The UK is now firmly on its own path

The Data Protection (Use and Access) Bill (DUAB) will soon be adopted. Changes are coming to the legislative framework but UK companies are less likely to be fined than their EU counterparts. However, the DUAB will give the ICO more fining powers, in effect a much bigger stick, under the Privacy and Electronic Communications Regulations (PECR) which will be matched with those of the GDPR. The ICO has been very active on children’s privacy, and it has made many large platforms change their practices by persuasion. Now a new era has started under the Online Safety Act for regulating harmful content for children.

Professor David Erdos of the University of Cambridge notes on LinkedIn that just three (UK) GDPR fines have been issued on average in each of the last five years. Erdos writes that substantive scrutiny by the Tribunal and the Courts has been lacking, and there has also been an absence of holistic oversight by Parliamentary committees(1). Lately, the ICO has confirmed a £3 million fine on Advanced Software Group. O’Carroll v Meta (2025) represents a different way of achieving a result – the ICO assisted an individual in a case settled by Meta and confirmed that targeted advertising is direct marketing.

So the UK’s differences from the EU are evident – it remains to be seen whether the EU Commission will revise the GDPR due to its general simplification agenda. We expect to hear more about this policy development very soon, but it is likely that reliefs will be mainly targeted at SMEs. A crucial part of the new global order affected by
events in the US is international data transfers – read an analysis.

The DUAB will introduce changes to the ICO’s structure. The ICO’s job advert for the Interim CEO said that the role will be filled by a person who is a “people-orientated and visible leader, who can maintain high levels of motivation and cooperation, setting and embedding a culture of curiosity, collaboration, impact and inclusion to deliver
regulatory interventions that improve people’s lives, reduce burdens, promote economic growth and innovation and enable efficient public services.”Anyone?

Laura Linkomies
Editor, Privacy Laws & Business

May 2025