Regulatory Outlook

Data law | UK Regulatory Outlook April 2025

Published on 29th April 2025

UK: ICO's new guidance on anonymisation and pseudonymisation | ICO review of children's data in financial services | Call for evidence on data intermediaries, data brokers and national security | Joint ICO and CMA statement on AI foundation models | EU: EC final report on B2B data sharing and cloud computing contracts | EDPB blockchain guidelines

UK updates

ICO publishes new guidance on anonymisation and pseudonymisation

The Information Commissioner's Office (ICO) has published new guidance, which among other things:

  • Discusses what organisations should consider when anonymising personal data.
  • Provides good practice advice and case studies for anonymising personal data.
  • Outlines technical and organisational measures to mitigate the risks when using these techniques.

Our Insight provides more information.

The ICO will host a webinar on 22 May 2025 to support the launch of its guidance – you can register here.

ICO review of children's data in financial services

The ICO's review is based on information on the processing of children's data received from a range of organisations in the financial services sector that offer products and services to children. The review focused on governance, transparency, use of information, individual rights, age verification and marketing.

The ICO summarises evidence of good practice and of risks to data protection compliance, as well as instances where improvements may be necessary. Some problematic areas revealed in the findings include:

  • Only half of organisations provide age-appropriate privacy information and some shift transparency responsibilities to parents. This risks children agreeing to terms and conditions or privacy information that they do not understand. Privacy information is often given once and not updated as children grow and their understanding evolves.
  • Consent for processing is sometimes obtained from parents on behalf of their child in the first instance, but not reviewed as the child matures. This means the original consent is likely to become invalid as the child's understanding increases. Instead, consent should be refreshed at regular intervals and obtained directly from the child once they are able to understand.
  • Decisions on accepting requests for children's information are sometimes based on a predetermined age limit rather than assessing the child's understanding and competence.
  • Most organisations have policies in place preventing marketing to children, but communications often do not distinguish between parents and children, leading to a high risk of non-compliance with marketing requirements in the UK GDPR.

In certain aspects, the ICO's review identified practices that exceed the standards typically regarded as good practice in other sectors. However, it is important to recognise that the financial services sector, being already heavily regulated, places a greater emphasis on compliance than many other industries. Consequently, it is likely that businesses within this sector will take steps to address the concerns highlighted.

Government call for evidence on data intermediaries, and data brokers and national security

The government has launched two consultations with the aim of gathering evidence on the role of these parties, with a broad goal of looking at what role they have in fostering innovation and economic growth through improved data management and sharing practices.

Data intermediaries

Data intermediaries are organisations that facilitate data access and sharing on behalf of and in the interests of individuals. The government believes they can be instrumental in enabling the UK to use its data more strategically and drive innovation and economic growth in a trusted and secure way. While some data intermediary models are already operating in the UK, there is a range of barriers preventing further development in this area.

The call for evidence looks at data subject rights, delegation of those rights to third parties and the activity of data intermediaries. It seeks to assess the reasons why some data subject rights are not being exercised, particularly the right to data portability, and whether rules around the delegation of these rights should be more explicit. It also seeks to define the nature and activities of data intermediaries, invites contributions to help develop a common understanding of the current barriers and seeks to understand any risk factors associated with the wider exercise of data subject rights by third parties.

Data brokers and national security

Data brokers, which are different to data intermediaries, facilitate access to UK data, including on individuals, businesses and infrastructure, through data brokerage, where pre-packaged or bespoke datasets can be obtained at speed and scale. Although this data sharing is beneficial to the economy, there are also risks that hostile actors, for example cyber criminals, can acquire UK data, resulting in potential national security harms.

Through the call for evidence, the government wants to understand more about data brokers and the wider industry to support policy development. The call for evidence explores how data brokers should be defined, the national security risks associated with the industry, the effectiveness of current security and governance frameworks used by data brokers, and consumer awareness of the industry.

Both calls for evidence close on 12 May 2025.

ICO and the CMA publish joint statement on AI foundation models

See AI section.

EU updates

European Commission's expert group on B2B data sharing and cloud computing contracts publishes final report

Under Article 41 of the EU Data Act, the EU Commission was required to develop and recommend:

  • Non-binding model contractual clauses (MCTs) for business-to-business (B2B) data sharing, covering data access and use, including terms on reasonable compensation and the protection of trade secrets.
  • Non-binding standard contractual clauses (SCCs) for cloud computing and other data processing services contracts between the providers of these services and their business customers, to assist parties in drafting and negotiating contracts with fair, reasonable and non-discriminatory contractual rights and obligations.

The Commission appointed an expert group to assist in the preparation of these documents, and the group's final report sets out its drafts of the MCTs and SCCs. They have been drafted so they can be adapted by the parties according to their contractual needs. They are mainly for B2B contracts, but they can be used in business-to-consumer contracts, provided that additional provisions are added to ensure compliance with consumer protection laws. It will now be for the EU Commission to decide whether it wishes to adopt the drafts prepared by the expert group.

The use of the MCTs does not affect any of the rights and obligations the parties have under the Data Act or under other EU or national laws (including those under the EU GDPR). The MCTs consist of entire contracts under four headings:

  • Data holder to user of a connected product or related service, where the data holder wishes to use data generated using the product/service.
  • User of a connected product or related service to a third party data recipient business (where the user of a product/service has requested a data holder to make data available to the data recipient under Article 5 of the Data Act).
  • Data holder to a third party data recipient business (where the user of a product/service has requested a data holder to make data available to the data recipient under Article 5 of the Data Act).
  • Data sharer to data recipient (where the data sharer wishes to make data available to a data recipient independently of any request by a user or similar party).

The SCCs apply to both customers and providers and consist of six standard clauses covering the main contractual issues identified (switching and exit, termination, security and business continuity, non-dispersion, liability, and non-amendment) plus one general clause, all intended to be added into data processing services agreements. They are best practice guidance to assist the contractual implementation of the rights and obligations stemming from the Data Act and their use is voluntary.

Businesses involved in the EEA in the distribution or operation of connected products and related services, or in providing and utilising cloud services, will wish to review their relevant contracts in the light of the draft MCTs and SCCs, which are likely to be influential on the courts and regulators involved in interpreting the EU Data Act.

EDPB publishes guidelines on blockchain

The guidelines explain how blockchains work, the different possible architectures, and their implications for personal data processing. Aspects covered include:

  • Challenges assessing roles and responsibilities across multiple actors.
  • The need for appropriate security measures, including taking into account the possibility of encryption algorithms being broken.
  • Data minimisation techniques.
  • Obligations on individual rights of transparency, rectification and erasure.

The European Data Protection Board makes the point that some blockchain architectures create serious issues for data protection compliance, such as in relation to data minimisation, storage limitation, and individual rights, and so organisations need to assess this risk at an early stage, before implementation of a system which precludes compliance.

The guidelines are open for public consultation until 9 June 2025.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
