UK data reforms become law
The UK’s Data Use and Access Bill has become law, with the government claiming it will “save working people money and time” while injecting £10bn into the British economy over the next decade.
The bill attainted royal assent to become an act on 19 July 2025, and will now amend the country’s implementation of both the UK General Data Protection Regulation (GDPR) and the European Union (EU) Law Enforcement Directive (LED), which is transposed into UK law via the Data Protection Act (DPA) 2018 and represented in Part Three of the act, specifically.
The government has justified its changes to data protection law on the basis of the potential efficiency gains that can be made by cutting NHS and police bureaucracy, as well as the convenience benefits easier data sharing will bring to people’s lives.
“For too long, previous governments have been sitting on a goldmine of data, wasting a powerful resource which can be used to help families juggle food costs, slash tedious life admin, and make our NHS and police work smarter,” said technology secretary Peter Kyle.
“These new laws will finally unleash that power for hardworking people – putting cash back in pockets and boosting vital public services, all part of our plan for change.”
In terms of the changes to GDPR processing, the act will remove current Article 22 protections against automated decision-making (ADM) so that they only apply to decisions that either significantly affect individuals or involve special category data; or introduce a list of “recognised legitimate interests” that organisations can use to process data without the need to conduct legitimacy assessments, which includes things like national security, prevention of crime and safeguarding.
It will also create “purpose limitation” rules that make it easier to process data outside of its originally intended use.
Cookie consent
The act also removed the need for organisations to obtain user consent for cookies and other tracking technologies when the data collected is used for service or website improvement, tailor the site to a user’s preferences, or where the risk to the user is otherwise deemed to be low, if users have the option to opt-out.
However, active consent will still be needed for third-party tracking cookies, such as those used by social media platforms, and the penalty for failure to comply with new cookie rules have been significantly increased to GDPR-style levels (up to £17.5m or 4% of global turnover, whichever is higher).
Civil society groups have been highly critical of many of the data processing changes, arguing instead that the measures will diminish the right not to be subject to automated decision-making; delegate “extensive” legislative power to UK ministers that would allow them to circumvent Parliamentary scrutiny when making decisions around the legality of data processing or transfers; and otherwise grant government and law enforcement agencies “expansive access” to personal data.
Data sharing
In the law enforcement space, the act will specifically allow for the routine transfer of data to offshore cloud providers, remove the need for police to log justifications when accessing data, and enable police and intelligence services to share data outside of the LED rules.
While Computer Weekly’s previous reporting on police hyperscale cloud use has identified major problems with the ability of these services to comply with Part Three, the government’s changes to UK data protection law are seeking to solve the issue by simply removing the requirements that are not being complied with.
In early June 2025, seven civil society groups wrote to European commissioner Michael McGrath, calling on him to rescind the UK’s European data adequacy – which is needed to allow for the continued free flow of data between the two – given their serious concerns about the legislation’s role in the ongoing erosion of privacy and digital rights in the country.
In June 2021, the European Commission granted “data adequacy” to the UK following its exit from the EU, but warned the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.
While the European Commission was originally set to make a new set of UK adequacy decisions in July 2025, the deadline has been extended to December 2025 for the UK to finalise its data reforms.
The act itself also only received royal assent following an extended period of legislative ping-pong between the House of Commons and the House of Lords over their disagreements on the use of copyrighted works to train artificial intelligence (AI) models.
While the enacted bill does not resolve the AI copyright issue – with the Commons defeating Lords amendments that would have forced AI firms to declare their use of copyrighted materials in their training data – the government has now agreed to publish reports on its proposals for this area in the next nine months.
Outside of data protection, the act also lays the groundwork for further regulation to be made for Smart Data Schemes, which aims to improve data portability between suppliers, service providers, customers and relevant third parties; and introduces a statutory framework for Digital Verification Services, which will essentially be used to establish a register of certified providers and issue “trust marks”.
It will additionally set up common standards for health records, intended to promote interoperability and further data sharing.
In terms of data protection regulation, the act also abolishes the Information Commissioner’s Office in favour of a new Information Commission, meaning its structure will be changed to be run by a board.
Under the act, the secretary of state will be granted powers to appoint non-executive members of the commission, including the commissioner, as well as issue policy directions to influence the regulator’s strategic priorities.
Before escalating complaints with the Information Commission, individuals will now be required to raise complaints directly with organisations first.
Source link
