The DUAA introduces several reforms to UK data protection law, but their implications are relatively limited in practice.
By Gail E. Crawford, Fiona M. Maclean, Danielle van der Merwe, Calum Docherty, and Amy Smyth
The Data (Use and Access) Act 2025 (the DUAA) was enacted on 19 June 2025 and amends rather than replaces the existing UK data protection regime. In particular, it introduces several targeted amendments to the UK GDPR, the Data Protection Act 2018
The draft guidelines provide further clarification to the EDPB’s interpretation of legitimate interests, and suggest a potential divergence with the UK ICO.
By Gail Crawford, Fiona Maclean, Myria Saarinen, Tim Wybitul, Alice Brunning, and Calum Docherty
On 8 October 2024, the European Data Protection Board (EDPB) released draft Guidelines 1/2024 (the Guidelines) setting out its approach to processing personal data based on the “legitimate interests” legal basis in Article 6(1)(f) of the GDPR. The Guidelines
Research participants must identify which data sets constitute personal data to ensure compliance with the GDPR.
By Frances Stocks Allen and Mihail Krepchev
The UK Medical Research Council (MRC) has published a useful guidance note on the identifiability, anonymisation, and pseudonymisation of personal data in the context of research activities (the Guidance). The Guidance reminds research organisations that the General Data Protection Regulation (GDPR) applies to health data used in research and contains a number of recommendations that participants in the research process, particularly clinical trial sponsors, should bear in mind. The Guidance has been developed with the participation of the UK privacy regulator, the Information Commissioner’s Office (ICO).
“Business as usual” for UK-EU data protection transition in 2020.
By Gail E. Crawford and Susan Mann
On 29 January 2020, the EU Parliament approved the UK Withdrawal Agreement after the UK Parliament’s ratification via the EU Withdrawal Act 2020 on 23 January 2020 (Withdrawal Agreement). The Withdrawal Agreement maintains the UK pre-Brexit position and clarifies that the GDPR continues to apply in the UK during the transition period (between 1 February 2020 and 31 December 2020, or any extension agreed by UK and EU), allowing both sides to negotiate the future data protection relationship. The ICO confirmed that the GDPR will continue to apply, and that during the transition it will be “business as usual”.
The provisions of the UK GDPR will be incorporated directly into UK law from the end of the transition period, and will sit alongside the current UK Data Protection Act 2018. At the end of the transition period, there will be the current EU GDPR as well as a UK GDPR. The Withdrawal Agreement includes technical amendments to the current GDPR, so that it will work in a UK-only context.
Despite progress, the online advertising industry and UK regulators are still at odds over the “legitimate interest” definition under the GDPR.
By Olga Phillips and Elizabeth Purcell
Following publication of the UK Information Commissioner’s Office’s (ICO’s) report on adtech and real time bidding in June 2019, the ICO has been working closely with the online advertising industry to improve data protection practices by the end of the year.
Simon McDougall, the ICO’s Executive Director for Technology Policy and Innovation, reportedly stated at the recent AdTech London event that the ICO has made progress with the industry, including through workshops with Google and the Interactive Advertising Bureau Europe (IAB), which were both featured in the June report. However, McDougall noted that there is still “a very big difference” in how the online advertising industry and the ICO view the “legitimate interest” legal basis for processing personal data under the General Data Protection Regulation (GDPR). The ICO has yet to be convinced of the use cases in which the industry is seeking to rely on the legitimate interest basis.
UK data protection regulator demands companies in the RTB ecosystem re-evaluate privacy notices, use of personal data, and lawful basis.
By Robert Blamires, Calum Docherty, Laura Holden, and Lucy Tucker
The UK Information Commissioner’s Office’s (ICO’s) latest report into adtech and real time bidding (RTB) (the ICO Report) provides a stark assessment of the adtech sector’s use of personal data in RTB scenarios. The ICO Report notes widespread compliance concerns that, in some cases, the ICO does not consider “will be addressed without intervention.” Organizations in this field should expect potentially more vigorous investigations and enforcement action if the ICO’s concerns are not addressed.
RTB is an online ad-buying process by which advertising space on websites is bought and sold via an instantaneous “programmatic” auction. During the auction process, a wide range of data (mostly originated from cookies) can be shared with multiple advertisers who place real time bids for relevant ad space.
Following in the footsteps of the CNIL and the ICO, the Berlin DPA will impose a multimillion-euro fine for breach of the GDPR.
By Tim Wybitul, Joachim Grittmann, Ulrich Wuermeling, Wolf-Tassilo Böhm, and Isabelle Brams
The Berlin Data Protection Authority (Berlin DPA) recently announced that it will issue a multimillion-euro fine for breach of the EU’s General Data Protection Regulation (GDPR), a significant step change in its GDPR enforcement approach. The Berlin DPA’s most significant penalty to date includes two fines on a company totaling €200,000. In that case, as with the latest announcement, the Berlin DPA has not yet named the affected company. The announcement also continues a trend, started by the French Data Protection Authority (CNIL) and followed by the UK Information Commissioner’s Office (ICO), of data protection authorities beginning to show their teeth in GDPR enforcement.
Delicate balance required, as regulators and lobbyist warn of the risks of over-regulation while research indicates users seek greater protection.
By Alain Traill
Both the ICO and the outgoing Chief Executive of Ofcom have sounded a cautious note regarding the possible consequences of UK proposals to introduce a new regulatory regime intended to combat online harms. The Internet Association — a Washington based lobbying group — has also voiced its concerns, suggesting that they risk discouraging businesses from continuing to operate in the UK.
The ICO did, however, offer support for key aspects of the proposals, and acknowledged that they identify an “important gap in the existing regulation of the internet”. Furthermore, research carried out on behalf of both Ofcom and the ICO has shown an increasing appetite for online regulation among UK web users.
The guidance clarifies the interplay between the PECR and GDPR and provides practical steps to achieving cookie compliance.
By Fiona M. Maclean, Laura Holden, and Grace E. Erskine
The UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), published guidance on 3 July 2019 to provide greater clarity to organisations grappling with how the General Data Protection Regulation (GDPR) applies to cookies and similar technologies. The new guidance makes it clear that under the GDPR, consents cannot be the default or blind setting, and consents cannot be bundled, as had been the common “wait and see” practice among many online businesses and sites. Organisations subject to the ICO jurisdiction will want to pay immediate attention to this guidance, including some helpful, pragmatic tips.
The European law on cookies can be found in the European Directive 2002/58/EC (ePrivacy Directive) (as amended by Directive 2009/136/EC), as implemented into UK law by the Privacy and Electronic Communications Regulation 2003 (as amended) (PECR). Regulation 6 PECR constitutes the foundation of the UK rules requiring organisations setting non-essential cookies on websites to provide “clear and comprehensive information” to users and to obtain their consent to the use of cookies.
Online services have until 31 May to respond to 16 draft standards of age-appropriate design.
By Fiona Maclean and Olga M. Phillips
The ICO is required by s123 of the Data Protection Act 2018 to prepare a code of practice which contains guidance on standards of age-appropriate design of relevant information society services likely to be accessed by children. On 15 April, the ICO published a draft code of practice on age-appropriate design for online services (the Code). A copy of the Code can be found here.
Who does the Code apply to?
The Code is aimed at Information Society Services (ISS), which is defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. In practice, this definition extends to almost all online services including apps, websites, social media platforms, online messaging services, online marketplaces, content streaming services, and even news and educational websites.
The reference to “remuneration” is often seen as confusing. However, the ICO clarified that remuneration covers services funded by advertising, but also those provided to end users free of charge.
ISS should also note that the Code applies if children (i.e. a person under 18) are likely to use the service. This definition includes services that are designed specifically for children, as well as those that may appeal to children or those that were designed for adults but have, in fact, attracted children.