UK data protection and ePrivacy reforms take effect: what businesses need to know

The DUAA introduces a more liberal ‘risk-based’ approach to international transfers of personal data that may therefore facilitate increased transfers of personal data outside the UK. This includes:

• a revised set of criteria that the government will use to decide if the laws of a non-UK country are generally ‘adequate’ and therefore personal data can be sent to that country from the UK without additional safeguards; and
• a new statutory test that will govern how organisations should undertake transfer risk assessments that must be completed before using commonly used safeguards to transfer personal data outside the UK (eg certain approved data transfer agreements or binding corporate rules).

These reforms are explored further in our separate blog post.

The DUAA also includes reforms to help facilitate responses by communications service providers (and various related entities) to certain information requests from US authorities.

Key changes include:

• unlawful direct marketing and the unlawful use of tracking technologies (eg cookies) are now subject to increased fines equivalent to those under the UK GDPR (ie up to the greater of £17,500,000 or 4% of an undertaking’s total annual worldwide turnover, compared with a previous maximum of £500,000);
• officers (eg directors) of businesses may also now be subject to personal penalties of up to £17,500,000 for certain infringements of the ePrivacy regime (eg in connection with various unlawful direct marketing), compared with a previous maximum of £500,000;
• reforms to rules relating to the use of cookies and other tracking technologies include:
  • expressly extending those rules to cover: (1) the collection and monitoring of information automatically emitted by the equipment (eg, Wi-Fi probe requests); and (2) those instigating the storing of, or access to, information;
  • exempting certain further cookies (and the like) from the general requirement to obtain consent if an appropriate right to object and certain information is provided, such as various cookies used for analytics or to record the preferences of subscribers/users; and  
  • giving the government powers to vary exemptions in the future; and
• amendments to definitions relating to direct marketing, such as to clarify that ‘call’ includes attempted calls.

The DUAA amends controllers’ data protection by design obligations for those processing personal data in the course of providing information society services (which include most online services) likely to be accessed by children. 

Under the reforms, in-scope controllers must take account of certain ‘higher protection matters’ when assessing what technical and organisational measures are appropriate. 

The Information Commissioner’s Office (ICO) has published updated guidance on data protection by design to help businesses apply this new duty.

The DUAA implements changes to the calculation of timeframes within which responses to data subject requests must be provided and clarifies the scope of searches the controller is obliged to undertake. These changes will often benefit data controllers, including by specifying they may:

• ‘stop the clock’ on the response time if they were unable to respond to a request without receiving further information or clarification from the person making the request (building on rights to ‘stop the clock’ the ICO had already granted in its guidance on data subject access requests); and
• limit searches in response to a data subject access request to what is ‘reasonable and proportionate’ (under one of the few reforms that took effect immediately upon Royal Assent).

The DUAA makes various changes to the ICO’s duties. For example, the ICO is now:

• required by law to have regard to promoting innovation and competition;
• granted new enforcement powers (eg, the right to require an organisation to produce a report or compel a person to attend an interview in connection with an investigation); and
• empowered to take longer than six months to issue a penalty notice following its notice of intent where necessary, and provided it does so as soon as reasonably practicable. This will give it more time to complete investigations, which could help strengthen and prolong enforcement actions. 

Reforms were made to:

• assist controllers in determining whether the processing of personal data for a new purpose (eg, to improve an AI system) is compatible with the purpose limitation principle; and
• pre-approve certain purposes as ‘compatible’.

Where relevant, businesses will need to ensure that compatibility assessments and templates are updated accordingly. 

The DUAA has: 

• clarified how controllers processing data for scientific research purposes may obtain consents where it is not possible to fully identify the purposes for which the personal data is to be processed at the time of collection;
• clarified that certain commercial research activities can benefit from special rules regarding research (some changes are also made to liberalise processing for statistical purposes);
• clarified and collated various provisions relating to safeguards to be employed for processing for research, statistical and certain other purposes; and
• provided further exemptions from the need to give transparency information to data subjects.

Providers of a public electronic communications service (ie entities which provide any service allowing members of the public to send electronic messages, including telecoms providers and internet service providers) are subject to a personal data breach notification regime under UK ePrivacy laws, which is distinct from that under the UK’s general data protection regime. Those obligations had previously included notifying the ICO of a personal data breach within 24 hours. 

The reforms (which took effect in 2025) have relaxed these obligations to require reporting of breaches without undue delay and, where feasible, not later than 72 hours after becoming aware of it (plus an obligation to explain any failure to notify within the 72 hours).

Express confirmation that certain processing ‘may’ be lawful under the existing legitimate interests basis

The reforms expressly confirm that certain processing may be permitted under this existing lawful basis if it passes a legitimate interests assessment, including processing necessary for: (1) direct marketing; (2) intra-group transmission of personal data for internal administrative purposes; and (3) ensuring the security of network and information systems. 

Reforms focused on the public and third sector

The DUAA also implements various other reforms that are generally most likely to be relevant to processing by public authorities, NGOs and charities (which are out of scope of this article). 

Those include a new ‘recognised legitimate interests’ lawful basis for certain processing related to: (1) national security, public security and defence; (2) serious civil emergencies; (3) detecting, investigating or preventing crime and apprehending or prosecuting offenders; and (4) safeguarding vulnerable individuals.