It is International Data Protection Day and an excellent time to look ahead to 2025 and consider what it may bring. This article explores three critical Data Protection developments to look out for in 2025, particularly the new Data (Use and Access) Bill (the “DUAB”), the renewal of the UK/EU adequacy decision and the possibility of new artificial intelligence (“AI”) specific legislation.
The Data (Use and Access) Bill:
The multi-faceted Data (Use and Access) Bill was introduced to Parliament by the UK Government in late October 2024 in order to make targeted reforms to the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 and other digital-related laws. The Bill has now successfully completed the House of Lords Committee stage, and the report stage is scheduled to take place imminently. Rather than entirely replacing the current Data Protection framework, the new Bill seeks to refine and build on the existing provisions, representing a shift from the previous Data Protection and Digital Information Bill (DPDI), which lapsed under the Conservative-led government. Several elements of the previous Bill have been dropped and, instead, the Labour government plans to make more gradual changes to the data protection landscape. A brief summary of the key features includes:
- PECR Enforcement: the new Bill seeks to align the enforcement powers under the UK GDPR and the Privacy and Electronic Communications Regulations (PECR), which are relevant to cookie use and direct marketing practices. This means that fines that would normally be subject to the £500K limit under PECR could now be subject to the significantly higher limits under the UK GDPR, immediately increasing the risk profile of poor cookie management and electronic direct marketing practices.
- Automated Decision-Making: the new Bill softens the provisions in Article 22 UK GDPR with new provisions that expand the circumstances in which ADM systems can be used, which will be welcomed in particular by those who currently operate, or are looking to use, AI systems. Restrictions will, however, remain in place for special category data.
- International Data Transfers: data transfers to third countries are also addressed under the new Bill, with new provisions being introduced that set a specific adequacy test that the Secretary of State will apply when determining the adequacy status of third countries. Instead of an adequacy decision being granted where a third country is considered to have an “adequate” level of data protection compared with the UK, the new test merely requires that the third country maintains protections which are “not materially lower” than those of the UK, thereby lowering the standard required. This is likely to lead to more third countries being deemed ‘adequate’, making it easier to transfer personal data outwith the UK.
- Research: the new Bill also develops the existing research provisions of the UK GDPR by expanding the scope of the scientific research definitions and introducing flexible consent for processing personal data in research contexts. This will essentially mean that a data subject’s consent can be relied on for the purposes of an existing research project as well as for extensions of that project if it evolves to cover new purposes, which will promote innovation and provide greater flexibility within the research sector.
- Recognised Legitimate Interests: the DUAB preserves the concept of “recognised legitimate interests” from the DPDI Bill and includes additional grounds, such as fraud prevention, business operations, and public interest, which have now been formalised as official grounds of legitimate interests. This will provide clarity to organisations on what would be considered a legitimate interest for processing and will make it easier for them to identify when it would be appropriate to use legitimate interests as a lawful basis for processing. Processing based on recognised legitimate interests will also not require a Legitimate Interest Test to be documented. The new Bill also allows the government to make further additions in the future, enabling flexibility to respond to emerging data protection advancements.
- Data Subject Access Requests (DSARs): under the DUAB, the ICO’s current guidance on reasonable and proportionate responses has been directly incorporated into Article 15 UK GDPR. Not only will this further clarify the process for responding to requests, but it will also provide data controllers with more flexibility to respond with proportionate searches, which will particularly benefit data controllers when handling overly burdensome, complex or disproportionate requests.
- Special Category Data Additions: another significant addition in the DUAB is the power for the Secretary of State (subject to Parliamentary approval) to expand the list of special category types of data and to make changes to the basis on which such data can be processed. This will consequently increase the burden on organisations, as they will be required to closely monitor any new additions to the list and implement the necessary data protection safeguards should any additions affect their processing activities.
UK/EU Adequacy Decision:
In early summer of this year, the European Union is also expected to review the adequacy decision for the United Kingdom as part of its periodic review mechanism under Article 45(3) of the GDPR. The review will assess whether the UK continues to ensure an adequate level of data protection, equivalent to that within the EU, by evaluating the UK's legal framework, including its data protection laws, enforcement mechanisms, and any developments since the last review. Having an adequacy decision in place between the UK and the EU is a valuable practical benefit, as it means that EU businesses and organisations can seamlessly transfer personal data to the UK without having to put in place appropriate safeguards, such as the EU-approved standard contractual clauses for international transfers of personal data, or undertaking a Transfer Impact Assessment.
In the absence of EU adequacy status, there are likely to be significant disruptions to data transfers between the two regions. In particular, maintaining data flows between the UK and the EU could become less straightforward for organisations, as it is likely to result in an increased compliance and administrative burden, with potential delays in data processing and increased costs due to additional legal requirements.
The UK still implements a retained version of the EU GDPR and so it would be surprising if it were to suddenly lose its adequacy decision given that it does not significantly diverge from the EU’s current approach. This is, however, subject to review and is therefore something to keep a close eye on in 2025, particularly if your organisation receives personal data from organisations in the EU.
New Artificial Intelligence Legislation:
In the Government’s latest response to the House of Commons Committee report on the governance of AI, it has signalled its intention to introduce a specific piece of AI legislation. This is a considerable shift from the government’s earlier approach to AI governance: rather than introducing AI-specific legislation as the EU has done, it previously planned to leave each regulator to develop its own sector-specific AI guidance.
This sits squarely with Sir Keir Starmer’s recent announcement that the UK Government has adopted an AI Opportunities Action Plan to position the UK as a future global leader for AI.
Clearly, real efforts are being made by the Government to develop effective and meaningful AI governance frameworks to address current concerns over this innovative technology. However, as always, the devil is in the detail, and further comment can be made in due course when the full consultation is published.