I have just realised that the Data (Use and Access) Bill (DUAB), which returns for its Commons Report stage today, degrades two of the Data Protection Principles in Article 5 of the UK_GDPR; namely the Principles dealing with lawfulness and with purpose limitation (i.e. compatibility) [A.5(1)(a) and A.5(1)(b)].
Indeed, the revised wording of the Purpose Limitation Principle [A.5(1)(b)] does not meet the requirement set more than four decades ago, in 1981, by the Council of Europe Convention No 108. This blog goes into this new wording in detail.
With respect to the Principle dealing with lawfulness [A.5(1)(a)], although Parliament can define “lawful” processing of personal data in any way it wants (e.g. by the introduction of Recognised Legitimate Interests), the Government is clearly specifying certain processing of personal data as lawful in circumstances not envisaged by our partners in Europe.
It goes without saying that the variation of these two Principles facilitates the Government’s wider data sharing or economic priorities; these objectives are given precedence over those related to the protection of personal data or personal privacy.
Remember also that a House of Lords Committee has already concluded that DUAB’s proposals with respect to lawfulness and compatibility are not justified (see references). The changes discussed in this blog are additional to that lack of justification.
Finally, with the Home Office again toying with the idea of changing the human rights regime so as to modify the requirement to respect private and family life (i.e. A.8 ECHR) in the context of immigration, questions about the renewal of the Adequacy Decision granted by the European Commission to the UK could again rear their ugly head (as they did with the DPDI Bill; see references). That renewal is due later this year.
The current Purpose Limitation Principle
Disregarding the second part of the current Principle in A.5(1)(b) of the UK_GDPR (which specifies how further processing of personal data for scientific research can be compatible with the purpose of obtaining), the Purpose Limitation Principle states:
“Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…”.
Note that the target of this Principle is the controller that has collected the personal data about a data subject and wants to further process those personal data for something else. In further detail:
- specified means the purpose of collection is specified to the data subject (e.g. in a Privacy Notice as required by A.13 or A.14, subject to any applicable exemption).
- explicit means any such specification should be unmissable (in the same way as “explicit” is used to distinguish “explicit consent” (as used in A.9) from “consent” (as used in A.6)).
- legitimate purposes means the Controller’s purpose has to be lawful (and, if A.6(1)(f) applies, the purpose is recognised as being reasonable following the CJEU judgements in C-621/21 and C-252/21).
- not further processed in an incompatible manner means not further used, disclosed, retained, transferred etc., usually for a very different purpose, where incompatibility is assessed using the routes specified in A.6(4).
The incompatibility assessment in A.6(4) offers three routes. The further processing of personal data is not incompatible with the purpose of obtaining if that processing:
- has the consent of the data subject (where consent satisfies the requirements of A.7);
- is required by a law that safeguards one of the objectives specified in A.23(1), for instance disclosure of personal data for law enforcement, immigration or taxation purposes; or
- takes into account the factors listed in A.6(4). These include the link between the further purpose and the purpose of obtaining, the nature of the personal data that are further processed, the relationship between data subject and controller, the possible consequences for the data subject, and the safeguards applied.
Note that the controller might have an A.6 lawful basis for the further processing and yet that processing can still breach the Purpose Limitation Principle. The corollary is also true: the fact that the further processing is compatible in terms of the Purpose Limitation Principle does not make it lawful in terms of A.6. The two tests are independent.
The revised Principle upends all the above.
The revised Purpose Limitation Principle
The new Principle, as changed by DUAB [Clause 71(2)], reads as follows (the additions, shown in bold italics in the original, are “(whether from the data subject or otherwise)”, “by or on behalf of a controller” and “the purposes for which the controller collected the data”, the last replacing “those purposes”):
“Personal data shall be collected (whether from the data subject or otherwise) for specified, explicit and legitimate purposes and not further processed by or on behalf of a controller in a manner that is incompatible with the purposes for which the controller collected the data.”
I shall argue that there could be three controllers involved with the revised Principle: a Controller that collects personal data, a Controller that discloses personal data, and a third Controller that processes personal data on behalf of the other two Controllers (as well as the data subject).
My argument is that, whereas the current Principle protects the data subject from inappropriate further processing, the revised Principle protects the Government’s economic priorities or data sharing objectives from challenge. I will now show how this is achieved.
Deconstructing the new Principle
The segment “Personal data shall be collected (whether from the data subject or otherwise)…” means the personal data can be collected by a Controller from the data subject or from anybody, anywhere (e.g. from another Controller).
It can be seen that if the collection of personal data is from the data subject, the effect of the Principle is unchanged from the current arrangements. It is the “or otherwise” that causes the potential problem.
If the intent of the inclusion of “(whether from the data subject or otherwise)” is merely to clarify the Principle (i.e. that the processing subject to the Principle is the Controller’s collection of personal data, about the data subject, whether from the data subject or from other sources), then there would be no need to depart from the original Principle’s text, which already has that effect (as explained above).
In other words, DUAB’s modification (“whether from the data subject or otherwise”) is otiose.
Indeed, if there had been a demand for clarity from confused controllers with respect to the intent of this Principle, then surely it would have surfaced in the intervening four decades since the enactment of the DPA1984, or from any of the 46 Member States that have acceded to CoE Convention No. 108 since 1981.
After all, the unchanged Purpose Limitation Principle has been applied without difficulty to protect the interests of three quarters of a billion data subjects for at least thirty years.
Additionally, if the intent was to clarify the original Principle, the revised text should have said something like: “Personal data shall be collected about the data subject (whether from the data subject or otherwise)…”.
But the text does not say that. That is why, I think, the use of “or otherwise” has the potential to support a different interpretation.
Application of the new interpretation
In summary, I think the revised Principle can be interpreted as applying to the circumstances in which a collecting Controller obtains personal data, about the data subject, from a disclosing Controller, as happens in any data sharing. In these circumstances, the obligations arising from the Principle are not directed at protecting the data subject but at legitimising the processing of the collecting and disclosing Controllers.
For instance, the segment “specified, explicit and legitimate purposes” raises the question: “specified” or “explicit” TO WHOM?
For example, suppose a collecting public sector Controller requests personal data from a disclosing Controller for any of the former’s public tasks. The new Principle is satisfied if the obtaining Controller (the public body) reassures the disclosing Controller by explicitly specifying the legitimate purposes associated with the request.
So there is no breach of the new incompatibility arrangements if a disclosure of personal data satisfies the requirements in paragraph 1 of Annex 1 (the Recognised Legitimate Interest for disclosure to a public body for its public tasks). In other words, any disclosure of personal data to any public body for any public task is very likely to be both lawful and compatible.
The third Controller
The segment “not further processed by or on behalf of a controller”, via the use of “a controller” rather than “the controller”, could introduce a third Controller who processes personal data on behalf of either the collecting Controller or the disclosing Controller.
If the legislation had stated “not further processed by a processor” then this would have excluded any involvement of a third Controller.
I think this is an example of careless drafting, so I will drop the point now.
More undermining
The Purpose Limitation Principle is also undermined by the deeming of some purposes as always being compatible (e.g. further disclosure or use of an existing set of personal data for AI training for any purpose is compatible if the processing is to check how the AI system complies with the Principles; new A.8A(3)(c) as introduced by DUAB).
Oh, I forgot to say. If you consent to the processing of your personal data by a controller, there is no breach of the Purpose Limitation Principle if those personal data are further used or disclosed for checking AI training algorithms in order to test whether the processing satisfies the A.5 Principles in general.
Under DUAB, it does not matter what the final purpose of the AI training is, or what the final AI system is to be used for.
What about fairness and transparency?
The transparency arm of the first Principle in A.5 (i.e. A.5(1)(a)) is additionally undermined by the new exemption for private and public scientific research (which is defined to include some AI training/development research), subject to the application of the dubious/dodgy “appropriate safeguards” specified in A.84B as inserted by DUAB.
For those who have not followed this scientific R&D saga, DUAB allows existing personal data collections to be used or disclosed for any scientific research project without informing the data subject directly about the research purpose itself, so long as these appropriate safeguards apply (see references).
Unfortunately, although the A.84B appropriate safeguards are explicitly referenced in the modified A.13 requirements (collection from the data subject), the new A.14 requirements (collection from another source) are not explicitly linked to A.84B. The result is that a different set of “appropriate safeguards” could apply depending on whether a controller obtains personal data from data subjects or from another controller.
So much for consistency.
Concluding comment
You have to congratulate the Government. The last Conservative administration, with its DPDI Bills, managed to turn the data protection clock back to 1984 by using a sub-standard definition of “personal data”. This Government has bested that record by three years: its legislation cannot meet a DP standard set in 1981.
In addition, when you look at the UK’s new data protection landscape, what do you see? A data protection law that, in relation to the lawful and compatible processing of personal data (excluding special category personal data):
- makes lawful and compatible, any personal data sharing with any public sector controller for any public task;
- allows any existing personal database to be used for AI training purposes without being deemed incompatible irrespective of the final purpose of the AI system;
- allows any existing personal database to be secretly processed for any further scientific research purpose without any regard for the final objective of the research, assuming some inconsistent and dodgy appropriate safeguards apply;
- negates the prohibition on automated decision taking and permits unfettered automated decision taking via AI techniques;
- is subject to a government and two opposition parties that are actively considering amendment to (or withdrawal from) the UK’s commitment to Article 8, ECHR; and
- is regulated by an invisible Commissioner who has eschewed his powers of enforcement.
And this is not the complete list of DUAB issues (see references for a complete list).
Under such circumstances, would you renew the UK’s Adequacy Decision? My answer lies somewhere between “a reluctant YES for a very limited period” and a straight “NO”.
Summer courses for DP specialists
Amberhawk is holding a workshop on the changes to the UK’s data protection regime arising from the DATA (USE AND ACCESS) BILL, by Zoom, on Thursday 19th June 2025 (10.00am-4.30pm; £275+VAT).
The following BCS Practitioner or Foundation courses can be attended in person, via Zoom, or as a mixture (i.e. part Zoom, part attendance, just in case “stuff happens on the day”).
- Data Protection FOUNDATION Course: London on JUNE 24-26 (Tuesday to Thursday, 3 days: 9.45am to 5.00pm).
- Data Protection PRACTITIONER Course: London on JUNE 30-JULY 4 (5 days: Monday to Friday: 9.30am to 5.30pm).
More details on the Amberhawk website: www.amberhawk.com or email [email protected]
References
Article 5(b) of CoE Convention No 108 states that personal data shall be “stored for specified and legitimate purposes and not used in a way incompatible with those purposes”.
Powers defining lawfulness/compatibility (Annex 1 and 2 of DUAB) not justified: House of Lords Delegated Powers and Regulatory Reform Committee, 9th Report of Session 2024–25, HL Paper 49 (28 November 2024).
Blog on research: “Data Bill legislates for expansive degradation of data subject protection”; https://amberhawk.typepad.com/amberhawk/2025/02/data-bill-legislates-for-expansive-degradation-of-data-subject-protection.html
Blog on the interaction between Adequacy, Human Rights and Data Protection: “DPDI No 2 Bill should be paused until the UK Bill of Rights position is resolved”; https://amberhawk.typepad.com/amberhawk/2023/03/dpdi-no-2-bill-should-be-paused-until-the-uk-bill-of-rights-position-is-resolved.html
Blogs on the problems with DUAB, Parts 1 and 2, published on 25th and 27th February 2025: Part 1 at https://amberhawk.typepad.com/amberhawk/2025/02/data-bills-problems-exposed-as-government-rush-duab-through-parliament-part-1.html and Part 2 at https://amberhawk.typepad.com/amberhawk/2025/02/data-bills-problems-exposed-as-government-rush-duab-through-parliament-part-2.html
Blog on the DPDI’s definition of personal data falling below the DPA1984 standard: https://amberhawk.typepad.com/amberhawk/2022/08/new-data-protection-bill-defines-personal-data-below-dpa1984-threshold.html