The UK Government has introduced the new Data (Use and Access) Bill to Parliament. I’m not going to lie - I don’t love it. Sadly, it borrows a great deal from the last failed attempt (although thankfully a lot less ambitious in terms of its changes to the GDPR).
There is still quite a lot to dig through, but here are a few initial highlights:
- As with the last Bill, a list of 'recognised legitimate interest' processing activities where you don't need to do the balancing test, which either: (1) are quite high risk so you should definitely do a balancing exercise (e.g. national security, crime, safeguarding vulnerable individuals); or (2) would definitely fit within another Article 6 condition and so are entirely redundant (e.g. legal obligation, vital interests or public task).
- As with the last Bill, it introduces some new exemptions from the cookie consent requirement in PECR. (I accept some of this could actually be quite helpful.)
- Power to the Secretary of State to add a description of processing to the prohibition in Article 9(1), or else remove it from Article 9(1). That'd be a big deal.
- Making it clear that data subjects are only entitled to personal data in response to a DSAR that "the controller is able to provide based on a reasonable and proportionate search". I think we can all get behind that.