The DUAA introduces several reforms to UK data protection law, but their implications are relatively limited in practice.
By Gail E. Crawford, Fiona M. Maclean, Danielle van der Merwe, Calum Docherty, and Amy Smyth
The Data (Use and Access) Act 2025 (the DUAA) was enacted on 19 June 2025 and amends rather than replaces the existing UK data protection regime. In particular, it introduces several targeted amendments to the UK GDPR, the Data Protection Act 2018
The bill would largely build on the UK data protection regime’s EU GDPR-style framework, albeit with UK-specific provisions.
By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth
The UK government introduced the Data Protection and Digital Information Bill (the Bill) to Parliament on 18 July 2022, following the publication of its response to the consultation “Data: a new direction” (the Consultation). (For more information on the Consultation, see this Latham blog post.)
The Bill details the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR)).
This article presents an overview of the proposed changes. In part 2, we provide a deeper dive into certain key provisions.
In summary, the proposed changes — while broad in scope — do not amount to a wholesale change in direction for UK data protection laws. Assuming the Bill is passed without amendment, the UK regime would largely build on the current EU GDPR-style framework, albeit with UK-specific provisions. The changes can be grouped into two categories: (1) a more risk-based / outcome-focused approach and (2) developments in key areas around accountability, data subject rights, security, and legal grounds for processing.
Areas of interest include anonymisation, “recognised legitimate interests”, and the ICO’s role.
By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth
The UK Data Protection and Digital Information Bill (the Bill) sets out the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR)). While broad in scope, the proposals do not amount to a wholesale change in direction for UK data protection laws. Assuming the Bill is passed without amendment, the UK regime would largely build on the current EU GDPR-style framework, albeit with UK-specific provisions. The changes can be grouped into two categories: (1) a more risk-based / outcome-focused approach and (2) developments in key areas around accountability, data subject rights, security, and legal grounds for processing.
This article provides a deep dive into certain key provisions of the Bill. In part 1, we provide an overview of the proposed changes.
UK government sets out ambitious proposal for reforming the UK data protection landscape.
By Gail E. Crawford, Ian Felstead, Fiona M. Maclean, Irina Vasile, Timothy Neo, and Amy Smyth
On 17 June 2022, the Department for Culture, Media and Sport (DCMS) published its response to its consultation “Data: a new direction” (the Consultation), setting out the government’s plans to reform the UK data protection regime.
These reforms are part of the UK’s National Data Strategy, which seeks to shift focus from prescriptive requirements to a risk-based approach, thereby making data protection less burdensome for businesses and enabling them to protect personal data in a proportionate and appropriate way. The DCMS has indicated, in comments at a recent conference, that the intention and direction of travel is to build on, improve, and clarify the approach that the UK will take with the UK GDPR in a way that benefits businesses whilst maintaining the same level of data protection for individuals.
This blog post scrutinises some of the Consultation’s key takeaways. For a full list of proposals that are being taken forward pursuant to the Consultation, see this response Annex.
Update confirms the introduction of an active “duty of care” and a dedicated regulator, as part of a comprehensive new online regulatory regime.
By Alain Traill, Rachael Astin, Gail E. Crawford, and Patrick Mitchell
Following a wave of commentary from industry, the social sector, and other organisations, on 11 February 2020 the UK government set out preliminary details of a new regulatory regime to govern content posted on online platforms. The details were released in an initial response to last year’s online harms white paper, with a full response expected this spring. While some changes have been made to the white paper proposals, seemingly in response to concerns raised by industry and other stakeholders, the government has confirmed that it will introduce an active “duty of care” on organisations to prevent certain content from appearing on their platforms.
The proposed new regime mirrors similar steps taken in other jurisdictions, e.g., Australia, to protect against harmful content online. It is also in-line with the direction of travel of platform regulation at a European level, taking into account, for example, changes to the AVMS Directive (EU) 2018/1808 (AVMSD) to regulate video-sharing platform services (VSPs) in relation to protection of minors and harmful content, and the planned EU Digital Services Act, which is likely to introduce changes to EU law regarding the liability of platform providers for content posted using their services.
Despite progress, the online advertising industry and UK regulators are still at odds over the “legitimate interest” definition under the GDPR.
By Olga Phillips and Elizabeth Purcell
Following publication of the UK Information Commissioner’s Office’s (ICO’s) report on adtech and real time bidding in June 2019, the ICO has been working closely with the online advertising industry to improve data protection practices by the end of the year.
Simon McDougall, the ICO’s Executive Director for Technology Policy and Innovation, reportedly stated at the recent AdTech London event that the ICO has made progress with the industry, including through workshops with Google and the Interactive Advertising Bureau Europe (IAB), which were both featured in the June report. However, McDougall noted that there is still “a very big difference” in how the online advertising industry and the ICO view the “legitimate interest” legal basis for processing personal data under the General Data Protection Regulation (GDPR). The ICO has yet to be convinced of the use cases in which the industry is seeking to rely on the legitimate interest basis.
UK data protection regulator demands companies in the RTB ecosystem re-evaluate privacy notices, use of personal data, and lawful basis.
By Robert Blamires, Calum Docherty, Laura Holden, and Lucy Tucker
The UK Information Commissioner’s Office’s (ICO’s) latest report into adtech and real time bidding (RTB) (the ICO Report) provides a stark assessment of the adtech sector’s use of personal data in RTB scenarios. The ICO Report notes widespread compliance concerns that, in some cases, the ICO does not consider “will be addressed without intervention.” Organizations in this field should expect potentially more vigorous investigations and enforcement action if the ICO’s concerns are not addressed.
RTB is an online ad-buying process by which advertising space on websites is bought and sold via an instantaneous “programmatic” auction. During the auction process, a wide range of data (mostly originated from cookies) can be shared with multiple advertisers who place real time bids for relevant ad space.
The proposals would grant consumers increasing rights to require providers to share access to their data directly with chosen third parties.
By Alain Traill and Gail Crawford
The UK government has released a consultation advocating the introduction of sweeping new requirements for service providers to share both consumer data (upon request) and data regarding their own products and services, with third parties. The proposals, released on 11 June 2019 by the Department for Business, Energy and Industrial Strategy (BEIS) in its Smart Data report and consultation, are indicative of a wider drive toward requiring companies to free up access to the data they hold. The drivers behind this include a desire to increase competition, foster the growth of data-driven services, and improve consumer choice.
The proposals follow the introduction of a range of sector-specific initiatives in the UK and is part of a concerted government focus on digital strategy, as evidenced in its recent white paper on Regulation for the Fourth Industrial Revolution, as well as the National Data Strategy introduced last year.
The ICO issued notices of intent to fine British Airways and Marriott. What happened?
By Gail Crawford, Fiona Maclean, Hayley Pizzey, and Calum Docherty
On 8 July 2019, the UK Information Commissioner’s Office (ICO) announced a notice of intent to fine British Airways £183.39 million (about US$230 million) for violating the General Data Protection Regulation (GDPR). The proposed fine is the largest to date under the GDPR, and equals 1.5% of British Airways’ 2017 global turnover, according to the Financial Times. It follows months of investigation after British Airways notified the ICO of a security incident that led to the theft of customer data in September 2018.
Then on 9 July 2019, the ICO announced a notice of intent to fine Marriott International £99.2 million (about US$124 million) for infringements of the GDPR stemming from a data breach at Starwood, which it acquired in 2016. According to the Wall Street Journal, this fine represents 2.5% of Marriott’s global revenue. Marriott initially announced the data breach in November 2018, which led to an ICO probe.
UK publishes White Paper with hard-hitting regulatory proposals to tackle online harms.
By Alain Traill, Stuart Davis, Andrew Moyle, Deborah Kirk and Gail Crawford
On 8 April 2019, the Home Office and the Department for Culture, Media and Sport (DCMS) published an “Online Harms White Paper”, proposing a new compliance and enforcement regime intended to combat online harms. The regime is designed to force online platforms to move away from self-regulation and sets out a legal framework to tackle users’ illegal and socially harmful activity. Although the regime appears to target larger social media platforms, the proposals technically extend to all organisations that provide online platforms allowing user interaction or user-generated content (not limited to social media companies or even ‘service providers’ in the traditional sense) and set out a potentially onerous and punitive compliance and enforcement regime for a broad set of online providers.