The UK Government has introduced the new Data (Use and Access) Bill to Parliament. I’m not going to lie - I don’t love it. Sadly, it borrows a great deal from the last failed attempt (although thankfully a lot less ambitious in terms of its changes to the GDPR).
There is still quite a lot to dig through, but here are a few initial highlights:
- As with the last Bill, a list of 'recognised legitimate interest' processing activities where you don't need to the balancing test which either: (1) are quite high risk so you should definitely do a balancing exercise (e.g. national security, crime, safeguarding vulnerable individuals); or (2) would definitely fit within another Article 6 condition and so are entirely redundant (e.g. legal obligation, vital interests or public task).
- As with the last Bill, it introduces some new exemptions from the cookie consent requirement in PECR. (I accept some of this could actually be quite helpful.)
- Power to the Secretary of State to add a description of processing to the prohibition in Article 9(1), or else remove it from Article 9(1). That'd be a big deal.
- Making it clear that data subjects are only entitled to personal data in response to a DSAR that "the controller is able to provide based on a reasonable and proportionate search". I think we can all get behind that.
/Passle/5f3d6e345354880e28b1fb63/MediaLibrary/Images/2025-09-29-13-48-10-128-68da8e1af6347a2c4b96de4e.png)
/Passle/5f3d6e345354880e28b1fb63/SearchServiceImages/2025-12-17-15-54-48-694-6942d248c311190ddb9b477d.jpg)
/Passle/5f3d6e345354880e28b1fb63/SearchServiceImages/2025-12-17-12-25-37-681-6942a1416438b978e7e7a62e.jpg)
/Passle/5f3d6e345354880e28b1fb63/MediaLibrary/Images/2025-12-09-16-34-55-174-69384faf1b6076d9d899c3a5.png)