New year, new data protection bill (2025)

Fox Williams the Business Law Firm

Services

  • Business immigration
  • Commercial
  • Corporate
  • Civil Fraud
  • Dispute resolution
  • Financial services regulatory
  • Intellectual property
  • Internal investigations
  • International
  • International Arbitration
  • Real estate
  • Securities Litigation

Sectors

  • Fashion
  • Financial services
  • FinTech
  • Professional services
  • Technology
  • Travel

Home / Insights

  • Articles
  • Events
  • Media
  • opens a new window
  • opens a new window
  • opens a new window
  • | Portfolio

20 Jan 2025

The Data (Use and Access) Bill 2024-25 (DUA Bill) had its second reading on 19 November 2024, following its introduction in the House of Lords on 23 October 2024. The Bill replaces the Conservative Government’s stalled Data Protection and Digital Information Bill (DPDI Bill) and proposes several similar reforms to the UK’s data protection framework.

Background

Since Brexit, the UK has sought to modernise its data protection laws to maintain high standards while easing administrative burdens on businesses. Previous efforts with the DPDI Bill failed, but the Labour Government has revived a more modest set of reforms under the DUA Bill. The goal is to modernise data laws while safeguarding the UK’s “adequacy” status, which is essential for seamless data flows between the EU and the UK.

Key updates to UK GDPR and DPA 2018

The DUA Bill introduces several significant changes:

  • Legitimate Interests: the Bill defines different types of processing that automatically qualify as “legitimate interest”, such as processing for “direct marketing” (widely defined), intra-group transfers and for network security.
  • Recognised legitimate interest: a new ground for lawful processing allows processing necessary for purposes like national security, public safety or emergency response, outlined in a new annex to UK GDPR.
  • Data Subject Access Requests (DSARs): A change that will be welcomed by many businesses on the wrong end of DSARs from a disgruntled or ex-employee is that a controller will only need to conduct searches that are “reasonable and proportionate.” However, an express exemption for “vexatious” requests—proposed in the DPDI Bill—has been omitted. It also confirms a procedure enabling the courts to inspect withheld material to determine whether it is exempt from disclosure.
  • Purpose Limitation: clarifies when personal data can be used for purposes beyond the original intent, with certain scenarios like public interest research or statistical analysis) deemed compatible.
  • Cookies: The Bill simplifies pop-ups by removing the need for consent for low-risk cookies, such as those used for statistical purposes or to improve websites. It also defines when a cookie is “strictly necessary” (e.g., for fraud prevention, user safety, or maintaining user preferences). Transparency requirements remain, but consent will often no longer be needed. On the other hand, GDPR-level fines (up to 4% of global turnover) will now apply to breaches of cookie rules, replacing the current £0.5m cap.
  • Automated Decision-Making (ADM): The Bill allows ADM with To facilitate increased use of AI for ADM (where there is “no meaningful human involvement in the taking of the decision”), the Bill provides that, apart from cases using “special categories” of data, ADM resulting in a legal or similarly significant effect will no longer be prohibited with exceptions. Instead, ADM will be possible regardless of the lawful basis, as long as suitable safeguards are in place. This includes reliance on legitimate interests as a lawful basis, except for cases involving “special categories” of data.
  • Scientific Research: provides a clearer definition of “scientific research” and guidance on when consent is needed.
  • Complaints Process: requires controllers to take “appropriate steps” to facilitate data subject complaints, such as by providing a complaints policy or online form. It also paves the way for regulations requiring controllers to notify the Information Commissioner of the number of complaints received.
  • International Data Transfers: Introduces a less stringent adequacy test for third countries, requiring protection to be “not materially lower” than the UK’s. This could allow more countries to achieve UK adequacy but may complicate the EU’s adequacy review of the UK in 2025.

What’s Missing?

The Bill excludes some of the more controversial proposals from the DPDI Bill, such as removing the requirement for Data Protection Officers (DPOs), redefining “personal data,” and relaxing Data Protection Impact Assessment (DPIA) obligations. These omissions likely aim to preserve the UK’s adequacy status with the EU.

Beyond Data Protection

At over 260 pages, the Bill covers more than data protection. As the title of the Bill indicates, it includes sections related to the use of and access to data more generally, including:

  • use of “smart data” (supporting open banking and the development of new smart data schemes such as in respect of utilities);
  • establishing a “trust mark” for approved digital verification services;
  • simplifying data use for law enforcement and the NHS, including enabling easier patient data transfers;
  • creating a national map of the UK’s underground infrastructure (pipes and cables).

This broader approach reflects aspirations similar to the EU’s Data Act, treating data as a shared asset for businesses and consumers alike.

The Government aims to “put technology and data protection at the heart of the economy” by simplifying rules to make data laws more business-friendly while maintaining high standards. Supported by the ICO (soon to be known as the Information Commission), the Bill seeks to modernise the UK’s data framework without jeopardising EU adequacy status, which comes up for review in June 2025.

The expectation is that the Bill will be finalised before this review. However, amendments may still arise, so watch this space for further updates.

Related News

New year’s resolutions: key 2025 dates and deadlines for professional services firms

Articles 9 Jan 2025

HRLaw webinar: An employer’s guide to managing DSARs

Webinars on demand 4 Mar 2024

Authors

Nigel MillerPartner

Related legal expertise

  • Data protection policies

Popular insights

Fox Williams team secures success in high-profile $13.8bn Russian conspiracy claim

January 21, 2025

The High Court delivered its judgment on Friday in one of the largest and most complex disputes of recent years, marking...

Clawing back bonuses – when is it enforceable?

Articles

April 22, 2024

It is increasingly common for bonuses to come with strings attached. Often there will be a contractual term requiring th...

Direct(or) responsibility: 10 ways a director could be held personally liable in 2022

Articles

March 1, 2022

A recently published case has shone a new light on the well-known fact of English company law – that a company has its o...

  • Home
  • Search
  • Portfolio
  • Menu

Search

Search

Close

  • Home
  • People
  • Services
  • Sectors
  • About us
  • Careers
    • Qualified lawyers
    • Training contracts
    • Solicitor apprenticeship
    • Business services
    • Life at Fox Williams
  • Insights
  • FAQs
  • Contact us
  • Payment portal

PortfolioClose

Portfolio list
TitleCVEmail

Remove All

Download

Need more information about the above people and legal expertise?
Talk to one of our lawyers: +44 (0)20 7628 2000

New year, new data protection bill (6)

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent. Read More

Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Performance

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

CookieDurationDescription
_ga1 year 1 month 4 daysGoogle Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*1 year 1 month 4 daysGoogle Analytics sets this cookie to store and count page views.
CONSENT2 yearsYouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.

Advertisement

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

CookieDurationDescription
VISITOR_INFO1_LIVE6 monthsYouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSCsessionYoutube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devicesneverYouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-idneverYouTube sets this cookie to store the user's video preferences using embedded YouTube videos.

Others

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

CookieDurationDescription
foxwilliams.vuture.net_VxSessionIdsessionNo description available.
intEmailHistoryId1 yearNo description available.
VISITOR_PRIVACY_METADATA6 monthsDescription is currently not available.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

CookieDurationDescription
__cf_bm1 hourThis cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
cookielawinfo-checkbox-advertisement1 yearSet by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent1 yearCookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Powered by New year, new data protection bill (7)

New year, new data protection bill (2025)
Top Articles
Latest Posts
Recommended Articles
Article information

Author: Dr. Pierre Goyette

Last Updated:

Views: 5979

Rating: 5 / 5 (50 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: Dr. Pierre Goyette

Birthday: 1998-01-29

Address: Apt. 611 3357 Yong Plain, West Audra, IL 70053

Phone: +5819954278378

Job: Construction Director

Hobby: Embroidery, Creative writing, Shopping, Driving, Stand-up comedy, Coffee roasting, Scrapbooking

Introduction: My name is Dr. Pierre Goyette, I am a enchanting, powerful, jolly, rich, graceful, colorful, zany person who loves writing and wants to share my knowledge and understanding with you.