
The DUAA’s Impacts on Cross-Border Data Regulation

  • 10 hours ago

Irina Mechkarova

London, UK


Image: TheDigitalArtist / Needpix / Public Domain.

Overview

Since coming into force last year, the Data Use and Access Act (DUAA) has become the UK’s first major post-Brexit reform of data protection law. Acting as an extension of the General Data Protection Regulation (GDPR), the DUAA has introduced a series of amendments that have both worrying and exciting implications for international UK businesses. We will explore these key changes and what they reflect about modern data policy:

1.  The introduction of ‘recognized legitimate interests’ – certain data processing will be permitted without the full documentation that was previously required.

2.  The formal right for individuals to complain directly to businesses – this includes a requirement for businesses to demonstrate a clear complaints process.

3.  Relaxation of automated decision-making regulations – this allows for AI-driven decisions, including those involving ‘special category’ data like health and ethnicity, if accompanied by human review.

4.  Streamlined compliance documentation for businesses in certain contexts.

Notably, these changes do not mark a wholesale rewrite of previous data protection law, given the EU’s limitations on how far the UK can deviate in its regulations. However, they do mark an important shift in how willing we are to implement looser data restrictions.

Cross-Border Incompatibility

The DUAA has been criticized for creating inefficiency for cross-border businesses, given the multiple layers of compliance it has added. Commercially, firms must choose between efficiency and scalability: they either adopt EU GDPR as their standard, thus sacrificing the advantages of the UK’s looser restrictions, or fragment their operations, which would increase costs. Whilst this may not be a problem for the largest businesses, who may in fact benefit more from the latter strategy, it may be less viable for mid-market businesses, who must now reconsider their global expansion strategy. This uneven distribution of leverage creates a dual-market structure where UK firms are at an advantage and EU firms lag behind due to higher data protections. Greater access to user data is a massive advantage, lighter documentation reduces upfront compliance costs, and the increased complaint obligations may help avoid or more quickly resolve litigation disputes. This comes with the promise of encouraging firms to uphold a high legal standard, reflecting a greater commitment to managing the risks that may otherwise accompany looser data protections.


Automated Decision-Making and Public Image Implications

On the note of relaxed restrictions, the DUAA’s increased permissions on automated decision-making are arguably its most significant shift.

This creates an undeniable competitive advantage for UK businesses by lowering the barriers to AI integration. Yet it leaves us with a critical question as to whether the requirement for ‘human review’ is as strong a safeguard as it presents itself to be. If the original reviewing mechanisms are, presumably, weak – even if they are strong overall, we must account for design flaws – then liability merely increases if human review systems are not robust enough. Thus, whilst firms can act more freely in some cases, we may want to acknowledge the risk of reputational damage if flawed AI systems undermine a firm’s public credibility. Since consumers will be more aware of how their data is being used due to increased access requests and stricter complaint obligations, even a firm’s legal practices can amplify public scrutiny in the face of higher consumer expectations.
