Data law | UK Regulatory Outlook March 2025
Published on 26th March 2025
UK: Data (Use and Access) Bill update | ICO plans on AI, online advertising and international data transfers | ICO Children's code strategy | ICO responds to consultation on copyright and AI
EU: EU Commission proposal on UK adequacy decisions | GDPR to become part of EU's simplification drive | EDPB statement on age assurance | CJEU: data subjects' rights regarding automated decisions

UK updates
Progress update on the Data (Use and Access) Bill
The Data (Use and Access) Bill is speeding through the legislative process. It has passed the Commons committee stage and is at the report stage. Once the Commons has finalised its desired drafting, it will return to the House of Lords.
According to comments made at the IAPP UK conference this month, government ministers do not consider the bill to be the correct vehicle to resolve AI issues, or the Information Commissioner's Office (ICO) to be the default AI regulator (both of which are included in the current draft of the bill). However, the government acknowledges that there are strongly held views in the Lords on AI/copyright, and so it is difficult to predict how long the "ping pong" process between the Lords and Commons will last as these points continue to be debated. That said, the Department for Science, Innovation and Technology (DSIT) currently still expects the bill to receive Royal Assent this "Spring", possibly around Easter.
Once the bill is enacted, the DSIT expects a phased approach to implementation and is having conversations with the ICO about what it will look like, including on the publication of codes of practice and guidance.
Early implementation is now expected to focus on the structural changes, such as ICO duties. More complex changes or provisions requiring deeper compliance might then follow, with a longer lead-in time for organisations to get ready – around 6-12 months.
ICO reveals plans on AI, online advertising and international data transfers
The ICO has announced an "ambitious set of commitments" to support the government's growth agenda. Key initiatives include:
- AI: introducing a statutory code of practice for businesses developing or deploying AI.
- Online advertising: simplifying the Privacy and Electronic Communications Regulations (PECR) consent requirements (which mainly relate to cookies and other tracking technology). The ICO has committed to (a) support the government in developing secondary legislation to amend PECR by creating an exemption for specific low-risk advertising purposes, and (b) publish a statement in the autumn identifying low-risk advertising activities unlikely to cause harm or trigger enforcement action. The ICO will consider safeguards it would expect to reduce risks to users and devices. The ICO considers that this shift would incentivise businesses to adopt less intrusive advertising techniques.
- International data transfers: publishing new guidance on international data transfers, "making it quicker and easier for businesses to transfer data safely". The ICO will work with government to review adequacy assessments for key trading partners.
- Data training: providing free data essentials training to help small businesses comply with data protection law.
- Experimentation regime: piloting a regime for businesses to trial innovative data-driven solutions under strict oversight. During the pilot, the participating businesses will have a degree of "comfort from enforcement" of certain data protection requirements, starting with consent rules for privacy-preserving advertising models.
The ICO has promised to provide further details over the coming months, so these are areas to look out for.
ICO Children's code strategy: progress update
The ICO has published a progress update on its Children's code strategy, which, for 2024/25, is focused on the ways social media and video sharing platforms (SMPs and VSPs) protect children's information online.
The ICO's last update was published in August 2024 and included the high-level findings from its review of 34 SMPs and VSPs, as well as a related call for evidence – see this Regulatory Outlook. The regulator has now also published its response to that call for evidence.
The update contains examples of how some organisations have changed their children's data practices following ICO intervention. It also includes a comparison table of some of the account set-up practices of 29 of the 34 SMPs and VSPs that were the subject of the 2024 review.
In this latest update, the ICO expresses concern at the amount and range of children's personal data used in recommender systems, and whether there are sufficient protections in place. It stresses that SMPs and VSPs using children's personal data in such systems must ensure that their approach is lawful, fair and transparent, and minimises data collection.
The ICO is also concerned that, as its 2024 review showed, many platforms rely on users self-declaring their age, which the ICO says is unlikely to be effective if there are significant risks to children from data processing on that service. Some platforms also use profiling to identify users under 13, but there is limited evidence on whether this is effective. The ICO is therefore writing to these platforms to better understand their approach and will consider next steps based on the information received.
The protection of children's data remains high on the ICO's 2025 agenda (see this Regulatory Outlook). All businesses processing children's data or offering their services to children must stay alert to the regulator's activity in this area.
ICO responds to government consultation on copyright and AI
EU updates
EU Commission proposes to extend adequacy decisions for the UK by six months
The EU Commission has proposed extending the two 2021 adequacy decisions with the UK, due to expire on 27 June 2025, for a period of six months until 27 December 2025. This will allow time for the legislative process on the Data (Use and Access) Bill to conclude in the UK (see above). Once concluded, the Commission will assess the new legal framework and decide on its adequacy. In the meantime, the UK data protection rules that were found adequate in 2021 remain in place and continue to apply to data transferred from the EEA.
Assuming that the European Data Protection Board (EDPB) approves the draft extension decisions, the free flow of data from the EEA to the UK would be maintained until at least 27 December 2025. The government is thought to be keen to maintain the UK's current adequate status, so, given the size of its majority and the relatively limited nature of the changes proposed, it seems unlikely that it would allow any changes to the bill that might jeopardise the position.
GDPR to become part of EU's simplification drive
The EU Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, Michael McGrath, has told an audience in Washington DC that the General Data Protection Regulation (GDPR) will be a part of the EU's simplification programme. In particular, the Commission wants to look at the recordkeeping obligations of firms and organisations with fewer than 500 people to "ease the burden". He said that the GDPR will be included in a future omnibus package.
EDPB adopts statement on age assurance
To ensure a consistent EU approach to age assurance, the EDPB has published a statement setting out ten high-level principles for the compliant processing of personal data when assessing a user's age. The principles primarily address the requirements in Article 5 of the GDPR and apply to various online use cases, including when a minimum age is prescribed by law in relation to:
- Purchasing products.
- Using services that are potentially harmful to children.
- Executing certain legal acts.
- When there is a duty of care to protect children (for example, to ensure that services are designed or offered in an age-appropriate way).
CJEU: data subjects have a right to understand how automated decisions about them are made
In Case C-203/22, the Court of Justice of the European Union (CJEU) held that under the GDPR, individuals have the right to clear, concise and transparent information about how their data is used in automated decision-making processes.
A mobile telephone operator had refused a customer's request to conclude or extend a mobile telephone contract based on an automated credit assessment, carried out by Dun & Bradstreet Austria GmbH (D&B), which stated that the customer was not sufficiently creditworthy. The customer complained to the Austrian data protection authority, which ordered D&B to provide meaningful information about the logic involved in the automated decision-making. D&B brought proceedings in the Austrian courts, arguing that this information amounted to a trade secret or involved third party personal data, and that as such, D&B was entitled to refuse to provide it.
The Austrian court ruled that D&B had breached Article 15(1)(h) of the GDPR, either by failing to: (a) provide the customer with meaningful information about the logic involved in the automated decision-making, or (b) sufficiently explain to her why it was unable to provide that information.
The Austrian court referred the matter to the CJEU, asking various questions on the correct interpretation of the GDPR and directive 2016/943 on the protection of trade secrets. The CJEU held that:
- In relation to "meaningful information about the logic involved", the data subject is entitled not only to an explanation of the procedure and principles used to make decisions based on their personal data, but also to additional information to allow them to verify that the data provided was correct and had been processed lawfully. This explanation must be clear, concise, transparent and easy to understand.
- Simply providing a complex mathematical formula, such as an algorithm, or a detailed description of the steps taken in the automated decision-making process will not meet the obligation. The explanation must be sufficiently concise and intelligible.
- If the controller believes that the information to be provided includes third-party data that is itself protected by the GDPR, or contains trade secrets, they must provide the allegedly protected information to the relevant authority or court, which must then balance the rights and interests of the data subject with those of the third parties whose data or trade secrets are involved to determine the extent of the data subject's right of access to that data under Article 15.
Businesses using automated decision-making processes based on customers' personal data must be prepared to provide clear and easy-to-understand explanations to their customers on how those decisions are made. They should also be aware that the fact that third-party personal data or trade secrets are involved will not necessarily protect them.