Privacy and Data Protection Winter Snapshot 2025

Monday 24th February 2025

Welcome to our Winter Snapshot, covering data protection news and developments over the last few months, and looking forward to changes on the horizon.

In this edition we look at:

  • the Data (Use and Access) Bill which is set to supplement and replace certain provisions within the Data Protection Act and UK GDPR, the practical impact of those changes, and the ICO’s recent response;
  • the European Data Protection Board Opinion on AI models;
  • the ICO’s new marketing advice generator; and
  • further developments in cookies enforcement and international transfers.

Data Protection Law Reform – The Data (Use and Access) Bill

The Data (Use and Access) Bill was introduced into Parliament towards the end of 2024. The bill is intended to ‘revamp’ data protection laws in the UK by amending the UK GDPR and PECR. While the proposed legislation does not represent a full overhaul, there are some key changes on the horizon to be aware of.

You can see our deep-dive and comparison against current GDPR obligations, which is aimed at commercial organisations, here.

The ICO responded to the bill early this year, largely supporting its changes and welcoming the Government’s commitment to maintaining adequacy with the EU when deviating from the legacy GDPR.

EDPB Opinion on AI models and data protection

In December, in response to a request from the Irish DPC for clarity, the European Data Protection Board (EDPB) issued an Opinion on the use of personal data in AI models, focusing on three key points: (1) an appropriate lawful basis for processing, where the Opinion suggests ‘legitimate interests’ can likely be used as a lawful basis; (2) the impact of unlawful use of personal data to train AI models; and (3) the circumstances in which personal data is likely to be anonymous (citing examples to demonstrate anonymity). The Opinion can support those developing and deploying AI systems in understanding whether they are complying with their data protection obligations where the processing involves personal data, although the consensus is that more clarity is needed here.

ICO creates new direct marketing advice tool

The ICO has created a beta tool intended to support organisations in understanding their legal obligations when it comes to marketing, both under the UK GDPR and under PECR. Users answer a short questionnaire, and the tool then generates succinct advice, with examples, on whether consent is ultimately needed to undertake the marketing activity. This will be particularly helpful for SMEs navigating their compliance journey or for those who want an initial view.

International transfers: New SCCs, fines and enforcement…

Restricted transfers of personal data continue to be in the spotlight, as we have seen a flurry of enforcement in this area over the past year.

We are expecting to see a fifth set of Standard Contractual Clauses early this year, covering transfers of personal data from the EEA to restricted territories where the data importer is directly subject to GDPR, a scenario which the current documents do not cater for.

In January, President Trump removed certain privacy oversight in the US, which raises the question of whether the Data Privacy Framework will remain intact or whether ‘additional safeguards’ will once again be needed to transfer personal data to the US.

ICO Cookie Compliance 2025 update

In our 2024 Autumn Snapshot, we highlighted the ICO’s investigation in which it was writing to the top 200 website owners in the UK which failed to comply with cookies laws in their consent management platforms/banners, requiring them to bring their banners into compliance with PECR within a specific time period. In January 2025, the ICO announced that it was now focusing on the UK’s top 1,000 visited websites to continue its efforts.

Across 2023 and 2024, the ICO wrote to 134 organisations that failed to comply and set out its expectations. Whilst the majority of non-compliant websites have engaged with the ICO, one website, Tattle Life, has failed to engage with the ICO and is now subject to investigations for its use of cookies and failure to engage with the regulator.

The ICO’s continued efforts form part of its 2025 online tracking strategy, in which it has reinforced that it will continue to investigate and address ‘the significant harm that can occur when online tracking practices are misused.’

If you would like to discuss these changes in more detail, please get in touch with one of our experts.