Out-Law Analysis

UK data protection law facing scrutiny and reform in 2025


Businesses could see material changes to UK data protection laws in 2025 at a time when the compatibility of those laws with equivalent legislation in the EU will be under scrutiny.

The multi-faceted Data (Use and Access) Bill (DUA Bill) represents the UK Labour government’s attempt to enable data-related innovation and efficiencies in the economy in the pursuit of growth and comes after two failed attempts at reforming UK data protection law post-Brexit by the last government.

The enactment of the DUA Bill, as drafted, would signal some divergence between UK and EU data protection law in some important areas – including in relation to data subjects’ rights and automated decision-making in the age of AI. While both the UK government and the data protection authority, the Information Commissioner’s Office (ICO), have expressed confidence that nothing in the DUA Bill risks undermining the UK’s so-called ‘adequacy’, the issue has been the focus of concern during the Bill’s House of Lords committee debates.

The two adequacy decisions issued by the European Commission in respect of the UK are due to expire this summer. The Commission’s decisions, issued in June 2021, recognise the UK’s data protection framework as essentially equivalent to that of the EU and are of vital importance to enabling the free flow of personal data from the EU to the UK – which in turn is pivotal to everyday commercial operations and trade, as well as law enforcement activity.

Without the adequacy decisions being in place, organisations wishing to transfer personal data from the EU to the UK would face much greater compliance costs, owing to the significant restrictions imposed on the international transfer of personal data under EU data protection law. Whether or not the Commission decides to extend the application of its two UK adequacy decisions – issued under the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive, respectively – before they expire on 27 June 2025, is therefore of significant consequence. The content of the DUA Bill is likely to form a core part of the Commission’s assessment of the UK data regime as it decides what to do in the first half of the year.

Countries do not have to apply EU data protection laws to benefit from an adequacy decision – they must merely be assessed by the Commission as having a data protection framework that is essentially equivalent to that in place in the EU. This offers some scope to the UK government to make changes to the EU-derived regime that is currently in place, but in seeking reforms that can promote growth and make compliance easier and cheaper for businesses than it is now, it must be careful not to diverge so far that the UK loses adequacy status.

To date, there have been two readings of the DUA Bill in the House of Lords and it has also been scrutinised in committee, with the report stage – where peers will assess, debate and vote on amendments brought forward by committee – due to begin before the end of this month. The Bill will then have its third reading in the Lords before it passes over to begin its progress through the House of Commons, where MPs will get their chance to input on the Bill’s contents.

The discussion over the Bill’s contents during the Lords committee stage reflects the careful balancing act that the government is having to perform with EU-UK adequacy in mind.

For example, speaking for the government, Baroness Jones of Whitchurch rejected an amendment proposed by liberal peer Lord Clement-Jones that would have deleted the requirement for controllers to carry out “reasonable and proportionate” searches to find information in response to data subject requests. Lord Clement-Jones suggested that an express reference to “reasonable and proportionate” searches would dilute data subjects’ rights and threaten the EU adequacy decision in favour of the UK.

In her response, Baroness Jones echoed the line that has been taken by the ICO, including in relation to web-scraping for the purposes of training AI, that there is no dilution of data subject rights, and that the principle of “proportionality” does not provide controllers – including those gathering large volumes of data to train AI models – with an escape route in respect of those rights.

Lord Clement-Jones’ proposed amendment was at least in part a probing amendment, designed to draw from the minister a statement of legislative intent for possible use in the future should the relevant provision be found by a court to be ambiguous. Until a House of Lords ruling in the early 1990s, records of parliamentary debates were not admissible as evidence of legislative intent. Since that case was decided, Hansard debates can be admitted if the court finds that the wording of a statutory provision is ambiguous, and the debate includes a statement made by a minister with responsibility for the Bill that clearly states the intended interpretation or effect of the provision.

In relation to searches in response to data subject requests, Baroness Jones said: “The government believe that transparency and the right of access is crucial. That is why they will not support a change to the language around the threshold for data subject requests, as this will undermine data subjects’ rights. Neither will the Bill change the current expectations placed on controllers. The Bill reflects the EU principle of proportionality, which has always underpinned this legislation, as well as existing domestic case law and current ICO guidance. I hope that reassures noble Lords.”

Data subjects’ right to access data is not the only issue addressed in the DUA Bill on which the government is seeking to change the wording of current UK data protection law while apparently seeking to stress that the change will result in no practical differences for the exercise of individual rights or to business practices.

On proposed changes to the requirement to notify data subjects when personal data is obtained otherwise than directly from them – for example, through web-scraping – Baroness Jones said the proportionality test envisaged “provides an important safeguard for the existing exemption when data is collected from sources other than the data subject”.

She added: “The controller must always consider the impact on data subjects’ rights of not notifying. They cannot rely on the disproportionate effort exemption just because of how much data they are processing – even when there are many data subjects involved, such as there would be with web scraping.”

Baroness Jones went on to highlight how businesses would still require a lawful basis to reuse personal data collected indirectly rather than from the data subject, such as in the case of a web scraper, and cited the views of the ICO that generative AI developers engaging in web scraping for the purposes of training their AI models are “likely to struggle to pass the balancing test” associated with relying on the legitimate interest ground for data processing “where insufficient transparency measures contribute to people being unable to exercise their rights”. The ICO described web scraping for generative AI training as “a high-risk, invisible processing activity”.

Lord Clement-Jones, among other peers, has pointed out to the government that it seems to be simultaneously insisting that the reforms proposed in the DUA Bill are necessary and that they will change nothing. While that opens the door to new EU-UK adequacy decisions, it will not deliver the sort of streamlining of compliance burdens that businesses want to help them deliver on the government’s own growth missions in 2025 and beyond.
