Will the UK’s Data Bill weaken its GDPR core?

It seems like years since the aim of UK data protection law was solely to regulate the processing of personal data, while economic growth was the task of government economic departments led by the Treasury.

The data protection ethos starting with the UK’s Data Protection Act 1984 and then continuing with the 1998 and 2018 revisions were all about data related to people. This aim and scope continued with the EU GDPR which is widely regarded as the gold standard and influential across the world.

Future dual role of the ICO

Now there is tension over the future role of the ICO at the heart of the Data (Use and Access) Bill (DUAB), likely to complete its legislative stages in the next few months.

The principal objective of the new Information Commission is stated in the DUAB in non-controversial terms:

   a) “to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest, and

   b) to promote public trust and confidence in the processing of personal data.” [Clause 90 (120A)]

However, consensus is eroded by the next clause covering the future Information Commission’s duties:

   a) “the desirability of promoting innovation;

   b) the desirability of promoting competition;” [Clause 90 (120B)]

Following a Privacy Laws & Business Briefing on the Bill in November by the Department of Science, Innovation and Technology (DSIT), on 6 December PL&B sent the DSIT Secretary of State 13 detailed recommendations for amendments. On 21 February, the Ministerial team responded in detail.

The PL&B recommendation document asked for a provision that would require the Information Commission to be transparent in relation to how it prioritises its principal objective while balancing its innovation and competition duties under section 120B. “It is not clear how the Growth Duty and these principal and secondary objectives interact.”

DSIT’s response stated “The Commissioner will have to consider these duties in his work, but he will have discretion as to their application.” In addition:

1. “The DUA bill requires the Commissioner to prepare and publish a strategy, outlining how the ICO will deliver on the principal objective and duties …
2. The ICO will be required to report on the framework – including its strategy – as part of its annual reporting to Parliament.
3. … the Information Commissioner is already subject to the Growth Duty, as set out in section 108 of the Deregulation Act 2015. However, the DUA bill does require the Commissioner to include how he intends to meet this duty as part of his new strategy, and report against it in his annual reporting – both of which are new requirements …”

Business groups tend to support the ICO’s recent framing of its mission as a whole economy regulator whose principal objective is to support economic growth. John Edwards, Information Commissioner, in his letter of 16 January, to the Prime Minister, the Chancellor and the DSIT Secretary of State, stated that he stands ready to support the government in its plans for sustainable economic growth by ensuring regulatory certainty.

While there is broad consensus about the need for economic growth, privacy rights advocates are critical of this re-orientation of the Information Commission. For example, on 26 and 27 February Dr Chris Pounder published 19 DUAB provisions which act to the detriment of data subjects. He suspects that “economic issues are overriding any privacy concerns.” One example is “The expansive powers in Schedule 7 that replace the transfer provisions in the UK GDPR create a risk to the Adequacy Decision with the European Commission because the UK and Commission can significantly diverge on their assessment of the level of data protection in a Third Country.”(1)

Political winds from the new US administration

A statement on 10 February at the AI summit in Paris by JD Vance, the new US Vice-President, criticised the EU GDPR and its compliance costs for US business. According to Euractiv, he “implied the dismantling of Europe's flagship tech regulations, the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR).”

It would be wrong to see a line running directly from the new US administration’s statements to the UK’s DUAB, but there seems to be a change of political atmosphere. In the early 1980s, I recall that US-based multinational companies often asserted that national data protection laws, such as those in the Nordic countries, France and Germany, were aimed at constraining these companies’ international transfers of personal data. Such sentiments from governments and multinational companies had disappeared until this year and had been replaced by respect for the aims of the laws, in principle, but with reservations about implementation details.

PL&B’s children’s privacy law conference on 11 March in London is fast approaching and features companies, age assurance, services, regulators and academics, and will draw on experience in the UK, France, Canada, the EU, Australia and Asia.

Get a 25% discount on registration with the discount code: CHILDREN25.

In-person places are limited so register now. We look forward to meeting you there.

Best regards,

Stewart Dresner
Publisher, Privacy Laws & Business

March 2025