28.01.2025

Data Protection Day 2025: Looking Ahead and Things to Keep an Eye On

Over the course of 2024 there has been a lot that has happened in the data protection sphere. With the emergence of AI into the mainstream – so much so that it has become a household topic of conversation – as well as a host of new legislation, regulations and guidance, and action taken by various data protection regulators and the Courts, data protection and privacy has, arguably, found an increased energy and this energy does not appear to be decreasing any time soon. 

In fact, it looks as though 2025 could be just as busy, if not busier, as organisations look to work through and implement the new legislation, regulations and guidance, consider and analyse the use of AI within their organisation and keep on top of any other developments in the world of data protection and privacy, all while continuing to comply with the current data protection and privacy requirements that they are subject to. 

But whilst 2025 is likely to be busy, it is also likely to be a year of uncertainty. Organisations await practical guidance and assistance around some of the new legislation and AI, new UK data protection laws are working their way through Parliament, decisions are being made on adequacy for the UK by the EU Commission, and the world waits to see whether the position of the US in relation to data protection and privacy remains the same under the new administration.  

I have set out below some of the things that I, along with my colleagues, will be keeping an eye on, and issuing updates in relation to, over the coming year, along with some things that it may be useful to start considering now: 

1. Data (Use and Access) Bill

The Data (Use and Access) Bill (or the DUA Bill) was introduced to Parliament on 23 October 2024 and includes, amongst other things, the current proposals to reform UK data protection law. There have been a number of previous bills submitted to Parliament which included reforms to UK data protection law (such as the Data Protection and Digital Information Bill (DPDI) (numbers 1 and 2)) but these previous bills did not make it to the end of the parliamentary process and did not, therefore, become law. 

Whilst there are some reforms to the UK data protection laws as we know them – notably (i) changes to the threshold for the UK Government to consider when it determines adequacy for other countries, (ii) changes to some of the requirements for automated decision making, (iii) the inclusion of an illustrative list of when legitimate interests can be relied upon as a lawful basis, including for direct marketing, (iv) the simplification of when cookies can be used, (v) the bringing of fines under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) into line with the fines under UK GDPR, (vi) the introduction of a defined data protection complaints process and (vii) proposed reforms to the structure of the Information Commissioner’s Office – the reforms proposed under the DUA Bill are not as extensive as those we have seen proposed previously, for example under DPDI. Many commentators believe that this is the case so as not to affect the UK Adequacy Decision which is due to expire later this year. 

The DUA Bill also includes provisions around smart data, the digitisation of births and deaths registers and regulation around those who provide digital verification services. 

When might we hear more about the DUA Bill and do we need to do anything now?

The DUA Bill is currently at the report stage in the House of Lords, the stage at which the House of Lords can closely scrutinise elements of the Bill and make changes. A second day of the report stage for the DUA Bill is scheduled for today – how very apt! However, it still needs to make its way through the House of Commons once it has finished in the House of Lords.

Currently it is uncertain as to what the final text of the Bill will look like – though it is highly likely that there will be some changes to how the text of the Bill started – and it is uncertain when the DUA Bill may become law. 

However, in the meantime, I would suggest reviewing the data protection governance and practices that you have in place and ensuring that all records and information are up to date. This will make it easier, once we know more, to update your governance and practices where needed so that your organisation can comply with the new legislation. In addition, if your organisation currently carries out marketing that falls within the scope of PECR, you should review and understand your marketing practices and any risk-based decisions that have been made, as these may need to be revisited should the DUA Bill (as drafted) come into force.

2. UK Adequacy Decision

The UK adequacy decision allows the free flow of personal data between countries in the European Economic Area (EEA) and the UK. It expires on 27 June 2025 unless the EU Commission chooses to renew it. An adequacy decision is a formal decision made by the EU Commission which recognises that another country provides a level of protection for personal data equivalent to that provided in the EU.

The EU Commission will need to consider whether the UK data protection laws and systems for the protection of personal data are substantially the same or similar to those in the EU. This could be affected by the new Data (Use and Access) Bill if the EU Commission determines that the reforms provide less protection to individuals’ personal data and their data protection rights than is currently the case. 

What would it mean if the UK adequacy decision was not renewed? 

If the UK adequacy decision was not renewed, then additional safeguards would need to be put in place whenever personal data was shared between an EEA organisation and a UK organisation – often the simplest way to ensure an appropriate safeguard is in place is to enter into standard contractual clauses with the organisation sending the personal data. 

It is important to note, however, that the UK Government still deems the EU adequate. Therefore, as a UK organisation sharing personal data with an EEA organisation, you would still be able to rely on the adequacy decision for the EU granted by the UK Government.

Is there anything we should be doing now?

At the moment there is nothing to suggest that the UK adequacy decision will not be renewed by the EU Commission. However, I would suggest that it would be useful to review your current customers, clients, suppliers etc. to identify whether any relationships or contracts may be affected should the UK adequacy decision not be renewed, particularly where these are critical to your organisation.

3. US Position on Data Protection and Privacy

Data protection and privacy legislation has, so far, been dealt with on a state-by-state basis in the US rather than at a federal level, and a number of US states have implemented data protection and privacy legislation to date. In addition, the EU-US Data Privacy Framework was granted adequacy by the EU Commission on 10 July 2023. This means that US organisations participating in, and which self-certify under, the EU-US Data Privacy Framework can receive personal data from EEA organisations without needing to put additional safeguards in place. There is also an extension of this adequacy decision for the UK and Switzerland – though, importantly, each US organisation must separately opt in to those extensions for them to apply.

The new administration in the US appears to have a focus on developing new technology and therefore there is a concern that the positive steps taken for data protection and privacy in the US may slow down or stop entirely. It is also uncertain whether any changes will be made in relation to the EU-US Data Privacy Framework. 

Is there anything we can do now? 

I would suggest that it would be useful to review your current customers, clients, suppliers etc. to identify whether any relationships or contracts may be affected should the US position change, particularly where these are critical to your organisation, so that you can act quickly if necessary to protect those relationships and contracts.

4. AI and the EU AI Act

Whilst AI is not a new concept, it rocketed into the mainstream in 2024 and became one of the hottest topics of the year. There is a lot of uncertainty around AI and data protection at the moment, and this is something that the ICO in particular has been doing a lot of work on in order to help organisations and businesses that use, or wish to use, AI.

The EU passed the EU AI Act on 1 August 2024. It applies to all AI systems, albeit there are lots of carve-outs as to what is classed as an AI system under the Act. The Act does not only apply to developers of AI systems but also to providers, operators, importers, distributors, deployers and users of the AI system (but not if you are using the AI system in the course of a personal, non-professional activity). It is also important to note that, whilst the EU AI Act is European legislation, it has extra-territorial reach: it will apply to any AI system that is available in the EU regardless of whether the deployers or users of the AI system are located in the EU, and even where only the output produced by the AI system is used in the EU. The Act adopts a risk-based approach and is intended to lay down more onerous obligations for the more harmful AI.

Quite confusingly, the Act does not come into force on one date – it has been split into smaller ‘chunks’, with different sections coming into force on different dates. Most provisions will come into force on 2 August 2026. However, the first ‘chunk’ of provisions (which deal with the prohibition of the most harmful AI systems) comes into force on 2 February 2025, with another ‘chunk’ of the Act (the provisions dealing with general-purpose AI, such as ChatGPT) coming into force on 2 August 2025.

What should we be thinking about in relation to AI and the EU AI Act? 

It is important to consider whether you are already using AI in your organisation: have you implemented a new AI system, do any of the current products or systems you use have AI built into them, or will any of the suppliers of your current products or systems be looking to build AI into those products or systems?

If you do already use AI in your organisation, do you know what it does or how it works? Do you know what happens to any data that you input into the AI system or product? Do you know whether you would be able to comply with your data protection obligations in relation to any personal data input into the AI system or product? What AI governance measures do you have in place? Will you fall within the scope of the EU AI Act as a deployer and, if so, what will you need to do to comply when it comes into force? What does your contract with the developer or provider of the AI say?

If you are looking to use AI in your organisation, ensure that you ask appropriate questions of the developer or provider before you sign on the dotted line, and ensure that you have appropriate contractual provisions in place.

How can we help? 

At Irwin Mitchell we have solicitors who specialise in advising on data protection law and commercial contracts, who actively keep abreast of developments within these areas and who can assist you in navigating the uncertainty of data protection and privacy law throughout 2025. If you have any questions or would like to know more, please do not hesitate to get in touch.