UK Passes Data (Use and Access) Act 2025 Reforming UK Data Protection Laws

Having been passed by Parliament and receiving Royal Assent on June 19, 2025, the Data (Use and Access) Act (the "DUA Act") is now law, reforming the existing UK GDPR and Privacy and Electronic Communications Regulations. The DUA Act maintains the UK's existing data protection framework but introduces targeted refinements to reduce the compliance burden in respect of certain obligations. It introduces, amongst other things:

new legal bases for data processing under "recognized legitimate interests" (for which organizations would not need to carry out a legitimate interest assessment);

a more flexible test for "adequacy" for the purposes of assessing whether personal data can be transferred out of the UK, which is likely to result in "adequacy" decisions for more countries;

statutory confirmation that a search for personal data in response to an access request need only be "reasonable and proportionate," as previously indicated by the regulator;

less onerous consent requirements for certain common types of cookies; and

less stringent requirements for carrying out automated decision-making where "special category" data is not involved.

On the whole, the DUA Act is intended to ease businesses' compliance with data protection rules. However, it may increase compliance burdens (and costs) in some areas. For example, the DUA Act gives data subjects a right to request that the UK data regulator verify an organization's reliance on the legal professional privilege exemption to withhold information in response to an access request. In addition, the DUA Act increases the maximum fines under UK cookies and direct marketing rules (previously capped at £500k) to align with the UK GDPR maximum fines of 4% of annual revenue or £17.5m (whichever is higher).

The majority of DUA Act provisions only come into effect once the Secretary of State makes specific regulations (which are expected relatively quickly), although a small number apply immediately, including the statutory footing for the reasonable and proportionate searches in response to an access request.

Takeaway: The DUA Act marks the UK's first significant legislative divergence from EU data protection law since leaving the EU. Whilst many organizations will welcome the changes, uncertainty remains regarding how the EU will react to the UK watering down some of the GDPR's protections, especially in relation to the change to the adequacy test. The European Commission was due, by the end of June 2025, to re-evaluate whether the UK is itself an "adequate" country under the EU GDPR, but it extended the deadline to December 2025 so that it could take into account the final version of the DUA Act. In the meantime, organizations will want to familiarize themselves with the changes being made by the DUA Act and assess whether they need to make any updates to their privacy compliance programs.

Trump Executive Order Revamps U.S. Cybersecurity Policy

On June 6, 2025, President Trump signed an executive order setting out the "reprioritization" of U.S. cybersecurity policy. The new executive order indicates the Trump Administration's differing priorities in the cybersecurity space; however, the order does not fully repeal prior administrations' executive orders on the same topics. Rather, the Fact Sheet accompanying the executive order provides that the executive order "amends problematic elements of Obama and Biden-era Executive Orders (14144 and 13694)."

For example, Executive Order 13694 (signed by President Obama in 2015) authorizes the U.S. government to sanction individuals or entities determined to be responsible for, complicit in, or benefitting from significant malicious cyber-enabled activities that threaten the national security, foreign policy, or economic health or financial stability of the United States. Whereas the original executive order applies to both U.S. and foreign persons and entities, the new executive order permits sanctions against only foreign, but not U.S., persons and entities.

Executive Order 14144 ("EO 14144"), signed by President Biden in the last days of his presidency, is more significantly impacted by the new executive order. First, the new executive order rolls back requirements for software providers regarding secure development practices, such as ending the mandate that the Cybersecurity and Infrastructure Security Agency ("CISA") maintain a central database of attestations from software providers affirming that their development practices are secure. The new executive order also rescinds EO 14144's promotion of digital identity documents, expressing concern that digital IDs—such as driver's licenses and other documents—could be used by illegal aliens.

The new executive order also scales back portions of Biden's EO 14144 that sought to promote development in the fields of post-quantum cryptography (i.e., security measures to keep data secure from quantum computing attacks) and artificial intelligence. The new executive order sets forth updated directives on the use of post-quantum cryptography in line with agency recommendations (most notably CISA). This is a marked change from the Biden administration's more proactive approach, as EO 14144 pushed for the implementation of post-quantum cryptography requirements in federal systems; that provision was struck down by the new executive order. Regarding artificial intelligence ("AI"), the new executive order rescinds some Biden-era directives for AI development in the defense space, while also requiring that existing datasets used for cyber defense research be made available to the broader academic research community.

Takeaway: While the new executive order curtails governance in some areas (such as oversight of private-sector cybersecurity), critical issues in cybersecurity remain consistent across administrations, such as sensitivity to foreign cyber threats, information misuse, and the importance of software security. As such, companies should not expect the Trump administration to significantly loosen regulation or enforcement in these areas.

Vodafone Fined €45m for Vendor Diligence and Security Failures

Vodafone GmbH, a leading European telecoms operator, has been fined a total of €45m by Germany's Federal Commissioner for Data Protection and Freedom of Information (BfDI) for alleged serious data protection failures.

A €15m fine was issued for failing to adequately monitor partner agencies working for it, which the BfDI considered a violation of Article 28 of the GDPR. Some partner agencies had reportedly created fictitious contracts and made unauthorized contract changes on behalf of Vodafone, directly impacting customers. Vodafone had signed an Art. 28 GDPR Data Processing Agreement (DPA) with each of the partner agencies, but, per the BfDI, failed to appropriately audit the partner agencies and monitor their compliance with the provisions in the DPA. An additional €30m fine was imposed under Article 32 of the GDPR due to alleged security flaws in the "MeinVodafone" online portal hotline, which exposed user authentication processes and allowed unauthorized access to and misuse of customers' eSIM profiles. In response, Vodafone has reportedly overhauled its systems, separated from partners identified as being involved in fraud, and enhanced its security auditing procedures. Vodafone fully paid the fine, and the BfDI acknowledged Vodafone's full cooperation during the investigation.

Takeaway: Vendors and third-party partners remain a major source of cyber risk and data protection liability for organizations, not only at onboarding, but also thereafter. Vodafone's case serves as a stark reminder of the regulatory penalties and reputational harm that can be caused by insufficient IT modernization and inadequate oversight of third parties, both before contracting with vendors and third-party partners and during the term of the contractual relationship. Organizations will want to check their vendor and partner due diligence and monitoring policies and processes and assess whether any updates are warranted.

UK ICO Launches AI and Biometrics Strategy

The UK Information Commissioner's Office ("ICO") has unveiled a new strategy in relation to AI and biometrics. The initiative aims to support organizations developing and using AI and automated decision-making systems in complying with data protection rules.

The strategy includes developing a statutory code of practice to address how privacy should be safeguarded by organizations developing and using AI and automated decision-making systems. The ICO's strategy indicates that it is particularly concerned about the use of automated decision-making systems in recruitment and public services. In addition, the ICO plans to engage with the developers of generative AI foundation models to ensure they act responsibly and comply with data protection laws when using personal data to train their AI models. The ICO also intends to collaborate with law enforcement authorities to ensure facial recognition technologies are used fairly and proportionately.

Takeaway: The ICO is leveraging data protection rules to increase its supervision of AI and biometric technologies amidst public concern about transparency in relation to AI and the implications of using AI to make significant decisions. A statutory code of practice may provide helpful guardrails for organizations developing and deploying AI, but the ICO will need to strike a balance between providing clear guidance and allowing flexibility to address new innovations.

