Clifford Chance

Talking Tech

UK data reform resurrected

How does the Data (Use and Access) Bill compare to its predecessor?

Data Privacy 4 November 2024

The UK Government introduced the Data (Use and Access) Bill (DUA Bill) to the House of Lords on 23 October 2024.

As noted in our short introductory briefing, in many respects the DUA Bill, although differently structured and with changes of emphasis, closely resembles the previous Government's Data Protection and Digital Information Bill (DPDI Bill), proposing:

  • a new smart data framework;
  • a new digital verification services framework to support the UK's digital identity ecosystem;
  • various clarificatory tweaks to the UK's data protection regime;
  • new powers for the UK's data protection regulator; and
  • limited but important amendments to other legislation to remove barriers to the effective sharing and use of data in the public interest, notably in the contexts of healthcare, underground infrastructure, online safety and law enforcement.

Numerous DPDI Bill proposals have been dropped, however. These include an attempt to narrow the definition of personal data, provisions to facilitate engagement between members of Parliament and other elected representatives, tweaks to an exemption allowing refusal to respond to data subject requests and other proposals to lower the overall compliance burden under the UK General Data Protection Regulation (UK GDPR). For the most part, these proposals appear to have been dropped with a view to protecting the UK's "adequacy" status under the EU GDPR.

In this article, for those who have been following the legislative process, we explore these similarities and differences between the DUA Bill and the most recent iteration of the DPDI Bill. We will follow up with an executive briefing with our commentary on the most important changes to UK law proposed in the DUA Bill and what they mean for global businesses.

A. What remains?

To a greater extent than many commentators expected, much of the DUA Bill is substantially similar to equivalent provisions in the DPDI Bill. We briefly summarise these similar provisions in this section.

Smart Data

Building on the Smart Data Working Group’s policy paper (published in Spring 2021), the DUA Bill, like the DPDI Bill, will lay out a framework for the establishment of smart data schemes in the UK. Such schemes are intended to promote competition between consumer services by building bridges over 'moats' that make it easier for providers in possession of more data to retain customers. By facilitating the transfer of, for example, usage data between competing providers, it should be easier for consumers to choose the best offering for their needs.

The DUA Bill will confer powers on the Secretary of State and Treasury to make regulations that require "data holders" (that is, traders supplying goods, services or digital content in the course of business) to:

  • provide customer and business data either directly to a customer, or to a person authorised by them to receive the data, at their request;
  • produce, collect or retain customer data;
  • make changes to customer data, including rectifying inaccurate data;
  • use specified facilities or services, including dashboard services, other electronic communication services or application programming interfaces (APIs), to facilitate data access and use; and
  • establish complaint-handling and dispute resolution procedures.

The scope of the data that could be subject to the incoming smart data framework is broadly defined:

  • "customer data" covers information relating to a customer of a trader, including information relating to transactions between the customer and the trader. There is no express limitation to individual customers, so the bill opens the door to the possibility of smart data schemes in a B2B context; and
  • "business data" covers: (a) information about goods, services and digital content supplied or provided by the trader; (b) information relating to the supply or provision of goods, services and digital content by the trader (such as, for example, information about where they are supplied, the terms on which they are supplied or provided, prices or performance); and (c) information relating to feedback from customers about goods, services or digital content.

As in the DPDI Bill, these provisions will only establish the framework for smart data schemes. The operational detail will remain unclear until draft regulations made pursuant to the new framework emerge.

Given that the UK banking sector has operated a smart data scheme since 2018, and the central role played by the Financial Conduct Authority (FCA) in open banking since then, the DUA Bill reserves an important role for the FCA in the administration of smart data regimes in the financial services sector. The DUA Bill provides for the Treasury to make regulations enabling or requiring the FCA to make specific rules governing how customer and business data is shared by financial services providers. Unlike the DPDI Bill, the DUA Bill empowers the Treasury to require the FCA to consult with the Payment Systems Regulator, the Bank of England and the Prudential Regulation Authority, with a view to ensuring a co-ordinated approach in the exercise of their respective functions with respect to the regulation of payment systems.

Digital Verification Services

To provide the legislative basis for the Government's ongoing work in building a digital identity ecosystem for the UK, the DUA Bill, like the DPDI Bill, proposes the introduction of a new regime for Digital Verification Services (DVS). The regime would consist of five components:

  1. Trust framework: The Secretary of State would, in conjunction with consultations with the Information Commission, prepare and publish a trust framework (that is, rules and standards for the provision of DVS). This is expected to build on the existing UK digital identity and attributes trust framework, released as a beta in Summer 2022.
  2. Supplementary codes: Sets of rules to supplement the trust framework are to be published following consultation with the Information Commission and others as appropriate. Different DVS may be subject to different supplementary codes and supplementary codes may come into effect at different times for different purposes.
  3. Register: The Secretary of State would establish and maintain a DVS register, listing bodies that provide DVS services, and making it publicly available. To be listed on the register, DVS bodies would need to satisfy certain criteria, including holding a certificate issued by an accredited conformity assessment body.
  4. Information gateway: The information gateway would allow public authorities to disclose information to a registered DVS provider for the purpose of digital verification.
  5. Trust mark: The Secretary of State would have the power to designate a trust mark to be used only by those organisations on the DVS register.

The DUA Bill's provisions on DVS are almost identical to those in the DPDI Bill, with only minor tweaks:

  • whereas the DPDI Bill provided for the preparation of supplementary codes both by the Secretary of State and by other persons to be approved by the Secretary of State, the DUA Bill only provides for the preparation of supplementary codes by the Secretary of State, with the codes then being subject to review at least annually. This suggests a more centralised determination of the operational workings of the overall DVS framework; and
  • unlike the DPDI Bill, the DUA Bill gives the Secretary of State explicit grounds for refusing an application for registration in the DVS register: (a) where necessary on national-security grounds; or (b) where the DVS provider is failing to comply with the DVS trust framework.

Coinciding with the introduction of the DUA Bill, the Office for Digital Identities and Attributes (OfDIA) was launched within the Department for Science, Innovation and Technology. The OfDIA is envisaged to exercise the powers vested in the Secretary of State under the new DVS regime.

It is hoped that DVS will facilitate commerce by speeding up the processes by which individuals open accounts with service providers and engage in transactions – such as moving house, undergoing pre-employment checks and buying age-restricted goods and services – thereby reducing the burden on consumers and businesses.

Changes to the UK's data protection regime

Like the DPDI Bill, the DUA Bill:

  • (scientific research) defines the term "scientific research", as used in various provisions of the UK GDPR, so as to include "any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity". This brings the substantive provisions of the UK GDPR in line with existing recitals and regulatory guidance to encourage a broad interpretation of the concept of scientific research, so that the UK GDPR's purpose limitation principle, and its restrictions on the processing of special category data, are less likely to stand in the way of processing for what might broadly be considered to be scientific research purposes. Clarifications of a similar nature are proposed to references to "historical" and "statistical" research;
  • (consent to law enforcement processing) brings the conditions for the giving of consent by a data subject to the processing of their personal data for law enforcement purposes in line with the conditions for consent in Article 7 of the UK GDPR;
  • (legitimate interests – part one) introduces a list of recognised (i.e. deemed) legitimate interests for the purposes of satisfaction of a new lawful basis in Article 6(1) of the UK GDPR, either as listed in a new Annex 1 or as specified in regulations by the Secretary of State from time to time, including processing necessary: (a) to respond to certain requests made by bodies acting in the public interest; (b) for national security, public security and defence purposes; (c) for emergency response purposes; (d) for the detection, investigation or prevention of crime; or (e) for the safeguarding of vulnerable individuals. Processing necessary for any of these purposes will satisfy a lawful basis in the UK GDPR without the need to balance pursuance of the defined interest against the interests, rights or freedoms of the data subjects;
  • (legitimate interests – part two) clarifies that processing: (a) necessary for the purposes of direct marketing; (b) involving intra-group transmission of personal data where this is necessary for internal administrative purposes; or (c) necessary for ensuring the security of networks and IT systems, can be based on the legitimate interests lawful basis, but subject to the usual balancing test – this essentially just imports clarificatory provisions already included in the recitals to the UK GDPR into its main text;
  • (purpose limitation) restates the UK GDPR's purpose limitation principle in a new Article 8A UK GDPR. The new article will govern how a controller determines whether a new purpose of processing is compatible with the original purpose of processing. The controller must at least take into account: (a) any link between the original purpose and the new purpose; (b) the context in which the personal data was collected, including the relationship between the data subject and the controller; (c) the nature of the processing, including whether it involves special category data or criminal offence data; (d) the possible consequences for data subjects of the proposed processing; and (e) the existence of appropriate safeguards (for example, encryption or pseudonymisation). The new article also provides that a new purpose is deemed to be compatible with the original purpose in certain circumstances (such as processing for research, archiving or statistical purposes, public security, emergency response, policing crime, protecting life and limb, safeguarding vulnerable individuals, the assessment or collection of tax or complying with a legal obligation or court / tribunal order), and empowers the Secretary of State to modify the list of circumstances of deemed compatibility;
  • (processing in reliance on international treaties) broadens the scenarios in which processing may be based on a legal obligation of the controller, to include not only UK domestic law but also relevant international law. For the time being, "relevant international law" refers only to the UK-USA Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime, but the Secretary of State will be empowered to add other treaties ratified by the UK in the future;
  • (data subject rights) codifies rules that currently exist only in regulatory guidance as to: (a) when a controller can stop the 'clock' in calculating the applicable time period for responding to the exercise of a data subject's right; and (b) the obligation on the controller to perform (only) a "reasonable and proportionate search" for personal data in response to a subject access request;
  • (automated decision-making) narrows the general prohibition on the use of automated decision-making techniques to make decisions significantly affecting data subjects so that it applies only to decisions based entirely or partly on the processing of "special category" data, rather than personal data generally. Where significant decisions are made using personal data and based solely on automated processing, whether that personal data is special category data or not, the controller would be required to ensure that certain safeguards are in place to protect data subjects' rights. At a minimum, there must be measures in place to provide the data subject with information about decisions made by automated means, and enable them to respond to such decisions, obtain human intervention in relation to such decisions and contest them. The Bill also introduces a power of the Secretary of State, by regulation, to specify certain decisions as having the required significant effect for the data subject (thereby triggering the safeguards for automated processing) and add to or vary the requirements in relation to the safeguards;
  • (law enforcement processing) seeks to reduce the regulatory burden on the police by removing the requirement to record a justification each time they access or share personal data, and makes provision for expert public bodies to create codes of conduct for law enforcement processing;
  • (international transfers of personal data) reformulates the existing regime restricting the international transfer of personal data in Chapter V of the UK GDPR, for the most part by restating the existing provisions in a clearer manner. Most importantly, the DUA Bill, like the DPDI Bill, introduces a "data protection test" to be applied by the Secretary of State when deciding whether to approve an international transfer, including by way of recognising a third country's data protection regime as adequate. The Secretary of State will be required to assess whether the standard of protection in a third country or otherwise in place in respect of a transfer is "not materially lower" than the standard in the UK. This may amount to a departure from the "essential equivalence" test referred to in the European Data Protection Board's guidance, and in judgments of European Union courts, on risk assessments for international transfers of personal data – but it remains to be seen what the courts will make of this apparent distinction; and
  • (national security and intelligence services) provides new exemptions from data protection obligations in respect of data processed for national security and intelligence services purposes.

The Information Commission's role and enforcement

Like the DPDI Bill, the DUA Bill proposes to change the nature of the UK data protection regulator, seeking to make it more business-friendly (or, at least business-aware) while giving it additional enforcement powers and transferring first-instance complaint-handling responsibility to controllers. It also proposes to bring enforcement of the UK "ePrivacy" regime into alignment with UK GDPR enforcement:

  • Structure and operation: The DUA Bill, like the DPDI Bill, proposes the replacement of the Information Commissioner as the UK's data protection and freedom of information supervisory authority by an "Information Commission", which will be a body more closely resembling other statutory regulators such as Ofcom and the Competition and Markets Authority. Leadership responsibility, for example, will be allocated across a board comprising multiple individuals, including a chief executive and chair, rather than a single commissioner. In carrying out its duties, the Information Commission will be required to have regard to:

      - promoting innovation;
      - promoting competition;
      - the importance of preventing, investigating, detecting and prosecuting crime;
      - the need to safeguard public security and national security; and
      - the fact that children may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing – this consideration was not identified in the DPDI Bill.

    These considerations appear to be intended to promote a pragmatic, real-world approach to regulation and oversight.

  • New enforcement powers: The DUA Bill proposes to add to the Information Commission's regulatory toolkit by giving it new powers, to: (a) require that a controller or processor not only provide it with information, but specific documents, and/or require the preparation of a report, at the expense of the controller or processor being investigated; and (b) issue an interview notice, requiring a controller's or processor's manager or staff member to attend an interview and answer questions, where giving a false statement in response to an interview question would be an offence.
  • Complaints: The Information Commissioner's Office (ICO) currently provides the public with a mechanism for lodging complaints. It is common practice for the ICO to forward these complaints to the controllers or processors to which they relate. The DUA Bill would require controllers to maintain their own mechanisms for the receipt of complaints from data subjects, acknowledging each within 30 days and taking appropriate steps to resolve the complaint without undue delay. The hope is that this will have the effect of reducing the Commission's workload.
  • PECR enforcement: The DUA Bill updates the UK's ePrivacy enforcement regime, under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), bringing it in line with the UK GDPR and Data Protection Act 2018. Notably, this increases potential PECR fines to UK GDPR levels.

Storing or accessing information on a device: cookies, trackers and similar technologies

Schedule 12 to the DUA Bill sets out changes previously included in the body of the DPDI Bill, clarifying the rules for the use of certain low-risk cookies, trackers and similar technologies.

At present, PECR's "strictly necessary" exemption permits the storage of, or access to, information within terminal equipment (e.g. phones, browsers) via cookies, trackers and similar technologies without user or subscriber consent (as applicable) only where: (a) they are "strictly necessary" for the user or subscriber to receive the service they have requested from the service provider; or (b) where their sole purpose is transmission of a communication across a network. The DUA Bill introduces new provisions that clarify and expand the circumstances in which it will not be necessary to obtain such consent to store or access information to include (what are colloquially referred to as):

  • statistical / analytics cookies – cookies that gather information about how a website or digital service is used with a view to making improvements to the website or service;
  • functionality cookies – cookies that are necessary to provide a digital service requested by the user or enable the way a website appears or functions. Some functionality cookies are already permitted by PECR without user consent where they are "strictly necessary"; and
  • personalisation cookies – cookies that automatically authenticate a repeat user of a digital service or repeat visitor to a website and/or maintain a record of settings or preferences that the user has set to save the user the effort of setting those settings or preferences each time they return.

In these cases, it will not be necessary to show that the use of the cookie for storage or access is "necessary" for some particular purpose, but users must be provided with clear and comprehensive information about the purpose of the cookies (as with all cookies) and given a simple means to object.

Storing or accessing marketing cookies, and other cookies outside the scope of PECR's express permissions, will continue to require prior user consent.

Storing or accessing information on a device out of necessity

Schedule 12 also expands the circumstances in which information can be stored on a device out of necessity, without the user's or subscriber's consent (as relevant), to include:

  • where storage or access is strictly necessary to ensure the security of a device (such as to install security patches to software on that device), to prevent or detect fraud in connection with the provision of a digital service, to prevent or detect technical faults relating to the provision of a digital service, or to authenticate the identity of the user or subscriber, which should at a macro level improve the cyber resilience of organisations that, like the NHS, rely heavily on critical IT systems; and
  • where information is stored or accessed in order to find the geolocation of the user or subscriber of a device in order to provide them with emergency assistance. This could improve the effectiveness of police, ambulance, search and rescue and similar public services.

The requirements to provide information, and to offer an opt-out, will also not apply in these circumstances. Given the recent expansive guidelines issued by the European Data Protection Board (EDPB) on what will constitute cookies and similar technologies within the scope of the EU ePrivacy Directive, and the fact the EU ePrivacy Regulation discussions have stalled, the changes described in this section and the previous section will alter the position in the UK as against the EU.

Information standards in the NHS

Currently, health and social care providers cannot readily access or share patient care-related information, due more to inconsistencies in data quality and the poor interoperability of NHS IT systems than to lack of data. Reforms included in the Health and Care Act 2022 made information standards mandatory and extended their application to private health and care providers. The DUA Bill, like the DPDI Bill, proposes to extend the scope of information standards further, so they apply also to IT suppliers of systems and services used in the health and care system. It provides for the Secretary of State to issue non-compliance notices where it has reasonable grounds to suspect that an IT provider is not complying with an information standard, require a response from the IT provider, and publicly censure IT providers who fail to comply.

The DUA Bill, like the DPDI Bill, also contemplates the establishment of an accreditation scheme for IT services used in health and social care.

Data for improving public service delivery

The DUA Bill, like the DPDI Bill, proposes to amend the Digital Economy Act 2017 to allow UK Government departments, local councils, public authorities and the like to disclose information in order to improve public services delivered not only to individuals and households (that is, to the UK public) but also to undertakings (that is, to private-sector businesses and charities).

Investigating children's deaths

The DUA Bill, like the DPDI Bill, proposes to amend the Online Safety Act 2023 to permit a coroner investigating the death of a child to notify Ofcom of their investigation, and empower Ofcom to require internet service providers or other relevant persons to retain information relating to the prior use of an internet service by the deceased child, so that the information can be used in the course of the coroner's investigation.

Retention of biometric data for domestic security

The DUA Bill, like the DPDI Bill, proposes to amend elements of counter-terrorism legislation that address the retention and use of fingerprints and samples for purposes relating to national security and the investigation of terrorism. Without these amendments, the legislation does not expressly permit UK law enforcement authorities to retain fingerprints and other materials obtained from foreign law enforcement authorities or via INTERPOL. The amendments provide for the indefinite retention of fingerprints and other material, but not DNA samples, by a UK law enforcement authority where it is received from a foreign law enforcement authority and promptly pseudonymised.

Underground apparatus on streets

The DUA Bill, like the DPDI Bill, provides a legislative basis to underpin the existing National Underground Asset Register (NUAR) of infrastructure below street level, such as electricity and utility cables and water pipes, which is operated by Ordnance Survey on behalf of the UK Geospatial Commission. The information included in NUAR is to be prescribed in regulations and the 600+ owners of underground assets will be required to upload such information into NUAR.

Registers of births and deaths

The DUA Bill, like the DPDI Bill, proposes to support the complete digitisation of registers of births and deaths, currently still required to be maintained in hardcopy and stored in the registration district in which each birth and death occurred.

B. What's been added?

The DUA Bill introduces several changes that were not proposed in the DPDI Bill. We summarise these additions in this section.

Children's privacy

As noted above, the DUA Bill proposes to introduce a new consideration, to which the Information Commission must have regard in carrying out its data protection functions, "that children may be less aware of the risks and consequences associated with processing personal data and of their rights in relation to such processing". This mandatory consideration for the regulator should in principle raise the bar when it comes to privacy standards in respect of children's personal data, although it is fair to say that the ICO already puts a great emphasis on children's privacy, particularly in an online context.

Research into online safety

The DUA Bill also amends the Online Safety Act 2023, empowering the Secretary of State to make regulations requiring internet service providers to share information for independent research into online safety matters. Those regulations are to set out the criteria, application and handling requirements for the provision of such information.

Other additions

There are very few other substantive changes proposed in the DUA Bill beyond those proposed by its predecessor, and those additions will only have an impact in relatively specific circumstances. Of most note, the DUA Bill:

  • (processing of special categories of personal data) inserts a new Article 11A into the UK GDPR which allows the Secretary of State by regulation to alter what processing of special category data is prohibited. The DUA Bill also inserts an equivalent provision into the Data Protection Act 2018 and introduces into the Investigatory Powers Act 2016, which deals with bulk personal datasets warrants, the concept of "sensitive processing";
  • (fees and reasons for responses to data subjects' requests about law enforcement processing) (a) empowers the Secretary of State to require by regulation that law-enforcement controllers disclose the fees that they charge to respond to manifestly unfounded or excessive data subject requests; and (b) provides that, where a law-enforcement controller refuses to act on a data subject request, it must inform the data subject of its reasons and the data subject's right to lodge a complaint with the Information Commission;
  • (the Information Commission's fees) makes minor amendments to the UK GDPR and Data Protection Act 2018 to give effect to the principle that tasks performed by the Information Commission should generally be free of any charge for data subjects. It will remain the case that the Information Commission may require persons other than a data subject or a data protection officer to pay a reasonable fee for a service that the Information Commission provides to that person, but the DUA Bill also provides that such fees may only be charged where the requests are manifestly unfounded or excessive;
  • (co-ordination between financial regulators) (as noted above), empowers the Treasury to require the FCA to consult with the Payment Systems Regulator, the Bank of England and the Prudential Regulation Authority, with a view to ensuring a co-ordinated approach in the exercise of their respective functions with respect to the regulation of payment systems; and
  • (smart meter communication services) amends energy, gas and electricity laws to empower the Gas and Electricity Markets Authority to administer smart meter communication licences. These licences support the telecommunications networks to which smart meter devices connect.

C. What's been removed?

Data protection aficionados will recall concerns that the DPDI Bill could undermine the independence of the Information Commissioner's Office, weaken the strength of the UK's data protection regime from an EU perspective and in some cases, increase the compliance burden for organisations caught by both the EU GDPR and UK GDPR. In this section we briefly identify DPDI Bill proposals that did not make the cut.

Changes to the UK's data protection regime

Notable proposals that appear to have died with the DPDI Bill include:

  • The definition of personal data: The DPDI Bill had proposed to amend the definition of "personal data" in the UK GDPR by importing a consideration of whether the individual to which the data relates is identifiable "by the controller or processor by reasonable means at the time of the processing". This apparent attempt to narrow the scope of UK data protection law – although it was never quite clear whether it was an actual narrowing, or a mere clarification, of the scope of the law – may have been seen as risking material divergence from EU data protection law.
  • Democratic engagement and data relating to political opinions: The DPDI Bill proposed to introduce democratic engagement as both: (a) a deemed legitimate interest for processing; and (b) one of the conditions permitting the processing of special category data, by members of Parliament and other elected representatives to facilitate their engagement with their constituents and supporters. The DUA Bill scraps this proposal.
  • Data subject rights: The DPDI Bill proposed to amend the "manifestly unfounded or excessive" exemption for refusing to respond to (or charging a fee for responding to) the exercise of data subject rights under the UK GDPR, changing the formulation of the exemption from "manifestly unfounded or excessive" to "vexatious or excessive". This may have been intended to align the UK GDPR's data subject rights regime more closely with the UK's freedom of information regime, but attracted criticism for introducing ambiguity.
  • Information security: The DPDI Bill proposed to change references to "appropriate technical and organisational [information security] measures" to "appropriate measures, including technical and organisational measures". It is unclear what measures other than technical and organisational measures were intended to be captured by this broader notion of information security controls.
  • DPOs vs "senior responsible individuals": The DPDI Bill proposed to abolish data protection officers (DPOs) and replace them with "senior responsible individuals", who would be senior managers within an organisation. It would only be mandatory to appoint senior responsible individuals where processing was carried out by a public authority or where the organisation carried out high-risk processing activities.
  • Controllers' UK representatives: The DPDI Bill proposed to remove the requirement that organisations outside the UK caught by the UK GDPR should appoint UK-based representatives.
  • Records of processing: The DPDI Bill proposed to narrow the general requirement to maintain records of processing activities, so that it would apply only to processing likely to result in a high risk to individuals (high-risk processing), thereby reducing the compliance burden. On the other hand, it also proposed to require that records of high-risk processing include the location where the personal data is stored. The DUA Bill disposes of these changes.
  • Data protection impact assessments: The DPDI Bill proposed to replace data protection impact assessments (DPIAs) with (broadly similar) "assessments of high-risk processing". Consulting the Information Commission where a DPIA indicates that processing will result in a high risk to individuals (which appears rarely to happen in practice) would have become optional.

The UK Government's role in setting the Information Commission's priorities

The DPDI Bill had proposed to allow the Secretary of State to set strategic priorities which would be binding on the Information Commission. This would have permitted the government of the day to influence the way that data protection law is enforced, to ensure that enforcement would align with that government's agenda. Some commentators argued that these changes might undermine the independence of the Information Commission as a data protection supervisory authority, putting the UK's adequacy position under the EU GDPR in danger.

Electronic direct marketing

The DPDI Bill proposed to amend Regulation 22 of PECR to extend PECR's "soft opt-in" regime, which currently applies only to commercial marketing communications, to the sending of promotional communications for charitable, political and other non-commercial purposes. This could have opened the door to the sending of promotional text messages and emails by charities and political parties. The DPDI Bill also proposed to empower the Secretary of State to make regulations providing an exception from the direct marketing restrictions to allow direct marketing for purposes relating to democratic engagement.

Monitoring of social-security recipients' bank accounts?

The DUA Bill has (at least temporarily) scrapped controversial amendments to social security legislation proposed in the DPDI Bill, which would have allowed the Department of Work and Pensions to obtain information on the bank accounts of benefits claimants. These provisions, which were highly contentious, will likely re-appear in some form (although possibly with some additional privacy safeguards for claimants) in the forthcoming Fraud, Error and Debt Bill, as foreshadowed by the Chancellor of the Exchequer in her Autumn Budget.