UK Data Protection: A look back at 2024 and what to expect in 2025

Published on: 23/01/2025


On 15 January 2025, Louise Keenan and Shauna Jones hosted our webinar “UK Data Protection: what happened in 2024 and what’s in store for 2025.” Our webinar is available for you to watch, but in this article, we will provide a brief summary of what was discussed.

Data Protection and Digital Information Bill (DPDI Bill)

The Data Protection and Digital Information Bill (DPDI Bill) was going through Parliament in 2024. However, when a general election is called, Parliament is disbanded. The DPDI Bill was unlucky in that it wasn’t one of the few bills which were passed in the 'wash up' period. If it had become law, then we would have seen some substantial changes to data protection law, such as:

  • Narrowing the definition of personal data by focusing on the controller or processor’s knowledge as to whether someone can be identified;
  • Changing the threshold for charging a reasonable fee or rejecting a data subject access request (DSAR) from “manifestly unfounded or excessive” to “vexatious or excessive”, which could have resulted in more DSARs being rejected;
  • Codifying ICO guidance in permitting a controller to pause the time limit for responding to a DSAR in certain circumstances, particularly where they require further information;
  • Providing a list of recognised legitimate interests; and
  • Replacing an external Data Protection Officer with an internal Senior Responsible Person.

Data Use and Access Bill (DUA Bill)

When the DPDI Bill was shelved, this left an opportunity for Labour to introduce their own data protection bill. This was introduced in the King’s Speech as the Digital Information and Smart Data Bill and has now begun the legislative process as the Data Use and Access Bill (DUA Bill). It is similar to the DPDI Bill in some ways but has dropped the more controversial provisions such as the narrower definition of personal data, the threshold being amended to “vexatious or excessive” and the change to DPOs.

There are 8 parts to the Bill with Part 5 governing the data protection changes. Some of the key DUA Bill provisions we discussed in the webinar include:

  • The provision of a list of legitimate interest examples which can be useful for those seeking to rely on legitimate interests as a legal basis for processing;
  • Guidance on when personal data can be processed for purposes other than its original purpose;
  • The potential for the Secretary of State to introduce new special categories of personal data to provide greater protection;
  • Greater flexibility regarding the use of data for research, archiving and statistical purposes;
  • New relaxed automated decision-making rules;
  • Clarifying the current position by codifying existing case law and guidance in relation to DSARs, such as elaborating that only a reasonable and proportionate search is required and that the clock can be paused if there isn’t sufficient information in order to carry out the search;
  • A new test for transfers of data to other countries, requiring that the standard of data protection in that country is “not materially lower”; and
  • An increase to fines for breaches of the Privacy and Electronic Communications Regulations 2003 to mirror those available for breaches of the UK GDPR.

Generative AI

AI has been a huge talking point in the last few years and this is set to continue in 2025. In 2024, we saw the ICO carry out consultations to determine how data protection legislation should deal with generative AI. A report was published in December 2024 and concluded, amongst other things, that companies shouldn’t use web-scraping processes (an automatic process which enables large amounts of data to be pulled from a number of different websites) unless it is necessary for a legitimate interest. There has been a push to establish how AI can be safeguarded against, and we expect there will be further updates to this in 2025.

EU-UK Adequacy Decision

Our final point for 2025 relates to expectations on the adequacy decision granted to the UK by the EU regarding the transfer of personal data between the two. The current decision expires in June 2025, so the EU will need to decide whether to extend it. It’s expected that the decision will continue and that the provisions of the DUA Bill will not jeopardise it, but we will continue to monitor any discussions surrounding the decision.

The above is just a brief summary of what was discussed in our webinar. If you would like any further details, you can watch our webinar by following this link. If you have any questions, please feel free to contact any member of our data protection team, who can assist you. We will continue to review the position regarding the parliamentary process of the DUA Bill and any AI updates, and will publish these updates to our insights page throughout the year for you to keep up to date.

Disclaimer

This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.