Data law | UK Regulatory Outlook June 2025
Published on 26th June 2025
UK updates: Data (Use and Access) Act 2025 royal assent | ICO releases draft update on encryption | ICO consults on guidance for smart product manufacturers and developers | ICO fines genetic testing company 23andMe for failing to protect users' data | ICO launches AI and biometrics strategy | EU updates: Commission seeks views on the use of data for AI development | EDPB adopts guidelines on data transfers to third country authorities | Council and Parliament provisionally agree on cross-border GDPR enforcement

UK updates
Data (Use and Access) Act 2025 receives royal assent
The Data (Use and Access) Bill has finally passed both Houses of Parliament, after a contentious round of parliamentary ping-pong, and received royal assent, becoming the Data (Use and Access) Act 2025.
The Act ushers in the first ever changes to the UK GDPR, and, importantly, a slew of other data-related measures, aiming to boost use and sharing of both personal and non-personal data across the economy. The government hopes this will simplify and modernise the UK's data regime, improve trust in using data and support its growth and innovation agenda. But, on the whole, it is evolution not revolution.
Some of the more interesting provisions are on data generally, such as: common standards for health records, digital identity verification and smart data schemes. On the data privacy front, look out for many changes, including those on automated decision-making, cookies and tracking, and subject access requests. The fines for breaches of the Privacy and Electronic Communications Regulations are to be increased from £500,000 to the GDPR levels – up to £17.5 million or 4% of global turnover.
(See this Insight for more on the original provisions.)
There have been many changes agreed to the original draft bill, including on:
- Children's data: children's personal data is now to be given a higher standard of protection for the purposes of the UK GDPR provisions on data protection by design.
- Deepfakes: it will be a criminal offence to create or request the creation of a purported intimate image of an adult.
- Charities marketing: charities will be able to take advantage of the soft opt-in exception when sending direct marketing emails.
- Copyright and AI: the government has nine months to produce an economic impact assessment and report on some of the copyright policy options regarding AI training which were set out in the government's AI/copyright consultation, including proposals on technical measures, transparency, licensing, enforcement and AI developed outside the UK. It also has to produce an interim progress report within six months.
The provisions of the Act will be brought into effect in stages. Many (including most of the GDPR changes) will commence on a future date to be set by the government, or are being implemented over time via secondary legislation.
A few took effect as soon as the Act became law. Interestingly, the change making it clear that a subject access request applicant is only entitled to the data and other information based on a "reasonable and proportionate search" ostensibly came into effect on day one, but is back-dated to be treated as having come into force on 1 January 2024.
A few more provisions will take effect two months from the date the Act became law, including those giving the Information Commissioner the power to require production of documents.
Many provisions will affect most businesses, for example those exempting some uses of cookie data from the consent requirement, and those relaxing some of the rules around legitimate interests processing and automated decision-making.
Others will have more of an impact on particular sectors. One notable change that has not received much attention affects social media companies and other online service providers within scope of the Online Safety Act 2023: it paves the way for secondary legislation requiring providers of regulated services to provide information for use by third-party researchers into online safety measures. However, before that secondary legislation is made, Ofcom, the ICO and representatives of both providers and persons carrying out relevant research will need to be consulted.
The ICO has published an overview of the data protection provisions of the Act, which includes a useful summary of the changes, and has announced plans for new and updated guidance on various issues.
ICO releases draft updated guidance on encryption
Under Article 32(1) of the UK GDPR, controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, protecting personal data against unauthorised or unlawful processing. Encryption (alongside pseudonymisation) is one of the measures Article 32(1)(a) expressly names as a way of achieving this.
The ICO's updated guidance on encryption is longer and more detailed than the previous version, published in 2022. It includes a new section on "Encryption and data protection", which explains (among other things) how to decide whether encryption is appropriate and how it may also be relevant to complying with data protection by design obligations in Article 25. It also contains more detail on the relationship between encryption and data storage and between encryption and data transfer, as well as a new section on how to implement encryption. The updated guidance also provides more examples and encryption scenarios to demonstrate practical uses of the technology.
The updated guidance does not cover end-to-end encryption, privacy-enhancing technologies (or PETs) or the potential impact of quantum computing, for which separate, dedicated guidance is available on the ICO website. It will be finalised once the ICO has considered the results of its consultation.
ICO consults on draft guidance for manufacturers and developers of smart products
The ICO has published new draft guidance for manufacturers and developers of Internet of Things (IoT) devices. It explains how data protection law and the Privacy and Electronic Communications Regulations 2003 apply to personal data processing in consumer IoT products and includes the ICO's recommendations for good practice.
Also called "smart" products, IoT devices cover a range of sectors from home entertainment (such as smart speakers and connected TVs) and wellbeing (including fitness trackers and smart watches) to security and safety (for example, security cameras and baby monitors), medical devices (such as blood pressure monitors) and peripherals (smart keyboards, mice, headphones).
The draft guidance provides useful detail on IoT-specific issues, such as ways of validly obtaining informed consent and how to compliantly provide privacy information, both of which can be a challenge on a device with a small screen (or none at all) and with multiple users. Other areas covered include:
- Distinguishing processing for personal/domestic purposes from that covered by the GDPR.
- Use of IoT data for online advertising.
- Data about child users.
- Tools to allow individuals to exercise their rights over their data.
- Accuracy of data collected by sensors.
- Ensuring data security.
These products often collect significant amounts of personal information from users, including special category data. The ICO makes the point that many consumer IoT devices are used in the home, where people have a particularly high expectation of privacy, and that most processing by IoT devices is likely to result in a high risk and so will require a data protection impact assessment. There is also plenty on children's data, and the higher standards that will apply in many cases where children are likely to use an IoT device.
The guidance is relevant to a broad range of organisations including: manufacturers of IoT devices, developers of operating systems, mobile and web apps and software, AI service providers, providers of biometric technologies, sensors and telemetry, as well as cloud, cybersecurity and IT providers.
The ICO is consulting on the draft guidance until 7 September 2025.
ICO fines genetic testing company 23andMe for failing to protect users' data
The £2.31 million fine was imposed on 23andMe, Inc., the well-known US-based consumer genetics testing company (which has filed for Chapter 11 bankruptcy relief). It follows a joint investigation with Canada's Office of the Privacy Commissioner into a personal data breach first reported to both regulators in October 2023. 23andMe suffered a credential stuffing attack: the attackers replayed username/password pairs stolen in earlier, unrelated breaches of other websites against 23andMe's login, and wherever customers had reused those passwords the attackers gained unauthorised access to the accounts.
The ICO found that, at the time of the data breach, the company had failed to implement appropriate technical and organisational measures to "ensure the ongoing confidentiality, integrity, availability and resilience of its processing systems and services" and an appropriate process to regularly test, assess and evaluate the effectiveness of such measures, in breach of Articles 5(1)(f) and 32(1)(b) and (d) of the UK GDPR.
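Because the ICO's finding turns on the absence of a process to detect and regularly test for this kind of attack, the following is an added example of what such a detection looks like in practice; it is not code from 23andMe, the ICO or this page. The log format, the sample events, the thresholds and all names (AuthEvent, Finding, parse_log, detect_stuffing) are constructed assumptions. The point it makes is that credential stuffing has a different shape from a brute-force attack on one account: each leaked pair is tried roughly once, so the signal is many different accounts per source address, a high failure rate, and many sources at once, with the few successes being the accounts that need forced resets.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not code from the original page, 23andMe or the ICO. The log
format, the sample events, the thresholds and every name below are
constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    window_start: datetime
    attempts: int
    failures: int
    failure_rate: float
    suspicious_ips: list[str]     # sources spraying credentials across accounts
    compromised_users: list[str]  # accounts a suspicious source logged into


def parse_log(text: str) -> list[AuthEvent]:
    """Parse lines of the assumed form '<ISO-8601 UTC> <ip> <username> <OK|FAIL>'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AuthEvent(when, ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=10,
                    min_failure_rate=0.5, min_users_per_ip=3, min_sources=2):
    """Flag tumbling windows whose traffic looks like credential stuffing.

    A window is flagged when enough attempts fail overall and at least
    `min_sources` addresses each try `min_users_per_ip` or more different
    accounts with a high failure rate. A lone user mistyping a password, or a
    brute force against a single account from one address, does not match.
    """
    secs = window.total_seconds()
    buckets: dict[int, list[AuthEvent]] = defaultdict(list)
    for e in events:
        buckets[int(e.ts.timestamp() // secs)].append(e)

    findings = []
    for key in sorted(buckets):
        batch = buckets[key]
        attempts = len(batch)
        failures = sum(not e.ok for e in batch)
        if attempts < min_attempts or failures / attempts < min_failure_rate:
            continue
        users_by_ip, tries_by_ip, fails_by_ip = defaultdict(set), defaultdict(int), defaultdict(int)
        for e in batch:
            users_by_ip[e.ip].add(e.user)
            tries_by_ip[e.ip] += 1
            fails_by_ip[e.ip] += not e.ok
        suspicious = sorted(
            ip for ip in users_by_ip
            if len(users_by_ip[ip]) >= min_users_per_ip
            and fails_by_ip[ip] / tries_by_ip[ip] >= min_failure_rate
        )
        if len(suspicious) < min_sources:
            continue
        # Successes from a spraying source are the reused passwords that worked.
        compromised = sorted({e.user for e in batch if e.ok and e.ip in set(suspicious)})
        findings.append(Finding(
            window_start=datetime.fromtimestamp(key * secs, tz=timezone.utc),
            attempts=attempts, failures=failures, failure_rate=failures / attempts,
            suspicious_ips=suspicious, compromised_users=compromised,
        ))
    return findings


def constructed_log() -> str:
    """Constructed sample: normal logins, then a spray of 24 accounts from six addresses."""
    lines = [
        "2023-10-01T10:00:05Z 198.51.100.5 alice OK",
        "2023-10-01T10:01:10Z 198.51.100.6 bob OK",
        "2023-10-01T10:02:30Z 198.51.100.7 carol FAIL",   # a typo, then success
        "2023-10-01T10:02:41Z 198.51.100.7 carol OK",
        "2023-10-01T10:10:20Z 198.51.100.5 alice OK",     # legitimate login during the attack
    ]
    hits = {"acct03", "acct10", "acct19"}  # the reused passwords that happen to work
    n = 0
    for ip_last in range(10, 16):
        for _ in range(4):
            n += 1
            user = f"acct{n:02d}"
            lines.append(f"2023-10-01T10:11:{n:02d}Z 203.0.113.{ip_last} {user} "
                         f"{'OK' if user in hits else 'FAIL'}")
    return "\n".join(lines)


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for f in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{f.window_start:%H:%M} UTC: {f.failures}/{f.attempts} failed, "
              f"{len(f.suspicious_ips)} spraying sources, "
              f"force-reset: {', '.join(f.compromised_users)}")
```

On the constructed sample the first window (a handful of ordinary logins, one mistyped password) is ignored, while the second is flagged with all six spraying addresses and three compromised accounts; the legitimate login from 198.51.100.5 in the same window is not treated as suspicious because it touches one account. A real deployment would run this over sliding windows on the authentication stream, alert on the finding, force resets for the compromised accounts, and screen new passwords against known-breached lists so reused credentials are rejected before an attacker can replay them.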
Factors affecting the severity of the fine included:
- The number of individuals affected (about 495,000 customers were UK residents).
- That it involved "highly sensitive personal data", including special category data, such as genetic and health-related data.
- The seriousness of the potential consequences for the affected individuals.
- The fact that the breach went on for at least five months.
- Delays in detecting, dealing with and reporting the breach.
- Dissuading the company from committing further breaches.
- Deterring other genetic testing companies from committing similar breaches.
ICO launches AI and biometrics strategy
See AI section.
EU updates
Commission seeks views on the use of data for AI development
The Commission has launched a consultation and call for evidence on the use of data in AI. The feedback should inform the upcoming Data Union Strategy, one of the key initiatives for the scaling up of AI development, as referenced in the EU AI continent action plan. The Data Union Strategy will aim to "improve and facilitate secure private and public data sharing … and accelerate the development of new systems or applications."
The consultation is open until 18 July 2025.
EDPB adopts guidelines on data transfers to third country authorities
The European Data Protection Board has adopted the final version of its guidelines on Article 48 of the GDPR about data transfers to third country authorities. The guidelines clarify the rationale and objective of Article 48 and provide practical recommendations for controllers and processors in the EU who may receive requests from third country authorities to disclose or transfer personal data.
Council and Parliament provisionally agree on cross-border GDPR enforcement
The Council of the EU and the European Parliament have reached a provisional deal on the EU Regulation on cross-border GDPR enforcement. The proposed regulation aims to streamline administrative procedures, for instance those relating to the rights of complainants or the admissibility of cases, and to encourage faster resolution of complaints.
In order to proceed, the provisional agreement now has to be confirmed by both institutions.
See our Digital Regulation timeline for more information on the proposed regulation.