New UK legislation on the use of data is set to come into force on 19 July 2025. The government claims it will “unleash … a goldmine of data”, but civil society groups have expressed concerns about many of the changes.
They argue that the right of individuals not to be subject to automated decision-making has been diminished. The concerns may yet lead to the European Commission (EC) rescinding the UK’s data adequacy status – which was granted to allow for the free flow of data between the UK and EU following Brexit.
The Data Use and Access Bill was passed in the UK Parliament on 11 June 2025, and now awaits royal assent to become law. It amends UK implementation of the UK GDPR and the EU Law Enforcement Directive (LED), which is transposed into UK law via the Data Protection Act (DPA) 2018.
Key changes
When the Bill becomes an Act it will introduce some important changes to the application of GDPR.
- Protections against automated decision-making (ADM) that currently exist under Article 22 have been removed in the general case, and now apply only to decisions that significantly affect individuals or that involve special category data.
- A list of “recognized legitimate interests” can be introduced by organizations that want to process data without legitimacy assessments – those interests include national security, crime prevention and safeguarding.
- A set of “purpose limitation” rules has also been introduced that make it easier for data to be processed outside the terms of its originally intended use.
- Where data is used for service or website improvement, user consent to deploy cookies and other tracking technology is no longer required. The use of third-party tracking cookies will still require user consent.
- Specifically regarding law enforcement, the Act will allow the routine transfer of data to offshore cloud providers, removes the requirement for police to log justifications for accessing data, and enables security services to share data outside LED rules.
- The groundwork for more regulation of Smart Data Schemes has been laid. This aims to improve data portability between suppliers, service providers, customers and relevant third parties.
- A statutory framework for Digital Verification Services will be introduced, setting up a register of certified providers and using trust marks.
- Common standards for health records will be introduced to promote data sharing.
- The Information Commissioner’s Office will be abolished and replaced by an Information Commission, which will be run by a board. The Secretary of State will be given the power to appoint non-executive members of the commission, and to direct regulatory priorities.
- Individuals will now have to raise complaints directly with organisations before going to the new Information Commission.
Growth and efficiency
The government is presenting the changes as part of its drive to promote growth for the business sector and deliver tangible change to ordinary people, emphasising efficiency gains and convenience. Technology secretary Peter Kyle said that the available “goldmine of data” was “a powerful resource which can be used to help families juggle food costs, slash tedious life admin, and make our NHS and police work smarter.”
Assessing the proposals, the Information Commissioner’s Office has said they were “pragmatic and proportionate amendments to the UK regulatory landscape.”
Groups such as the Open Rights Group, and European Digital Rights, are pressing the EC to re-evaluate its decision on UK data adequacy, arguing that the DUA Bill is a “systemic weakening of privacy and data protection standards.” The EC has extended the deadline for its decision to the end of the year in order to allow it to assess the DUA changes.
Data transfers
This has particular significance for data transfers, as Debbie Heywood, senior counsel – knowledge at global law firm Taylor Wessing, observes.
Noting a “subtle change to the UK data transfer regime,” she writes: “The Secretary of State will be able to carry out a new data protection test to determine whether the destination country’s standard of data protection is ‘not materially lower’ than the standard in the UK. The current standard is that the destination country must offer ‘essentially equivalent’ protections.”
She advises organizations to “maintain a watching brief on issues around data transfers.”