Privacy and Data Protection Quarterly Snapshot 2025
Monday 16th June 2025
Welcome to our Spring Snapshot, covering data protection news and developments over the last few months, and looking forward to changes on the horizon.
In this edition we look at:
- Data (Use and Access) Bill to become law imminently;
- Online Safety Act – phased implementation update;
- extension to the UK’s adequacy decision determination by the EU;
- ICO set to release draft encryption guidance; and
- our upcoming webinar: Direct Marketing – Best Practice and Pitfalls.
Data (Use and Access) Bill close to final form
The Data (Use and Access) Bill is likely to become law imminently as it has passed through both houses in June 2025. The new law amends and supplements the UK GDPR and Data Protection Act 2018. For a full breakdown of the key changes applicable to commercial organisations please read our article here.
Online Safety Laws – phased implementation update
The first phase of the Online Safety Act – the Illegal Harms Codes of Practice – came into effect on 17 March 2025.
This requires platforms to take proactive measures against illegal content by having clear and accessible terms of use, rigid risk assessments and monitoring processes and providing a user-reporting system.
Phase two focuses on protection particularly for women and children. Platforms were under a duty to undertake children’s access assessments by 16 April 2025. If a platform is likely to be accessed by children, further risk assessments must be completed by July 2025. Guidance on age assurance for pornography providers was published in January 2025 and Ofcom began enforcement action against non-compliant providers from this date. It has been announced that pornography websites can expect further enforcement of the Act’s age assurance requirements soon.
Phase three centres on additional requirements imposed on some platforms. The Threshold Conditions Regulations came into force in February 2025, categories will be announced by Summer 2025, and duties enforceable by early 2026.
Extension to the UK adequacy decision
The European Data Protection Board (EDPB) granted a six-month extension to the UK’s adequacy decision under the EU GDPR and the Law Enforcement Directive. This extension, announced on 6 May 2025, ensures the continued free flow of data from the EU to the UK until 27 December 2025, allowing the UK to complete the legislative process for the Data (Use and Access) Bill. The EDPB emphasised that further extensions should not be expected.
Draft encryption guidance
The Information Commissioner’s Office (ICO) remains active in the data protection landscape. The ICO is currently consulting on updated guidance on encryption, with the consultation set to close on 24 June 2025.
The guidance would cover encryption in the context of the UK GDPR and how organisations can use it in different contexts. It includes several scenarios where organisations can use encryption to protect personal information, as well as highlighting the key risks of doing so.
If you have any questions or would like to discuss your business’ privacy and data protection compliance, feel free to contact one of our experts here.
