Data (Use and Access) Act 2025: Structure

Jane Lambert

 

An inkling of the scope and complexity of the Data (Use and Access) Act 2025 can be gained from the introductory text:

"An Act to make provision about access to customer data and business data; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about the recording and sharing, and keeping of registers, of information relating to apparatus in streets; to make provision about the keeping and maintenance of registers of births and deaths; to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about privacy and electronic communications; to establish the Information Commission; to make provision about information standards for health and social care; to make provision about the grant of smart meter communication licences; to make provision about the disclosure of information to improve public service delivery; to make provision about the retention of information by providers of internet services in connection with investigations into child deaths; to make provision about providing information for purposes related to the carrying out of independent research into online safety matters; to make provision about the retention of biometric data; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; to make provision about works protected by copyright and the development of artificial intelligence systems; to make provision about the creation of purported intimate images; and for connected purposes.

As I said in Data Protection Law Reform, the Act consists of 144 sections divided into 8 parts with 16 schedules.

Structure

The parts of the Act are as follows:

• Part 1 Access to customer data and business data (sections 1 to 26);
• Part 2 Digital verification services (sections 27 to 55); 
• Part 3 National Underground Asset Register (sections 56 to 60); 
• Part 4 Registers of births and deaths (sections 61 to 65); 
• Part 5 Data protection and privacy (sections 66 to 116):
• Chapter 1 Data protection (sections 66 to 108);
• Chapter 2 Privacy and electronic communications (sections 109 to 116);
• Part 6 The Information Commission (sections 117 to 120); 
• Part 7 Other provision about use of, or access to, data (sections 121 to 138); and 
• Part 8 Final provisions (sections 139 to 144).

The schedules are as follows:

Schedule 1: National Underground Asset Register (England and Wales): monetary penalties; 

Schedule 2: National Underground Asset Register (Northern Ireland): monetary penalties;

Schedule 3: Registers of births and deaths: minor and consequential amendments; 

Schedule 4: Lawfulness of processing: recognised legitimate interests; 

Schedule 5: Purpose limitation: processing to be treated as compatible with original purpose; 

Schedule 6: Automated decision-making: minor and consequential amendments; 

Schedule 7: Transfers of personal data to third countries etc: general processing;

Schedule 8: Transfers of personal data to third countries, etc: law enforcement processing;

Schedule 9: Transfer of personal data to third countries etc: minor and consequential amendments and transitional provision; 

Schedule 10: Complaints: minor and consequential amendments;

Schedule 11: Further minor provision about data protection;
Schedule 12: Storing information in the terminal equipment of a subscriber or user;
Schedule 13: Privacy and electronic communications: Commissioner’s enforcement powers;
Schedule 14: The Information Commission;
Schedule 15: Information standards for health and adult social care in England; and
Schedule 16: Grant of smart meter communication licences.

Further Information

The Departments of State and Ministries concerned with this legislation have prepared explanatory notes on the statute.  Probably the most useful are the Overview (paras 1 to 15) and the Legal Policy (paras 16 to 83).  Also useful are the Guidance on Data Use and Access Act 2025: plans for commencement by the Department for Science, Innovation and Technology ("DSIT"), the Information Commissioner's index page and the DSIT's fact sheets on the UK GDPR and the Data Protection Act, the ICO and the Privacy and Electronic Communications Regulations 2003.

Subsequent articles will discuss particular parts and schedules of the Act.  Anyone wishing to discuss this article may call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form at any time.

Related Articles

Jane Lambert  Data Protection Law Reform 23 Dec 2025

Data Protection Law Reform

Author Robert Harker Licence CC BY-SA 3.0  Source Wikimedia

 

Jane Lambert

Shortly after EU law ceased to apply to the UK, the government of the day proposed changes to this country's data protection laws.  I discussed those proposals in Dowden's Data Protection Plans on 27 Aug 2021.  A consultation was launched on 10 Sept 2021, which I considered in Consultation on Changing the Data Protection Laws on 12 Sept 2021.  Draft legislation was introduced on 17 June 2022, which I mentioned in The Proposed Data Reform Bill on 25 June 2022.  That bill never made it past its first reading because the minister responsible for piloting it through the Commons was replaced when Liz Truss became prime minister.  The new minister introduced the Data Protection and Digital Information Bill, which was more far-reaching than the Data Reform Bill (see the Data Protection and Digital Information (No 2) Bill 2022-2023). That bill fell with the Conservative government when the general election was held.  One of the first acts of the incoming Labour government was to introduce the Data (Use and Access) Bill on 23 Oct 2024.  That bill received royal assent on 19 June 2025.

The Data (Use and Access) Act 2025 consists of 144 sections divided into 8 Parts with 16 schedules.   The Department for Science, Innovation and Technology describes the legislation as "a wide-ranging Act which includes provisions to enable the growth of digital verification services, new Smart Data schemes like Open Banking and a new National Underground Asset Register" in its Guidance.  The new Act "will not replace the UK General Data Protection Regulation (“UK GDPR”), Data Protection Act 2018 or the Privacy and Electronic Communications (EC Directive) Regulations 2003, but it will make some changes to them to make the rules simpler for organisations, encourage innovation, help law enforcement agencies to tackle crime and allow responsible data-sharing while maintaining high data protection standards."

According to the Information Commissioner, the statute updates some laws about digital information matters and changes data protection laws in order to promote innovation and economic growth.   Its provisions will be phased in between June 2025 and June 2026.  The Department for Science, Innovation and Technology has published useful fact sheets on the UK GDPR and Data Protection Act 2018, the Information Commissioner's Office and the Privacy and Electronic Communications Regulations 2003.

Anyone wishing to discuss this article is welcome to call me on +44 (0)20 7404 5252 during UK office hours or send me a message through my contact form at any time.  In subsequent articles, I shall review the Act and analyse its provisions.

Data Protection and Digital Information (No 2) Bill 2022-2023

Jane Lambert

In The Proposed Data Reform Bill I discussed the government's proposals for a new data protection statute. On 18 July 2022 - 23 days after I wrote that article - Nadine Dorries MP, the Secretary of State for Digital, Culture, Media & Sport, introduced the Data Protection and Digital Information Bill into the House of Commons.  That bill never got beyond its first reading because Ms Dorries was replaced by Michelle Donelan MP when Elizabeth Truss MP became Prime Minister.

At the Conservative Party conference Ms Donelan promised what sounded like far more reaching legislation (see Graham Turner UK Gov Pauses Data Reform Bill | What you Need to Know 4 Oct 2022 Digit News). On 8 March 2023, Ms Donelan withdrew the previous bill and introduced a new Data Protection and Digital Information (No. 2) Bill into the House of Commons.  That Bill has now completed its passage through the Commons and is about to proceed to the House of Lords.

The new Bill consists of 114 clauses divided into 6 Parts with 13 Schedules. 

Part 1 (clauses 1 to 34) and the first 9 Schedules amend the Data Protection Act 2018 and those provisions of the General Data Protection Regulation that are incorporated into the laws of England and Wales, Scotland and Northern Ireland by s.3 of the European Union (Withdrawal) Act 2019 ("UK GDPR") and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019 No 419).

Part 2 (clauses 46 to 60) regulates "digital verification services."   These are defined by clause 46 (2) as "verification services provided to any extent by means of the Internet."  "Verification services" are defined in the same subsection as 

"services that are provided at the request of an individual and consist in—

(a) ascertaining or verifying a fact about the individual from 5 information provided otherwise than by the individual, and

(b) confirming to another person that the fact about the individual has been ascertained or verified from information so provided."

An article by Charlotte Bowyer on Onfido Ltd.s website adds that:

"Digital identity verification is how businesses confirm that a customer is who they say they are, online. They do this by assessing personal information and personal data related to an individual."

The technique is used by central and local governments, financial services institutions and other businesses to verify identity, age, qualifications and other personal attributes. 

Part 3 (clauses 61 to 77) permits the Secretary of State and the Treasury to make provision in connection with access to customer data and business data.   "Business data" is defined by clause 61 (2) as 

"(a) information about goods, services and digital content supplied or provided by the trader, 

(b) information relating to the supply or provision of goods, services and digital content by the trader (such as, for example, information about where they are supplied, the terms on which they are supplied or provided, prices or performance), 

(c) information relating to feedback from customers about the goods, services or digital content, and 

(d) information relating to the provision of business data to a person in accordance with data regulations."

"Customer data" means 

"information relating to a customer of a trader, including— 

(a) information relating to transactions between a customer and the trader, and 

(b) information relating to the provision of customer data to a person in accordance with data regulations; 'data holder', in relation to customer data or business data of a trader,"

Clauses 79 to 86 of Part 4 and Sched 10 amend The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426). The Regulations implement arts 2, 4, 5 (3), 6 to 13, 15 and 16 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. Clauses 87 to 91 amend Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market. Reg 910/2014 (also known as eIDAS) regulates electronic identification and trust services, such as verifying the identity of individuals and businesses and authenticating electronic documents.

Clauses 94 to 98 and Sched 11 amend The Births and Deaths Registration Act 1953 to facilitate the electronic storage of the relevant data.  Clause 99 and Sched 12 provide for information standards for health and adult social care d and information technology.

Clauses 100 to 103 and Sched 13 establish an Information Commission to enforce the Act.

Anyone wishing to discuss this article may call me on 020 7404 5252 during office hours or send me a message through my contact page.

The Proposed Data Reform Bill

 

Jane Lambert

In my article Consultation on Changing the Data Protection Laws (12 Sept 2021), I discussed the consultation on changing the data protection laws. According to the consultation outcome, Data: a new direction - government response to consultation of 23 June 2022, the government received 2,924 responses, 684 by email and 2,240 via a survey platform. It also attended over 40 round tables with academia, tech and industry bodies, and consumer rights groups.  The consultation outcome lists the organizations in Annex B, summarized the responses in the consultation outcome and set out the government's legislative intentions in the light of the responses on each issue in Annex A.

In a recent press release, the Department for Digital, Culture, Media and Sport outlined a new Data Reform Bill.  That Bill is intended to reduce the administrative burden on businesses in order to encourage more innovative uses of personal data for research, facilitate trade and save businesses up to £10 billion over the next 10 years. An example given by the press release is that an independent pharmacist will no longer have to recruit an independent data protection officer to comply with the data protection legislation provided that it can manage risks effectively.  The Bill will also increase penalties for nuisance calls and other serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 and reorganize the Information Commissioner's Office. 

The proposals have been welcomed by John Edwards, the recently appointed Information Commissioner, in a Statement in response to the government’s announcement on the upcoming Data Reform Bill which was published on 16 June 2022.   His predecessor contributed to the consultation (see Response to DCMSconsultation “Data: anew direction” 6 Oct 2021).

I shall return to this topic once the bill is published.  Anyone wishing to discuss this article or its subject matter may call me on 020 7404 5252 during office hours or send me a message through my contact form.

Privacy and Electronic Communications - Leave.EU Group Ltd v The Information Commissioner

Author Mrmw Public Domain CCO 1.0

Jane Lambert

Court of Appeal (Sir Geoffrey Vos, Master of the Rolls, Lord Justice Lewison and Lady Justice Asplin) Leave.EU Group Ltd & Anor v The Information Commissioner [2022] EWCA Civ 109 (8 Feb 2022)

On 1 Feb 2020, the Information Commissioner issued a monetary penalty notice for £45,000 against Leave.EU Group Ltd. under s.55A of the Data Protection Act 1998 and an assessment notice under s.146 of the Data Protection Act 2018.  She issued those notices because Leave.EU Group Ltd. had sent email newsletters to some of its supporters that contained unsolicited marketing material relating to Eldon Insurance Services Ltd.   It appears that Eldon Insurance Services Ltd is now known as Somerset Bridge Insurance Services Ltd.

Leave.EU and Eldon appealed unsuccessfully to the First-Tier Tribunal (General Regulatory Chamber) (see Leave.EU Group Limited Eldon Insurance Services Limited v The Information Commissioner 2020 WL 01140646). They appealed to the Upper Tribunal which upheld the First-Tier Tribunal (see Leave.EU Group Limited and another v The Information Commissioner [2021] UKUT 26 (AAC)).  With the Upper Tribunal's permission, they appealed to the Court of Appeal.  On 1 Feb 2022, when the appeal was due to be heard, the Information Commissioner's legal representatives turned up at court but there was nobody from Leave.EU.

The Court asked the Information Commissioner's counsel what they should do. He replied that the Court could either dismiss the appeal for non-prosecution or decide the appeal on the Commissioner's oral and written submissions and Leave.EU's skeleton argument. The Commissioner was neutral as to the course that the Court should adopt but her counsel emphasized the importance of the issues under appeal. The Court decided (i) that it would not be just or appropriate to hear the substantive appeal in the absence of Leave.EU, (ii) that the Court was satisfied that Leave.EU was aware of the appeal hearing and had decided not to attend, and (iii) the appeal should be dismissed and that it would give its reasons in writing later.

The Information Commissioner and the tribunals below had found that Leave.EU and Eldon had contravened art 13 (1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201, 31.7.2002, p. 37–47. Leave.EU has appealed on the following grounds:

"First it contended that paragraph 22 did not prohibit the inclusion of any direct marketing information in an email which was otherwise solicited and not sent for direct marketing purposes, such as the political newsletters in this case. Secondly, Leave.EU contended that the FTT was wrong to hold that the subscribers had not freely consented to receive marketing information from Eldon, since they had consented to receive such material as Leave.EU felt might interest its subscribers. Thirdly, Leave.EU contended that the Information Commissioner ought to be regarded as having been required to give reasons for her decision, despite the absence of a statutory requirement to do so."

In its reasoned judgment which was delivered on 8 Feb 2022, The Master of the Rolls described those issues as "important and in some respects novel" at para [19]. He was satisfied that the Court had power to hear the appeal in the absence of the appellant under CPR 52.20 and rule 38 of the Tribunal Procedure (Upper Tribunal) Rules 2008 as well as its inherent jurisdiction but thought it undesirable in the circumstances of this case to try to decide such important questions at the level of the Court of Appeal without full oral argument.

Lord Justice Lewison and Lady Justice Asplin agreed.

According to the Commissioner's counsel, Eldon had been sold to a third party on 31 Jan 2022 who had consented to judgment and reached an agreement with the Commissioner (see her Statement on an agreement reached between Somerset Bridge Insurance Services Limited and the ICO of 1 Feb 2022). The solicitors who had acted for both appellants had applied to come off the record a few days earlier. The Court had tried to communicate with Leave.EU's sole director but he did not respond to its approaches.

The failure of Leave.EU to take any steps in the appeal in the days leading up to the hearing is regrettable.  As Sir Geoffrey Vos noted at [19] an appropriately qualified panel of the Court of Appeal had been ready to hear this case for many months.  The issues upon which the Court had been asked to decide are likely to concern other parties and cases of this kind do not come before the Court of Appeal often. 

Anyone wishing to discuss this article or the procedural or standard issues may call me on 020 7404 5252 during normal business hours or send me a message through my contact form.

Information Rights - Driver v Information Commissioner

Ramsgate Sands in 1854

Artist William Frith 

 

Jane Lambert

First Tier Tribunal (General Regulatory Chamber) (Upper Tribunal Judge Rintoul, J Randall and Raz Edwards) Driver v Information Commissioner and another [2021] UKFTT 2017-0218 (GRC)

In his preface to the white paper Your Right to Know (Cm 3818), the then Prime Minister, Tony Blair, introduced his government's proposals for a Freedom of Information Bill as one of several important constitutional reforms.  Others included the Human Rights Bill,  devolution statutes for Scotland and Wales and the Data Protection Act 1998.  The government's intention was to redefine its relationship with the governed.

S.1 (1) of the Freedom of Information Act 2000 states that:

"Any person making a request for information to a public authority is entitled—

(a) to be informed in writing by the public authority whether it holds information of the description specified in the request, and
(b) if that is the case, to have that information communicated to him."

However, those rights are subject to several exceptions pursuant to s.1 (2) and s.2 (1), (2) and (3) (g) of the Act. One of those exceptions is s.41:

"(1) Information is exempt information if—
(a) it was obtained by the public authority from any other person (including another public authority), and
(b) the disclosure of the information to the public (otherwise than under this Act) by the public authority holding it would constitute a breach of confidence actionable by that or any other person.
(2)  The duty to confirm or deny does not arise if, or to the extent that, the confirmation or denial that would have to be given to comply with section 1 (1) (a) would (apart from this Act) constitute an actionable breach of confidence."

In Higher Education Funding Council for England v Information Commissioner and another (unreported, 13 Jan 2010). the Information Tribunal held that a public authority seeking to rely on that exception would have to show that the disclosure would be likely to give rise to a successful action for breach of confidence:

“Our conclusion on this part of the case, therefore, is that the HEFCE must establish that disclosure would expose it to the risk of a breach of confidence claim which, on a balance of probabilities, would succeed. This includes considering whether the public authority would have a defence to the claim.  Establishing that such a claim would be arguable is not sufficient to bring the exemption into play.”

An example of such a claim was  Driver v Information Commissioner and another   [2021] UKFTT 2017_0218 (GRC).

The information in question was the identity of certain claimants and the amounts paid to each of them in an out of court settlement with a local authority that had banned the transport of live animals through its port in contravention of EU law.  Those claimants had successfully challenged the ban in the Chancery Division on the grounds that it breached art 35 of the Treaty on the Functioning of the European Union.  They subsequently claimed damages for losses occasioned by the ban.  

 A local resident who had opposed live animal exports asked the authority for the above information under s.1 (1) of the Freedom of Information Act 2000. The authority declined on the ground that disclosure of that information would be an actionable breach of confidence. The resident asked the Information Commissioner to intervene.  The Commissioner sided with the local authority.  The resident appealed successfully against the Commissioner's decision to the General Regulatory Tribunal.  The Tribunal held that s.41 did not apply because the withheld information had not been obtained by the local authority (see Driver v Information Commissioner and another [2017] UKFTT 2017_0040 (GRC)).  The Information Commissioner appealed to the Upper Tribunal which allowed the appeal and remitted the case to a differently constituted first instance tribunal (see Information Commissioner v Driver and another [2020] UKUT 333 (AAC)). The Upper Tribunal directed the new tribunal to proceed on the basis that the threshold condition in s.41 (1) (a) of the Act had been satisfied.  That is to say, the claimants’ names constituted information obtained by the public authority from another person.

In the remitted proceedings the tribunal took as its starting point the following passage from the judgment of Mr Justice Megarry (as he then was) in Coco v A N Clark (Engineers) Ltd [1968] FSR 415:

"In my judgment, three elements are normally required if, apart from contract, a case of breach of confidence is to succeed. First, the information itself, in the words of Lord Greene, M.R. in the Saltman case on page 215, must “have the necessary quality of confidence about it”. Secondly, that information must have been imparted in circumstances importing an obligation of confidence. Thirdly, there must be an unauthorised use of that information to the detriment of the party communicating it. I must briefly examine each of these requirements in turn."

The tribunal was satisfied that the information in question was passed to the local authority in the course of negotiations for compensation. The object of those negotiations was to achieve an out of court settlement.  At para [33] of its decision it said:

"There are good reasons of public policy why such negotiations are conducted with an expectation of confidentiality, not least of which is to encourage parties to settle disputes without the need to go to court. These negotiations were, we accept, carried out on a without prejudice basis. That, in turn, prevents the parties from revealing later what was discussed. The corollary of that is to impose a duty of confidentiality as, otherwise, the basis of without prejudice communications would be undermined. We find that is so irrespective of the fact that there was no express agreement to keep matters confidential; that was not necessary given the nature of the negotiations."

The resident had submitted that the information was not confidential because the identities of the claimants were well known.  They may have been witnesses in previous litigation.  Their names, photographs and videos had been circulated over the internet. That was true but what that evidence did not do was "identify with any certainty any entity, real or corporate, as having been in receipt of compensation or, importantly, the amount paid to each."  Accordingly, the confidential nature of the information had been retained and the obligation of confidence had not been waived.  The tribunal was satisfied that the information had "the necessary quality of confidence about it" and had been "transmitted in circumstances importing an obligation of confidence."

Turning to the question of detriment, the tribunal said at [42]:

"We consider that there is a detriment in the disclosure of withheld material in that the material was supplied on the basis that it was to be kept confidential. The parties clearly proceeded on that basis. The fact that they had done so, and had suffered loss, is something that they wished not to be known."

The tribunal reminded itself that its role was to consider only if it was more likely than not that a court would find a breach of confidence. Given the particular circumstances in which the information had been imparted and the relationship of trust that that would have been created, the disclosure of the information to the resident would have met the detriment requirement.

The tribunal acknowledged that there are circumstances in which the public interest outeights the obligation of confidence.  In this case, there was a significant weight to be attached to the public interest in keeping confidential negotiations undertaken on a without prejudice basis. All the parties who had entered into those negotiations did so on the assumption that they would be kept confidential. It was an assumption they were rightly entitled to hold.  The tribunal accepted that the public was entitled to know how its money was spent and to whom, but the amount of the settlement and the reason for entering it was already in the public domain.  There was no need to disclose more.  The tribunal concluded at [51] that the withheld material was exempted information by operation of s.41.

Anyone wishing to discuss this article may call me on 020 7404 5252 or send me a message through my contact form.

Consultation on Changing the Data Protection Laws

 

Jane Lambert

In his press release of 26 Aug 2021 which I discussed in Dowden's Data Protection Plans on 27 Aug 2021, Oliver Dowden MP, Secretary of State for Digital, Culture, Media and Sport, announced a consultation on changes to the UK's data protection laws.  That consultation was launched on 10 Sept 2021 with the publication of the consultation document, Data: a New Direction.  Responses must be submitted by 19 Nov 2021.

The consultation document is 146 pages long and is divided into an introduction, 5 chapters. a page on whom the Department for Digital, Culture. Media and Sport ("DCMA")  is seeking to consult, how to respond and what happens next and a privacy notice.  DCMS states that it is keen to hear from "a representative cross section of society, ensuring diversity and inclusion", It believes that the consultation will have particular relevance to 

• Individuals 
• Start-ups and small businesses 
• Technology companies and data-driven or data-rich companies 
• Investors in technology and data-driven or data-rich companies 
• Civil society organisations focused on consumer rights, digital rights, privacy and data protection 
• Academics, and research and policy organisations with a particular interest in the role of data in the economy and society, or as data controllers in their own right 
• Organizations involved in international data standards, regulation, and governance 
• Law firms and other professional business services.

Respondents are urged to use the DCMS's online survey platform but responses can also be submitted by email or post.  The DCMS will publish its response in due course.

The 5 chapters are as follows:

• Chapter 1- Reducing barriers to responsible innovation
• Chapter 2 - Reducing burdens on businesses and delivering better outcomes for people
• Chapter 3 - Boosting trade and reducing barriers to data flows
• Chapter 4 - Delivering better public services, and 
• Chapter 5 - Reform of the Information Commissioner's Office.

The reason for reducing barriers to responsible innovation are set out in para 30:

"The government has heard from stakeholders that elements of the law can create barriers to responsible innovation. Some definitions are unclear and lack explanatory case law or regulatory guidance that could take years to develop; organisations may choose not to use data as fully as they could owing to unfounded concerns about legality. For example, the rules for some organisations to use and to re-use personal data for research are difficult to navigate, despite the public being generally in favour of their personal data being used for scientific research that can deliver real benefits to society.5 The government has also heard evidence that uncertainty about when different lawful grounds for processing personal data should be used has led to an overreliance on seeking consent from individuals. This creates an unnecessary burden for consumers as well as for organisations. Finally, the increasing adoption and potential of new data-driven technologies is dependent on clear and consistent rules about the use of personal data."

The criticism of the present system is contained in para 139:

"The current legislation is based on a model that prescribes a series of activities and controls that organisations must adopt in order to be considered compliant. Although a key goal of the EU's GDPR was to create a regime that focussed on the accountability of organisations, the current model, in practice, tends towards a ‘box-ticking’ compliance regime, rather than one which encourages a proactive and systemic approach, and risks undermining the intentions of the principle of accountability."

One of those burdens is said to be subject access requests.  It is said that organizations have difficulty in processing such requests and with the threshold for making requests.  One of the solutions canvassed by the DCMS is the reintroduction of a fee for subject access requests and that is one of the proposals on which the Department is consulting. 

On "Boosting trade and reducing barriers to data flows" the DCMS explains at 240:

"Recent legal developments, including the Schrems II judgment, have made it more difficult for UK data exporters to transfer personal data overseas (see explanatory box below). The invalidation of the Privacy Shield by this judgment was particularly disruptive given the volume of trade it supported and the very many small and medium-sized businesses that were relying on it. Outside of the European Union, the UK has an opportunity to consider both the impact of this judgment on its transfers regime and how best to support international data flows in the future."

Data protection law became horrendously complex with the adoption of the General Data Protection Regulation and the implementation of the Law Enforcement Directive by the Data Protection Act 2018 on 25 May 2018.  Brexit has greatly exacerbated that complexity.   A snapshot of the current law since the expiry of the transition or implementation period on 31 Dec 2020 is set out in The Data Protection Legislation which I published on 28 Aug 2021.

Anyone wishing to discuss this article or any of its contents can call me on 020 7404 5252 during normal office hours or send me a message through my contact form at other times.