General Data Protection Regulation (GDPR),
Geo Focus: The United Kingdom,
Geo-Specific
UK Government Announces Bill to Infuse £10 Billion into Economy
The United Kingdom has enacted significant data privacy legislation, altering the European data protection framework in a jurisdiction that diverged from the European Union in 2020. This legislative change comes as the UK’s Data Use and Access Bill takes effect, following thorough deliberations in Parliament over several years.
After gaining royal assent, the new bill is positioned to inject £10 billion into the British economy over the next ten years. The UK government stated that this initiative is designed to streamline processes, enhance efficiency in infrastructure projects, and foster innovation across technology and scientific domains.
The bill was initiated by the Labour government under Prime Minister Keir Starmer in 2024, following failed attempts by previous Conservative administrations to modify GDPR regulations. Key changes include updated processing standards for “recognized legitimate interests” tied to national security, crime, and emergency situations, enabling organizations to bypass standard assessment tests for lawful data processing.
This revised framework also relaxes current regulations governing artificial intelligence-driven automated decision-making. Notably, the penalties for breaches related to direct marketing have increased significantly—from £500,000 to £17.5 million or 4% of global annual revenue, whichever amount is higher.
The bill further adjusts the responsibilities of the Information Commissioner’s Office (ICO). Business clients must now address privacy issues directly with companies before elevating complaints to the regulatory body, prompting a rename of the ICO to the Information Commission.
Information Commissioner John Edwards emphasized the bill’s capacity to “boost innovation” and bolster “data-driven business” across various economic sectors. He assured stakeholders that the regulatory body will retain its independence, addressing concerns regarding any potential undermining of its authority.
As this legislative adjustment unfolds, the UK government is attempting to navigate the complexities involved in retaining an adequacy decision from the European Union. This determination indicates that the UK can manage European data under a comparable legal framework to those within the EU, a critical consideration given the stringent standards upheld by European legislation.
Yet, whether the EU will continue to regard UK law as adequate remains uncertain. The preceding adequacy decision, which was enacted in June 2021, is set to expire after four years, leading to apprehensions regarding the long-term feasibility of this relationship. A six-month extension proposed by the European Commission aims to prolong the UK’s adequacy status until December 27, 2025.
It remains to be seen how European stakeholders will perceive the Data Use and Access Bill, particularly as modifications to GDPR complicate compliance across the continent. The inherent advantages of a unified regulatory approach could diminish, introducing additional costs and intricacies for companies operating with transnational data flows.
