay attention to further developments, as most of the changes do not come into force until there is further implementing rulemaking.

This week (June 24th), the European Commission officially extended its “adequacy decision” for the UK until 27 December 2025 as previously promised, in order to allow the Commission to carry out its assessment of the adequacy of the new framework. Given further extension (to ensure continued free data flows between the EU and UK) necessarily depends on some parity between the rules in place in both markets, it’s nice to see both sides playing nicely together. Without renewal, there will be additional burdens for businesses that transfer personal data from the EU to the UK, including those that are headquartered in a third country like the US.

We round up some of the tweaks below:

  1. One Point Companies Should Immediately Evaluate: Complaints Handling. The Act specifies that controllers must facilitate complaints “by taking steps such as providing a complaint form which can be completed electronically and by other means.” Controllers must also acknowledge complaints within 30 days and act on them without undue delay. The Act also contemplates that controllers may later be required to notify the regulator of the number of complaints received in a given period.
  2. A new Trust Framework for digital verification services (DVS) is to be implemented. Although this is yet to be formalized, it will result in new enhanced rules to replace the current voluntary Digital Identity and Attributes Trust Framework overseen by the Department for Science, Innovation and Technology. A publicly available register of compliant DVS providers will be set up and a trust mark will be introduced to help users identify certified and trustworthy digital identity providers. Registered providers will be able to directly verify personal information with public authorities via an “information gateway.” For DVS providers, there will be some additional work required to get registered and stay compliant. For companies that want to utilize DVS providers, however, this will eventually be a welcome streamlining of certain verification processes, such as KYC, age verification and employer right to work checks, particularly when contrasted with undertaking these processes in-house. Happily, there is also recognition of overseas electronic signatures (provided certain criteria are met) which should help with related friction in international transacting (e.g., for overseas companies utilizing overseas signature products) – although globally speaking, the UK has always been relatively sensible on this front.
  3. Some additional welcome clarity and flexibility for essential aspects of the UK GDPR, including:
    • Introduction of a New Lawful Basis: “Recognised Legitimate Interests.” This will be significant for some specific use cases (e.g., detecting, investigating and preventing crime), because this basis does not require the controller to balance the legitimate interests being relied on by the controller against the interests of the data subject whose personal data is being used, if such legitimate interests are “recognized” at law.
    • New Examples of the Ever Nebulous “Legitimate Interests”: including direct marketing, and intra-group transmission of personal data of clients, employees or others where necessary for internal administrative purposes or for ensuring the security of network and information systems. These are particularly helpful for US multinationals where business processes and decision-making are heavily matrixed or centralized.
    • Flexibility as to Seeking Consent for Scientific Research Purposes: Data subjects can give broad consent, and organizations may not need to provide additional privacy notices or seek additional consent for the further processing purpose of scientific research (any research that can reasonably be described as scientific, whether publicly or privately funded, and whether carried out as a commercial or non-commercial activity). We can expect this to be a favorite of businesses engaging in any kind of data-heavy R&D.
    • Permitting Use of Tracking Technologies and Cookies without Consent: Consent is not required where strictly necessary to protect information related to the services requested, ensure security of the user terminal, prevent or detect fraud or technical faults and to enable automatic authentication of the user’s identity or maintain records of selections made or information provided by the user on the website. Note that fines related to unauthorized direct marketing activities have been increased to UK GDPR levels (from the relatively more modest levels set by PECR).
    • Increased Clarity with Regard to Automated Decision-Making (ADM): The Act provides for rules to clarify what activity is regulated as ADM (e.g., it defines a decision “based solely on automated processing” as one where there is no meaningful human involvement, etc.) and arguably lifts some limitations for business relying on such decisions (e.g., in AI applications and algorithmic processing).
    • Clarity as to Extent of Search Required in Response to a DSAR. The Act clarifies that the data subject is only entitled to information the controller is able to provide based on a reasonable and proportionate search. This was not previously addressed, leading to frequent consternation among data controllers.
    • Increased Clarity as to the Existing Requirements for Transfers of Personal Data to Third Countries.

There are a few points of less clarity as well. Notably, with regard to:

  1. Artificial Intelligence (AI). The Secretary of State has nine months to publish a Report on the Use of Copyright Works in AI Systems. We remain on tenterhooks.
  2. Access to and Portability of Customer and Business Data / Smart Data Schemes. The Secretary of State has been given authority to regulate access to and provision of customer and business data, including to third-party recipients and including through standardized APIs or other means, in line with broader UK GDPR principles but with arguably broader coverage than under the corollary EU regulation that will become applicable in the EU later this year (the EU Data Act). We will have to wait and see what these schemes will actually look like.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Seyfarth Shaw LLP
