On 19 June, the Data (Use and Access) Act (DUAA) received Royal Assent. DUAA deals with a number of areas, such as digital verification services and smart-metering, but in this article we consider what changes it will bring in terms of data protection law and practice, and what the impact might be on both organisations and individuals.
The first thing to note is that this is an amending Act: the core pieces of data protection legislation in the UK will remain the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. The significance of DUAA lies in the changes it will make to those existing laws.
Although the Act will not introduce wholesale changes to data protection law, organisations should take note of several aspects. The large majority of the data protection provisions are not yet in effect and will require secondary legislation (commencement regulations) to bring them into force. That secondary legislation, and the associated regulatory guidance, may not emerge for some months yet.
However, we draw attention to the following key points:
- Changes to cookies rules – once the relevant provisions are commenced, those who operate websites and apps may be able to deploy some "analytics" cookies without seeking visitors' consent. It is important to note, however, that although UK law will change in this respect, EU law will not (at least for the time being). Any organisation operating in the EU, or simply making its website or app available in the EU, will therefore have to consider whether there is any benefit in taking different approaches according to jurisdiction, and whether it is technically practical to do so.
- Clarification that, when responding to a subject access request, data controllers only need to undertake a "reasonable and proportionate search". The reference to "proportionality" may well mean that a small organisation, faced with a request of no obvious value to the requester, may need to do a less comprehensive search than a large company dealing with an obviously serious request. This change simply puts onto the statute book something the courts stated as long ago as 20 years, but it may nonetheless be helpful to be able to point to the provision where a requester disputes how a controller has responded to a request. This provision commenced immediately upon enactment of DUAA.
- A requirement to have a "complaints procedure" for data protection matters. Once the provisions have commenced, data controllers will have to acknowledge complaints within 30 days and respond to them "without undue delay". Organisations that already have complaints procedures in place should be able to incorporate data protection matters into those existing procedures, although they will need to be aware that, unlike most consumer complaints, data protection complaints carry statutory deadlines.
- Charities will, once the provisions have commenced, be able to avail themselves of the "soft opt-in" provisions already available to commercial organisations, and send "unsolicited" marketing emails and text messages to supporters (and those who have expressed an interest in the charity), as long as they offer an "opt-out". This has the potential to transform the fundraising market. Charities should note, however, that unlawful direct electronic marketing continues to be one of the areas the Information Commissioner targets for enforcement: getting it wrong can be risky.
- Related to the charities and marketing point, the Information Commissioner will (again, subject to commencement of the provisions) have increased enforcement powers under PECR: the current maximum fine for direct marketing (and, indeed, cookies) infringements is £500,000. This will increase to match the UK GDPR maximum of £17.5 million or, in the case of an undertaking, 4% of global annual turnover, whichever is higher.
These are by no means the only significant changes, and we will provide further information and updates as the changes take effect. In the meantime, organisations should be reviewing their data protection compliance programmes and policies, both to ensure they will be (or remain) compliant and to consider whether there are opportunities to use the data they hold to deliver benefits to data subjects and to the organisation itself.