Thorntons’ Loretta Maxfield and Cara Collins explore three critical data protection developments to prepare for this year.
Significant changes to the data protection landscape are expected in 2025, thanks to the new Data (Use and Access) Bill, the renewal of the UK/EU adequacy decision and the possibility of new artificial intelligence legislation. It’s crucial to stay ahead of these shifts by considering their implications early.
The multifaceted Data (Use and Access) Bill (DUAB) was introduced to Parliament by the UK Government in late October 2024 to make targeted reforms to the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 and other digital-related laws. The DUAB has successfully completed the House of Lords Committee stage, and the report stage took place at the end of January. Rather than entirely replacing the current data protection frameworks, the new Bill seeks to refine and build on the existing provisions, representing a shift from the previous Data Protection and Digital Information Bill (DPDI), which lapsed under the Conservative-led Government. Several elements of the previous Bill have been dropped and instead, the Labour Government plans to make more gradual changes to the data protection landscape by giving statutory footing to the following key provisions:
- PECR enforcement: The new Bill seeks to align the enforcement powers under the UK GDPR and Privacy and Electronic Communications Regulations (PECR), which is relevant to cookie use and direct marketing practices. This means that fines that would normally be subject to a £500,000 limit under PECR could now be subject to significantly higher limits under UK GDPR, immediately increasing the risk profile of poor cookie management and electronic direct marketing practices.
- Automated decision-making (ADM): The DUAB softens the provisions in Article 22 of the UK GDPR, with new provisions that expand the circumstances in which ADM systems can be used. It will be welcomed by those who currently operate or look to use AI systems in particular, although restrictions will remain in place for special category data.
- International data transfers: Data transfers to third countries are also addressed under the new Bill, with new provisions being introduced that set a specific adequacy test that the Secretary of State will apply when determining the adequacy status of third countries. Instead of an adequacy decision being granted where a third country is considered by the UK to have an “adequate” level of data protection, the new test merely requires that third countries maintain protections that are “not materially lower” than those of the UK, thereby lowering the standard required. This is likely to lead to more third countries being deemed “adequate”, making it easier to transfer personal data outwith the UK.
- Research: The new Bill also develops the existing research provisions of the UK GDPR by expanding the scope of scientific research definitions and introducing flexible consent for processing personal data in research contexts. This will essentially mean that a data subject’s consent can be used for the purposes of an existing research project as well as extensions of that research project if it evolves for new purposes, which will promote innovation and provide greater flexibility within the research sector.
- Recognised legitimate interests: The DUAB preserves the concept of “recognised legitimate interests” from the DPDI and includes additional grounds, such as fraud prevention, business operations and public interest, which have now been formalised as official grounds of legitimate interests. This will provide clarity to organisations on what would be considered a legitimate interest for processing and will make it easier for them to identify when it would be appropriate to use legitimate interests as a lawful basis for processing. Processing based on recognised legitimate interests will not require a Legitimate Interest Assessment (LIA) to be documented. The new Bill also allows the Government to make further additions in the future, enabling flexibility to respond to emerging data protection advancements.
- Data Subject Access Requests (DSARs): Under the new Bill, the ICO’s current guidance on reasonable and proportionate responses has been directly incorporated into Article 15 of the UK GDPR. Not only will this further clarify the process for responding to requests, but it will also provide data controllers with more flexibility to respond with proportionate searches, which will particularly benefit data controllers when handling overly burdensome, complex or disproportionate requests.
- Special category data additions: Another significant addition to the DUAB is the power for the Secretary of State (subject to Parliamentary approval) to expand the list of special category types of data and make changes to the basis on which such data can be processed. This will consequently increase the burden on organisations as they will be required to closely monitor any new additions to the list and implement the necessary data protection safeguards should any additions affect their processing activities.
In early summer 2025, the EU is expected to review the adequacy decision for the UK as part of its periodic review mechanism under Article 45(3) of the EU GDPR. The review will assess whether the UK continues to ensure an adequate level of data protection, equivalent to that within the EU, by evaluating the UK’s legal framework, including its data protection laws, enforcement mechanisms and any developments since the last review. Having an adequacy decision in place between the UK and the EU is a significant efficiency benefit, as it means that EU businesses and organisations can seamlessly transfer personal data to the UK without having to put in place appropriate safeguards, such as the EU-approved standard contractual clauses for international transfers of personal data, or undertaking a Transfer Impact Assessment (TIA).
In the absence of an EU adequacy status, there is likely to be significant disruption to data transfers between the two regions. Maintaining data flows between the UK and the EU could become less straightforward for organisations, as it is likely to result in an increased compliance and administrative burden, with potential delays in data processing and increased costs due to additional legal requirements. Furthermore, not only could the absence of an EU adequacy status result in issues for security cooperation by restricting flows of data, but it could also result in legal uncertainty as data protection authorities are likely to scrutinise data transfers more closely, thereby affecting cross-border business operations.
That said, the UK still implements a retained version of the EU GDPR, so it would be surprising if it were to suddenly lose its adequacy decision given that it does not significantly diverge from the EU’s current approach. This is, however, subject to review and is therefore something to keep a close eye on in 2025.
In the Government’s latest response to the House of Commons Committee report on the governance of artificial intelligence (AI), it has signalled its intention to introduce a piece of AI-specific legislation. This is a considerable shift from the Government’s earlier approach to AI governance: rather than implementing AI legislation as the EU has done, it previously planned to leave each regulator to develop its own sector-specific AI guidance.
This sits squarely with Sir Keir Starmer’s recent announcement that the UK Government has adopted an AI Opportunities Action Plan to position the UK as a future global leader for AI.
Clearly, real efforts are being made by the Government to develop effective and meaningful AI governance frameworks to address current concerns over the innovative technology. However, as always, the devil is in the detail and further comment can be made in due course when the full consultation is published.
Written by Loretta Maxfield, partner, and Cara Collins, trainee solicitor, Thorntons