Regulatory Outlook

Data law | UK Regulatory Outlook January 2025

Published on 13th Jan 2025

Data (Use and Access) Bill | ICO prioritises AI, children's data, Adtech | EDPB plans, EU ePrivacy and AI models

Data (Use and Access) Bill

The much-anticipated draft data legislation, the UK's Data (Use and Access) Bill (DUA bill), introduced in October 2024, is currently progressing through Parliament. In the House of Lords, it has navigated the second reading and committee stages, and is scheduled to enter the Report stage - a further chance to closely scrutinise and make changes - on 21 January. After that, the amended bill will make its way through equivalent stages in the House of Commons, and is likely to become law in 2025.

The DUA bill is about a lot more than data protection. It is, fundamentally, about making better use of data across many sectors of the UK economy; be that energy, telecoms, infrastructure, health and social care or financial services. It does that, for example, by creating a framework for smart data schemes (similar to the open banking regime), which will then be introduced via secondary legislation across relevant sectors (such as energy or telecoms); by introducing a certification framework for digital identity verification systems; and by specific targeted reforms to UK data protection laws. It also includes a reform to the Information Commissioner's Office's (ICO) structure and powers.

It is a wide-ranging bill, with many intricate provisions, much of it amending existing legislation or setting up frameworks to be fleshed out later in secondary legislation. There are plenty of areas of controversy, with significant debate expected on provisions such as those easing restrictions on automated decision-making (which has implications for the use of some artificial intelligence (AI) systems). Several aspects of the DUA bill are likely to impact on organisations' data privacy compliance regimes. In particular, those who do business in EU countries will need to consider whether they can in practice take advantage of any easing in restrictions, or whether it will be easier to have one common approach which is compliant both with the DUA bill's provisions and the EU General Data Protection Regulation.

The DUA bill will be particularly interesting for sectors such as network and utility providers, science and statistical research teams, financial services, IT, telecoms, and healthcare system providers, as well as social media platforms and other digital service providers. However, some provisions, such as the changes to data protection law and cookie consents, are relevant to almost all organisations. Affected businesses should keep an eye on the bill as it moves forward, consider its potential impact on them, and ensure that compliance documentation, projects and contracts which might be affected are flexible enough to take account of its development.

See our Insight exploring the DUA bill (as first published) in more detail. Read the current draft of the bill.

ICO priorities

Artificial intelligence

AI is a key priority for the ICO due to the technology's potential to pose high risks to individuals' privacy if it is not developed and used in a responsible way. The ICO believes that public trust in AI is extremely important and is focussing on several areas of AI:

  • fairness in AI
  • dark patterns
  • AI-as-a-service
  • AI and recommender systems
  • biometric data and biometric technologies, and
  • privacy and confidentiality in explainable AI.

In December 2024, the ICO published a response to input it received in the course of its five-part consultation series on generative AI. The regulator set out its analysis, views and current expectations on how specific areas of data protection law apply to generative AI systems. See AI section for more information.

Organisations developing and/or deploying AI systems need to monitor the updates as well as follow the ICO's existing guidance as this is an important area for the regulator.

Children's data

The protection of children's data is another ongoing focus for the regulator. Last year, the ICO set out its 2024-2025 priorities for protecting children's personal information online as part of its children's code strategy. The ICO is particularly focused on social media and video-sharing platforms. The ICO outlined priority areas where further progress is needed, including:

  • ensuring that children's profiles are private by default, and that geolocation settings are turned off by default;
  • ensuring that profiling children for targeted advertisements is turned off by default unless there is a compelling reason to use profiling;
  • the use of children's information in, and the design of, recommender systems, since algorithmically-generated content feeds can expose children to harmful content, as well as leading them to spend more time on a platform than they otherwise would, which in turn increases the probability of them giving away more personal information; and
  • ensuring that parental consent is obtained for processing the personal data of children under 13 years old.

The ICO undertook a review of a sample of social media and video-sharing platforms, focusing on these priority areas, and specifically asked some of them to explain issues relating to default privacy settings, geolocation and age assurance. See this Regulatory Outlook for more information.

The ICO is dedicated to ensuring that the internet is a safe and privacy-friendly environment for children. A research report produced for the ICO shows that children often do not see entering personal information, posting updates, and interacting with algorithms as "data sharing" or consider their data rights. The ICO intends to provide further updates on its children's code strategy, and continue to engage with industry, so businesses need to make sure they follow the ICO's guidance in this area, and improve their practices where needed, as the regulator continues its drive to encourage compliance.

See also Digital Regulation.

Adtech and use of cookies

The ICO's work to crack down on misuse of cookies in advertising continues apace, with the regulator's recent actions and statements showing its ongoing proactive approach to ensuring that organisations comply with data protection laws when using advertising cookies.

In 2023, the ICO asked 53 of the UK's top 100 websites to make changes to their advertising cookie practices. The regulator was concerned that some websites did not give users fair choices over whether or not to be tracked for personalised advertising. The ICO also emphasised that it must be as easy to reject all non-essential cookies as to accept them. In January last year, the ICO confirmed that it had received a positive response to its call to action, and would be turning to the next 100 websites, and then the 100 after that. See this Regulatory Outlook for more details.

Further, in September 2024, the ICO reprimanded Sky Betting and Gaming for unlawfully processing people's cookie-derived personal data, and sharing it with advertising technology companies, before users had been asked for consent. See this Regulatory Outlook for more information.

The ICO's updated draft guidance on cookies and other tracking technologies was published on 20 December 2024, with a consultation running until 14 March 2025. It is notable that the updates to the existing guidance focus on areas such as online advertising, the wider range of tracking technologies beyond simply cookies, and on consent mechanisms. We are also expecting to see the ICO's position on the cookie "consent or pay" business model during the course of this year.

While the ICO works to persuade organisations to change practices without the need for enforcement action and to set compliance expectations and standards, it is also prepared to apply the full range of regulatory powers to drive compliance.

The EU's regulators are also active in this space, for example:

  • the European Data Protection Board (EDPB) recently adopted guidelines on the extent to which relevant provisions of the EU ePrivacy Directive (equivalent to provisions in the UK's Privacy and Electronic Communications Regulations 2003) apply to a wider range of tracking technologies than simply cookies;
  • the EDPB also published an opinion on whether "consent or pay" models are compatible with the requirement for freely given consent to the use of cookies and other tracking technologies; and
  • the French regulator last month issued a formal notice reminding companies of cookie consent requirements, following the service of compliance orders on several website publishers. This was prompted by its investigation of multiple complaints about the use of "dark patterns" with cookie consent banners, aimed at making it less likely that users would reject cookies.

The ICO and EDPB approaches are in many respects similar, but are not identical. Businesses need to keep up to date with the approaches of the ICO, the EDPB and other relevant national regulators to this and other technology issues in order to stay compliant, avoid any enforcement action, and streamline their data privacy compliance and governance functions to take account of relevant regulatory regimes.

EDPB plans for 2025

The EDPB adopted its work programme for 2024-2025 in October 2024. This year we expect to see various guidance and position papers from the EDPB, tackling issues such as cookie "consent or pay" models and the interplays between EU data protection law on the one hand, and the EU AI Act, the Digital Services Act and the Digital Markets Act on the other. See this Regulatory Outlook for more information.

In addition, we look forward to hearings, opinions and judgments in data cases from the EU Court of Justice (CJEU) and other EU courts over the course of 2025, including on areas such as:

  • The appropriate legal basis for processing personal data where a transport provider collects a data subject's title (such as Mr or Mrs) for the purposes of that person buying a ticket (Mousse case, published 9 January 2025)
  • Factors relevant when assessing whether a data processing authority can characterise a data subject's complaint as "excessive", and so refuse to deal with it, merely because a data subject has filed multiple complaints (Österreichische Datenschutzbehörde case, published 9 January 2025)
  • Intermediary liability in EU GDPR compliance (Russmedia Digital and Inform Media Press, expected in February 2025)

EDPB opinion on AI models

The EDPB has (at the request of the Irish data protection regulator) issued an opinion on the processing of personal data in the context of AI models, which considers:

  • how to assess and demonstrate (on a case by case basis) whether an AI model is anonymous, such that it would be considered not to involve personal data, including steps that can be taken during the model training phase of development;
  • whether and how legitimate interest can be a legal basis for the training or use of AI models, including considering whether processing of the personal data is 'necessary' or whether there is a less intrusive way of pursuing the relevant legitimate interest; and
  • whether the deployment of an AI model which has been trained with unlawfully processed personal data, but where the AI model itself is deemed to have been effectively anonymised, will be outside the scope of the data protection regime.

The EDPB's opinion is important for the major companies who develop their own large language models and other AI models trained on data which includes personal data, but it is also significant for many other organisations using such AI systems. For example, businesses incorporating these AI models into their own AI systems for internal deployment, or using them to provide services to third parties, should consider whether their risk and impact assessments properly assess the data privacy position, and whether the terms of contracts with suppliers and customers deal adequately with responsibility and liability for data privacy compliance in respect of AI model training.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.