Data Protection – what’s happened in 2025?

2025 has been a lively year for the data protection sphere, with the main talking point coming from the UK’s data reform Bill finally receiving Royal Assent on 19 June 2025.

The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (DUAA) introduced widespread changes that will have a significant impact, especially in terms of the UK’s data protection regime. Although there is a long list of changes, some key examples include:

• Complaints can now be made directly to data controllers.
• The Information Commissioner’s Office (ICO). Under the DUAA, the ICO will go through a restructuring and a name change, but, most importantly, the enforcement powers of the ICO have largely been enhanced.
• International transfers. DUAA introduces a “data protection test” which will analyse whether a third country’s data protection regime is adequate when deciding whether to approve international data transfers.
• Automated Decision-Making (ADM). Restrictions on solely ADM will be relaxed, but safeguards will still be in place for special category data.
• Data processing. DUAA introduces legitimate interests as a lawful basis for processing.
• Special category data. The Secretary of State, via secondary legislation, can introduce more classes of special category data.

Other key amendments as bought in by DUAA include changes to the Privacy and Electronic Communications Regulations (PECR) which controls cookies and electronic direct marketing. Fines given under PECR now align with UK GDPR which can be the higher of £17,500,000 or 4% of an organisation’s worldwide turnover (which is a huge increase from the previous maximum of £500,000).

In addition, DUAA allows the government to introduce regulations in connection with Smart Data schemes and Digital Verification Services.

To start 2026 right, keep an eye out for the staged implementation of DUAA reforms. The ICO will consult and release guidance which is especially important as 2026 will see the introduction of some vital changes, including the likes of the data transfer rules, complaints handling and ADM.

Personal data, the UK and the European Economic Area (EEA)

On 19 December 2025, the European Commission renewed two adequacy decisions made in 2021 which means controllers and processors of personal data can continue to send data safely between the UK and the EEA. This decision is subject to a ‘sunset clause’ of 6 years but will be in force until 27 December 2031 (with a review midway through).

The EU’s ‘Digital Omnibus’ – one to watch out for in 2026

The European Commission has proposed its ‘Digital Omnibus’ package which aims to simplify and streamline AI, cyber security and data regulation rules. In terms of data regulation, some of the key proposals are as follows:

• Defining ‘Personal Data’. The definition of ‘Personal Data’ will be amended to clarify that data will not be considered ‘Personal Data’ where the holder cannot identify the individual (pseudonymised data).
• ‘Scientific Research’. The definition of ‘Scientific Research’ will be amended. However, this is thought to be similar to that introduced by the UK’s DUAA.
• Further information is to be provided which clarifies when decisions based solely on ADM will be permitted.
• AI and legitimate interests. Guidance could be given to clarify when a legitimate interest can be relied upon for AI training and operation (subject to the balancing test).
• Data breach. When there has been a breach of personal data, a supervisory authority will need to be notified only if the risk to the rights of the data subject is high.
• Data Subject Access Requests (DSARs). Circumstances may be provided where data controllers can refuse manifestly unfounded or abusive DSARs.

The Digital Omnibus on AI

The Digital Omnibus on AI is designed to allow the smooth introduction of the Regulation (EU) 2024/1689 (AI Act). In summary, the AI Act is a simplification instrument which intends to align Europe’s complex digital framework which stems from the Data Act, the Digital Services Act, the Cyber Resilience Act and GDPR.  The AI Act will reduce administrative burdens, align deadlines and strengthen centralised enforcement structures.

How could this effect you?

The ‘Digital Omnibus’ would simplify the EU’s complicated digital regulatory framework which, in turn, would have the effect of reducing the administrative burdens placed on businesses, especially for those who utilise AI systems throughout or hold large amounts of data.

The above proposals will be crucial from a UK standpoint as the ICO will watch closely, who may consider following in the EU’s footsteps to avoid jeopardising EU adequacy.

Disclaimer – this article is provided for general information purposes and specific advice should always be sought in relation to any queries you may have. If you require further assistance or have any questions regarding the above, please feel free to contact a member of our data protection team.