Data Protection update - June 2025

Welcome to the latest edition of the Stephenson Harwood Data Protection update, covering the key developments in data protection and cyber security law in June 2025.

In data protection headline news, the Data (Use and Access) Act 2025 has received Royal Assent and we analyse what this means for businesses; the European Commission ("Commission") has formally adopted a six-month extension of the two adequacy decisions in respect of the United Kingdom; a provisional agreement has been reached on cross-border GDPR enforcement; new Internet of Things guidance is published; the EU-US data privacy framework is confirmed despite changes to the PCLOB; and Article 48 guidance has been released by the European Data Protection Board.

In cyber security news, the UK has announced its Cyber Growth Action Plan.

In our enforcement and civil litigation section, we provide our usual round-up of this month's enforcement actions, including a £2.31 million fine by the ICO for 23andMe.

Data Protection

What does the Data (Use and Access) Act 2025 mean for businesses?

On 19 June 2025, the Data (Use and Access) Act 2025 (the "DUAA") received Royal Assent following a prolonged passage through Parliament. The DUAA will introduce a number of amendments to existing data protection and ePrivacy laws in the UK, aiming to facilitate the safe and effective use of data, encourage innovation and simplify data protection compliance requirements for organisations. It will amend and supplement, but not completely replace, the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 ("DPA 2018") and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR").

A new Information Commission ("IC") will replace the Information Commissioner's Office ("ICO") as the UK's supervisory authority, comprising a formal board and a chief executive. This differs from the ICO's current structure, which is led by a single Information Commissioner. John Edwards (the current Information Commissioner) will step into the role of Chair, with Paul Arnold appointed the first Chief Executive Officer of the IC. The IC will be required by law to have regard to the desirability of promoting innovation and competition.

A key aim of the DUAA is to strengthen both data safeguards and transparency in the UK and to support the UK's efforts to maintain its data adequacy status with the European Union ("EU") by ensuring that the UK's data protection standards remain aligned with Europe. Despite the minor divergences from EU law, the UK Government remains confident that the reforms in the DUAA are unlikely to cause the Commission to revoke, or otherwise decline to further extend, the UK's adequacy status. Notably, the DUAA gives the Secretary of State broad authority to amend UK data protection laws through secondary legislation, bypassing Parliament, which effectively allows changes without full parliamentary approval. This includes adding to the list of special category data as set out under the UK GDPR.

Importantly, certain provisions in the DUAA came into force immediately upon Royal Assent on 19 June 2025, including the requirement for "reasonable and proportionate searches" to be made when responding to data subject access requests ("DSARs"). Minor amendments are coming into force on 19 August 2025 regarding IC notices, the requirement to provide documents to the IC, and certain changes to the logging of law enforcement processing. The remaining changes are expected to be phased in between August 2025 and June 2026 via secondary legislation.

Key reforms of the DUAA impacting the data protection and ePrivacy landscape are summarised in the table below. The DUAA also addresses the creation and implementation of Smart Data Schemes and a Digital ID verification framework, which we have considered further in our article series that deep-dives into the Data (Use and Access) Bill.

It is worth noting that certain proposed amendments under the previous version (the Data Protection and Digital Information Bill) were not carried over to the DUAA. There is no change to the definition of "personal data" in the DUAA; Data Protection Officers, ROPAs and Data Protection Impact Assessment ("DPIA") requirements will remain the same as under the existing law; and the proposal to allow controllers to refuse to respond to a "vexatious or excessive" DSAR has gone.

Reform | Summary | Implications for businesses

New mandatory complaints procedure

(Section 103 of the DUAA adds new sections 164A and 164B to the DPA 2018.

Schedule 10 of the DUAA amends Art. 12(4) of the UK GDPR and makes consequential amendments to the DPA 2018)

New statutory right for individuals to raise a complaint to a controller regarding their general UK GDPR compliance.

Controllers are required to have clear processes to facilitate complaints, acknowledge receipt within a 30-day timeframe and respond "without undue delay".

This new right introduces greater accountability for organisations and may increase operational burdens, particularly for organisations receiving high volumes of data-related queries. It is one of the few provisions in the DUAA that will require most organisations to take proactive steps to comply.

Businesses should consider building data protection elements into their existing complaints processes, taking into account the new statutory deadline to respond. They may wish to provide an electronic complaints mechanism, such as an online form, and implement staff training on handling data protection complaints.

ICO to be replaced by the IC

(Part 6 and Schedule 14 of the DUAA.

Section 91 of the DUAA amends the DPA 2018 by detailing the duties of the IC in sections 120A to 120D and 139)

The IC will be given increased enforcement powers to ensure compliance with data protection laws, including the right to require organisations to produce documents and/or prepare a report on a specific data protection issue or even require individuals to attend interviews.

The IC may take longer than six months to issue a penalty notice following its notice of intent where necessary, provided it does so as soon as reasonably practicable.

The structure and goals of the IC align with the government's goal of a "pro-growth and innovation-friendly" data regime.

Codified updates to DSAR obligations

(Section 70 of the DUAA amends Art. 6 of the UK GDPR.

Sections 75 to 78 and 104 of the DUAA add a new section 180A to the DPA 2018 and amend Art. 12, 13, 14 and 15 of the UK GDPR and sections 45, 53, 54 and 94 of the DPA 2018.

Section 79 of the DUAA adds a new section to Art. 12A(5) to the UK GDPR and section 45A to the DPA 2018.

Section 79 of the DUAA amends sections 43, 44 and 51 of the DPA 2018)

ICO guidance is now codified, confirming that controllers can "stop the clock" on the response time for DSARs when seeking clarification and awaiting further information on the scope of the request.

Searches must be "reasonable and proportionate". This change applies retrospectively from 1 January 2024.

Organisations must inform the data subject about legal professional privilege or client confidentiality exemptions being applied and the reason for such application. Data subjects also have the right to request that the IC review how these exemptions have been applied.

The ability for businesses to seek clarification allows for more control over response deadlines in relation to DSARs. In addition, with a more pragmatic approach to responding to DSARs, there is a reduced burden on organisations to conduct overly broad searches.

International transfers of personal data

(Section 85 and Schedules 7-9 of the DUAA amend Chapter 5 of the UK GDPR and Part 3, Chapter 5 of the DPA 2018)

When personal data is transferred abroad, data protection standards in the destination jurisdiction must not be "materially lower" than those in the UK.

This amendment is in line with the UK Government's aim to encourage innovation and economic growth as UK businesses may benefit from a more flexible regime when transferring personal data abroad, potentially enabling partnerships and operations in a broader range of jurisdictions.

It can be contrasted with the EU's requirement of "essential equivalence", which is arguably more stringent.

Legitimate interests

(Section 70 of the DUAA amends Art. 6 of the UK GDPR and Schedule 4 of the DUAA adds Annex 1 to the UK GDPR)

As per UK GDPR recitals, the DUAA confirms that legitimate interests can be relied upon as an acceptable lawful basis for direct marketing purposes (subject to the legitimate interests balancing test).

The DUAA provides a list of recognised legitimate interests where the balancing test is no longer required. Controllers are exempt from conducting a full legitimate interests assessment when processing personal data for specific purposes such as national security, emergency response and safeguarding vulnerable individuals.

The DUAA is attempting to make it easier for controllers to rely on Article 6(1)(f) UK GDPR (legitimate interests) for data processing, by setting out a list of "recognised legitimate interests", albeit these are narrow in scope.

Purpose limitation

(Section 71 of the DUAA amends Art. 5 and 6 of the UK GDPR and creates a new Art. 8A in the UK GDPR)

Under the UK GDPR, the purpose limitation principle ensures that an individual's personal data is re-used only in ways that they might reasonably expect.

When assessing the compatibility of any "further processing" with the original purpose, the DUAA clarifies that the purpose for which the controller received the data is key (rather than the purpose for which the data was originally collected from the data subject).

This change provides welcome clarity on how to ascertain compatibility with an original purpose.

Solely automated decision making ("ADM") and the use of AI

(Section 80 of the DUAA replaces Art. 22 of the UK GDPR and section 14 of the DPA 2018 with new Articles 22A to 22D of the UK GDPR)

This amendment removes the restrictions around significant decisions that are made solely by ADM, unless special category data (biometric and health data etc.) is involved (in which case the current restrictions remain). This means that it may be permissible to carry out ADM in reliance on legitimate interests.

The fact that strict restrictions around the use of ADM will only remain in place for decisions involving special category data means that businesses have more flexibility to innovate, for example where AI tools are used in ADM processes (such as in recruitment).

Changes to the ePrivacy regime: Direct marketing, cookies and PECR fines

(Section 115 of the DUAA repeals regulations 5(6), 5B, 31A and 31B of the PECR, amends regulation 5C of the PECR and replaces regulation 21 and Schedule 1 of the PECR)

Fines for infringements of the PECR will be brought in line with the fines that can be levied under the UK GDPR (up to a maximum of £17,500,000, or 4% of the organisation's total annual worldwide turnover).

Exceptions to consent requirements have been introduced for certain cookies (e.g. cookies for statistical purposes and website functionality). Consent will still be required for marketing and advertising cookies.

Charities will be able to rely on soft opt-ins for email communications, where the sole purpose of the email is to further the charity’s charitable purposes.

Businesses must strengthen compliance with electronic marketing and cookie regulations, as potential fines now significantly increase financial exposure, particularly in light of increased enforcement action from the ICO in their crack-down on cookies compliance in recent months.

While exemptions ease the use of certain functional cookies, organisations must still ensure clear communication with users and maintain strict consent practices for marketing cookies to avoid enforcement action.

Scientific research

(Sections 67 and 68 of the DUAA amend Art. 4 of the UK GDPR)

This change implements a broader definition of "scientific research" which includes non-commercial and commercial scientific research.

In addition, broad consent for scientific research is now permitted, allowing personal data to be processed for research within a general area, even if the specific purpose for its use is not known at the time of collection.

The change should reduce barriers for businesses and research organisations using personal data. It allows data to be collected for general research purposes without specifying all future uses, enabling innovation and long-term projects while still requiring safeguards to protect individuals' rights.

"Children's higher protection matters"

(Section 81 of the DUAA amends Art. 25 of the UK GDPR)

There are now greater obligations for those processing personal data in the course of providing information society services likely to be accessed by children. Controllers must take account of certain "higher protection matters" when assessing appropriate technical and organisational measures.

This increases compliance requirements, particularly around safety and data minimisation. This may require redesigning services or policies to meet higher protection thresholds.

Smart Data Schemes

(Part 1 of the DUAA)

Enables the creation of a legal framework for smart data to expand its use beyond open banking models into other sectors.

This will allow consumers to securely share their data with authorised third-party providers to find better deals and services.

Digital Verification framework

(Part 2 of the DUAA)

Creation of a framework to enable the introduction of trusted digital verification services. Individuals will be able to prove their identity via trusted providers who have been certified with a "trust mark".

This will simplify processes such as registering births and deaths, starting a new job, and renting a home.

The ICO has published a summary of the changes to data protection law, aimed at assisting organisations. We are expecting further guidance for organisations from the ICO in the coming months.

Whilst the DUAA diverges from current law in certain areas in its aim to introduce greater flexibility, the changes actually introduced are relatively limited. Where organisations already comply with the current UK data protection and ePrivacy regimes, it is unlikely that organisations will need to make significant adjustments. However, with the increased fines for infringements of ePrivacy rules, organisations would be well advised to review and ensure their existing UK processes are compliant. Many organisations will also be subject to both UK and EU GDPR regulations, so adhering to the stricter EU GDPR standards is likely to be the preferred approach to ensure that the requirements of both regimes continue to be met.

EU extends data adequacy decisions in respect of UK further six months

The Commission has formally adopted a six-month extension of the two adequacy decisions in respect of the UK, allowing for the continued free flow of personal data from the EU to the UK until 27 December 2025. This extension, initially proposed in March, provides time for the Commission to assess whether the UK's newly adopted DUAA, which was presumably drafted with the upcoming adequacy decision in mind, maintains an adequate level of protection for personal data.

Until the assessment is complete, the safeguards contained in the UK's laws and systems for protecting personal data that were deemed adequate by the EU in 2021 remain effective. By way of background, the Commission published two adequacy decisions in 2021 – one for transfers under the EU GDPR and the other for transfers under the Law Enforcement Directive. The importance of uninterrupted data flows for a strong EU-UK digital partnership cannot be overemphasised, with Commissioner Michael McGrath highlighting the extension's role in "supporting cross-border business and cooperation". Confirmation of the extension follows a positive opinion from the European Data Protection Board (the "EDPB") and approval by EU Member States.

Provisional agreement reached on cross-border GDPR enforcement Regulation

The Council of the European Union (the "EU Council") and European Parliament ("EP") have reached a provisional agreement on the highly anticipated GDPR Procedural Regulation (the "Regulation"). The Regulation is aimed at improving cooperation between EU Member State data protection authorities in cross-border enforcement cases.

This development reflects the EU's continued efforts to enhance the effectiveness of the GDPR’s One-Stop-Shop mechanism (the "Mechanism") under Article 56. The Mechanism aims to streamline the supervision of cross-border data processing by organisations established in the EU and engaged in such processing. It designates a single lead supervisory authority ("LSA") to oversee investigations where a controller or processor operates in multiple member states or processes data affecting individuals across borders. The LSA coordinates with other supervisory authorities, but if no consensus is ultimately reached, the matter may be referred to the EDPB which can issue binding decisions to ensure consistent GDPR application across the EU.

The Commission has conceded that national procedural differences have hindered and slowed down the Mechanism's effectiveness. Indeed, criticism over lengthy enforcement delays and procedural inconsistencies has characterised recent cases.

Key elements of the provisional agreement on the Regulation are as follows:

  • Standardised procedures: the Regulation harmonises requirements for complaints to be deemed admissible across all EU Member States, ensuring consistent evaluation regardless of filing location. This addresses longstanding procedural inconsistencies that have complicated cross-border enforcement since the GDPR was implemented.
  • Clear binding deadlines for enforcement: simplified cooperation procedures for straightforward matters will have a 12-month deadline. For more complex cases, investigations must conclude within 15 months, with possible 12-month extensions for the most complex cases.
  • Enhanced due process: both complainants and investigated organisations are granted rights to be heard at various stages of investigations and to review preliminary findings before a final decision.
  • Early resolution mechanism: data protection authorities may resolve non-contentious cases before triggering full cross-border procedures, provided complainants do not object to this.

While the Regulation promises greater procedural clarity, organisations should prepare for more structured regulatory interactions and tighter compliance timelines. Businesses should review current GDPR compliance frameworks and ensure both legal and privacy policies are updated accordingly. Businesses should also work to identify their main establishment for jurisdictional purposes, as this will determine who will act as their LSA. The early resolution mechanism particularly rewards proactive compliance cultures.

The provisional agreement requires formal approval by both the EU Council and the EP. Once adopted, the Regulation will become directly applicable across all EU Member States.

New Internet of Things guidance

The ICO has recently published draft guidance on Internet of Things ("IoT") products and services in order to provide regulatory certainty to the industry. IoT products and services refer to a network of physical devices, such as appliances, vehicles and other objects, that are embedded with software and connectivity, enabling them to collect and exchange data over the Internet. Examples are smart meters, washing machines and smart refrigerators.

The draft guidance responds to concerns raised about products collecting too much information and individuals feeling powerless and unable to control how their personal information is used and shared. It sets out clear expectations of compliance with data protection legislation and the responsible use of individuals' personal data. It covers how to provide individuals with transparent privacy information and obtain informed consent, and also builds on the ICO's online tracking strategy for 2025, which aims to give individuals meaningful choice and confidence in how their information is used while also enabling businesses to operate in a manner which is fair and responsible. The ICO is calling on all manufacturers and developers of smart products to use the draft guidance in order to prioritise individuals' privacy.

The ICO's Executive Director for Regulatory Risk stated that their guidance offers clear recommendations to help manufacturers and developers understand legal responsibilities, ensuring smart products respect privacy. The ICO aims to empower responsible information use but will monitor compliance closely and take action against reckless data practices.

Manufacturers, developers and the wider tech industry have until 7 September 2025 to provide their views on the draft guidance.

EU-US data privacy framework still valid, despite PCLOB changes

The Commission has confirmed the continued validity of the EU-US Data Privacy Framework. This should reassure data protection clients that transatlantic data transfers remain lawful despite recent developments concerning the US Privacy and Civil Liberties Oversight Board ("PCLOB"). By way of background, the PCLOB is an independent agency within the US government which advises US leaders to ensure privacy and civil liberties in anti-terrorism policies.

The EP raised queries about the impact of three Democrat PCLOB members' dismissals, and the Commission clarified that US Executive Order 14086, which underpins the adequacy decision, remains fully in force - ensuring safeguards such as restricted intelligence agency access and the existence of a Data Protection Review Court. The Commission also noted that the PCLOB can still function without a quorum and that a US court has since reinstated the dismissed members. Ongoing close cooperation with US authorities and stakeholders was also confirmed, providing further assurance of the framework’s stability for organisations relying on EU-US data transfers.

If the Commission concludes in the future that the required level of protection is no longer ensured, the Commission has the power to propose the suspension, amendment or repeal of any adequacy decision.

Article 48 guidance released by EDPB

Following a period of consultation, the EDPB published the final version of the guidelines on Article 48 (the "Article guidelines") of the GDPR in early June. Article 48 deals with international data transfers and aims to protect EU personal data from being accessed by non-EU authorities and law enforcement (when a decision or judgment is reached by a third country requiring the transfer of personal data) unless such access complies with EU law.

The purpose of the Article guidelines is to shed light on both the rationale and objective of Article 48, as well as to clarify how it interacts with other provisions set out in Chapter V of the GDPR. Additionally, the Article guidelines set out practical recommendations for controllers and processors based in the EU and that may receive requests from third-country authorities to disclose or transfer personal data.

Changes in the new version of the Article guidelines include clarification that Article 48 does not apply to indirect requests and will exclude scenarios such as a third-country authority requesting data from a non-EU entity, which then asks its EU subsidiary for the data. The finalised Article guidelines also clarify the roles of processors when handling third-country requests and provide guidance on navigating uncertainty surrounding international agreements.

Cyber Security

UK announces Cyber Growth Action Plan

The UK Government has launched a new Cyber Growth Action Plan (the "Plan") to boost jobs and promote innovation and resilience in the UK's £13.2 billion cyber security sector, backed by up to £16 million in funding for startups and academic spinouts.

The Plan is led by experts from the University of Bristol and Imperial College London and will assess the strengths of the cyber sector and recommend strategies for future growth, feeding into the government's National Cyber Strategy, which sets out how the UK will establish itself as a democratic and responsible cyber power. Senior cyber experts from industry and academia will advise on public sector cyber security. The Plan aims to (i) create high-quality jobs for the UK population; (ii) foster innovation amongst businesses; and (iii) strengthen the UK's digital and economic security amid rising cyber threats.

It is clear the government is creating the foundations for an overarching policy and legal framework intended to strengthen cyber security in the UK over the years to come and supplement the nation's chances of economic prosperity. A key example is the Cyber Security and Resilience Bill, which, when enacted into law, aims to provide more protection for digital services and supply chains as well as empower regulators with more comprehensive oversight capabilities.

Enforcement and Civil Litigation

Round up of enforcement actions

Company | Authority | Fine/enforcement action | Comment

23andMe | ICO | £2.31 million

The Office of the Privacy Commissioner of Canada (the "OPC") and the ICO jointly investigated 23andMe following a 2023 data breach affecting 6.9 million customers globally, including approximately 320,000 Canadians and 155,592 UK residents. We previously reported on the ICO's proposed fine for 23andMe here.

The ICO and the OPC emphasised the unique sensitivity of genetic data, noting that a breach increases the potential harm to individuals because genetic makeup cannot be altered in the same way that login credentials can be when there has been a data breach affecting passwords.

23andMe has been facing bankruptcy proceedings in the US. This week, a US bankruptcy court approved the sale of the company and its bank of genetic data to a nonprofit organisation led by 23andMe's former CEO Anne Wojcicki.

University Pharmacy | Finland | €1.1 million

The fine follows Finland's data protection authority ("DPA") finding that the pharmacy chain had breached the GDPR because of "deficiencies" in its security practices when using cookies and other technologies for monitoring.

Finland's DPA found that identifiable personal data relating to online pharmacy transactions were directly transmitted to tracking service providers Google and Meta in the period May 2018 to September 2022.

Department for Social Protection (the "Department") | Ireland | €550,000

Ireland's DPA launched an inquiry to examine the Department's processing of biometric facial templates and use of associated facial matching technologies.

It was found that the Department lacked a valid legal basis for collecting and keeping biometric data and had also failed to meet its transparency obligations. In addition, the Department had conducted an inadequate DPIA.

Digi Telecommunications and Services Ltd ("Digi") | Hungary | €205,000

A data breach occurred when an unauthorised party accessed personal data via Digi's website. An investigation revealed that Digi had not implemented adequate technical and organisational measures. This enabled the breach and exposed data belonging to customers and newsletter subscribers.

Key US updates

US in agreement over potentially problematic UK Government order

The bipartisan US House Judiciary Committee's Subcommittee on Crime and Federal Government Surveillance has raised concerns about the proposed UK order requiring Apple to create a "backdoor" to encrypted user data in its cloud services, fearing it could undermine data privacy and set a dangerous international precedent. We reported on the decision by the UK Government in a previous Data Protection update.

During a 5 June hearing, lawmakers discussed the implications of the UK's use of its Investigatory Powers Act and how it relates to the UK-US CLOUD Act agreement, which allows US companies to provide data to foreign authorities under certain conditions. It was argued that the UK's actions could erode trust and data security, suggesting the US should consider terminating and renegotiating this sharing agreement if backdoor access is pursued. Expert testimony highlighted the UK's divergence from its allies in pursuing encryption standards that rank surveillance over privacy, inevitably eroding consumer trust.

US lawmakers were in agreement that privacy remains a vital right and cautioned against measures that would compromise encryption and data security for both the US and global users of technology.

Lawsuits being faced by LinkedIn

LinkedIn faces having to defend itself against several potential class action lawsuits from users concerning the use of its website-tracking technology by websites and applications that handle information relating to health.

In early June, the social network requested that US District Judge Edward Davila dismiss five cases which raised similar privacy claims against its Insight Tag (this feature uses LinkedIn cookies to track website visitors, enabling the implementation of targeted LinkedIn advertisements tailored to those visitors). There are also two newer cases involving LinkedIn before the same District Judge which have not yet been consolidated.

At the hearing in early June the plaintiffs argued that LinkedIn failed to disclose that it was collecting "private health information" which the network then shared with third parties such as Spring Fertility and Noom. However, LinkedIn argues that the data collection was "expressly and repeatedly" disclosed, and its privacy policy states that it only collects and processes personal data where there are "lawful bases".

These cases against LinkedIn follow a flow of lawsuits which target the use of website trackers. LinkedIn argues that the cases do not trigger strict disclosure concerning health data as the data is only "healthcare adjacent". Regardless, the plaintiffs accuse LinkedIn of "trying to play down" the data collected. This indicates that even data considered healthcare adjacent may prompt regulatory attention and action, suggesting that organisations should consider adopting more cautious and transparent data handling approaches.