UK Data Protection and Digital Information Bill

The Data Protection and Digital Information Bill: An In-Depth Analysis

Data protection reform · UK GDPR · Digital governance

The Data Protection and Digital Information Bill should no longer be treated as a live Bill. It did not become law. The current legal reference point is the Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025 and is being brought into force in stages. The practical issue is not whether the UK has abandoned data protection, but how far the new Act changes the balance between data use, individual rights, regulator accountability, innovation and public trust.

Category
Data protection
Jurisdiction
United Kingdom
Reading time
c. 12 minutes
Last reviewed
3 July 2026
By-line
Legal Lens

Publication snapshot

The 2023 Data Protection and Digital Information Bill has been overtaken by events. The current statute is the Data (Use and Access) Act 2025. It amends the UK GDPR and the Data Protection Act 2018, creates new machinery for data use and access, reforms aspects of subject rights and automated decision-making, changes international transfer tests, establishes the Information Commission, and gives the regulator additional powers. The policy direction is clear: more usable data, more flexibility, and an attempt to preserve public confidence through accountability mechanisms.

Why the old Bill frame is now wrong

Any article still describing the Data Protection and Digital Information Bill as being in its final parliamentary stages is now out of date. That Bill was a Conservative Government Bill from the 2022-23 and 2023-24 sessions. It reached the House of Lords, but it did not receive Royal Assent before the 2024 general election. It should not be presented as pending reform in 2026.

The live legislative frame is the Data (Use and Access) Act 2025. That Act was introduced under the subsequent Parliament, originated in the House of Lords, and received Royal Assent on 19 June 2025. It covers a broad field: access to customer and business data, digital verification services, registers, birth and death registration, personal data regulation, privacy and electronic communications, health and social care information standards, smart meter communications, public-service data sharing, online-safety research, biometric data, trust services and intimate image offences.

That wider frame matters. The Act is not only a narrow data protection amendment. It is part of a wider policy move towards data infrastructure: using information to support public services, regulated markets, digital identity, research, AI-adjacent governance, safety and administrative efficiency. The question is whether that move preserves the accountability that makes data use legitimate.

What the 2025 Act does

The Act is best understood as a recalibration. It does not remove the UK GDPR or the Data Protection Act 2018. It amends them. The UK remains a data protection jurisdiction built around lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability. However, the Act adjusts how parts of that regime operate.

The Government’s UK GDPR and DPA factsheet identifies changes concerning research and statistical purposes, broad consent for scientific research, recognised legitimate interests, further processing, international-law-based public interest processing, subject rights, automated decision-making, children’s higher protection matters, law enforcement logging, international transfers, and research safeguards.

Data use

More statutory confidence for research, further processing, recognised legitimate interests and some public-interest uses.

Rights and safeguards

Updated rules on subject requests, complaints, automated decision-making and children’s higher protection matters.

Regulator structure

Creation of the Information Commission and new powers intended to strengthen investigation and accountability.

The political language around the Act is often about growth and innovation. The legal question is more exact: where the Act makes data easier to use, has it kept the safeguards clear, enforceable and visible to the person whose data is being used?

UK GDPR continuity and change

The most important correction to the public debate is that the UK has not simply replaced GDPR with a light-touch free-for-all. The UK GDPR remains the central framework for most personal data processing. The Act changes parts of that framework, but it does not abolish the basic architecture.

Some changes are designed to make the rules easier to apply. For example, the Act clarifies research and statistical purposes and brings broad research consent into the main text of the legislation. Other changes are more sensitive because they affect the balance between administrative convenience and individual control. The new recognised legitimate interests route removes the need for the usual balancing exercise in specified circumstances, although necessity still matters. The further-processing provisions also seek to clarify when data can be reused for a new purpose.

Those changes may reduce friction for organisations. They may also make it harder for individuals to understand why their data has moved from one purpose to another. That is the public-confidence issue. A simpler route for organisations must still be explainable to the people affected by it.

Individual rights and complaints

The Act changes the practical handling of data-subject rights. The Government factsheet says the Act clarifies rules around subject access requests, introduces a stop-the-clock provision where clarification or further information is needed, and codifies the requirement for reasonable and proportionate searches.

Those changes are not automatically anti-rights. Subject access can be burdensome, especially where requests are broad, historic or technically complex. However, the practical risk is that organisations may use clarification and proportionality language to narrow requests too aggressively. The safeguard is evidence. A controller should be able to show why clarification was needed, what search was reasonable, what systems were checked, what was excluded, and why.

The Act also creates a direct complaint-handling requirement for controllers. That is significant. A person should not have to jump immediately from frustration with a controller to a regulator complaint. A functioning internal complaint process can resolve errors earlier, reveal poor practice, and create a record if escalation is needed. The value of that reform will depend on whether complaint routes are accessible, timely and substantive rather than merely procedural.

01

Request

The individual asks for access, correction, erasure, objection, restriction or explanation.

02

Clarify

The controller may need clarification, but should be able to justify why it was needed.

03

Search

The search must be reasonable and proportionate, with a defensible record of what was checked.

04

Respond

The outcome should explain the decision, the documents, any exemptions and the route to complain.

Automated decision-making

Automated decision-making is one of the Act’s most important practical issues. The previous UK GDPR approach was built around a general restriction on solely automated decisions with legal or similarly significant effects, subject to limited conditions. The Act replaces that with a more permissive framework, while retaining safeguards.

The Government describes the reform as enabling wider use of solely automated decision-making where safeguards are in place. Those safeguards include giving people information about significant decisions, allowing them to make representations, enabling them to challenge decisions, and allowing them to obtain human intervention.

The tension is obvious. Automation can speed up decision-making and improve consistency. It can also produce opaque, unfair or poorly understood outcomes. In welfare, finance, employment, housing, policing, immigration, education, insurance and health-adjacent systems, an automated decision can have real consequences for a person’s life. A right to human intervention is only meaningful if the human review is informed, independent enough, and capable of changing the outcome.

Automation discipline

The practical test is not whether a human appears somewhere in the workflow. It is whether the affected person can understand the decision, challenge the basis of it, and obtain a meaningful reconsideration by someone with authority to correct it.

Public services and data sharing

The original article rightly identified public-service delivery as a major theme. The current Act confirms that direction. It includes provision about the disclosure of information to improve public service delivery and sits alongside wider measures on smart data, digital verification services, health and social care information standards, online-safety research and infrastructure registers.

Better data sharing can make public administration less fragmented. It can reduce repetition, support eligibility checks, improve research, identify risks and make services more responsive. But public-service data is often high sensitivity data. It may concern poverty, health, education, safeguarding, disability, immigration, social care, criminal justice, housing or family life. Efficiency cannot be the only measure of success.

The central safeguard is purpose discipline. Public bodies and private partners should be able to explain what data is shared, why sharing is necessary, what legal basis applies, what safeguards are in place, how long records are retained, who has access, how errors are corrected, and how affected individuals can challenge misuse.

The Information Commission

The Act establishes the Information Commission to replace the current Information Commissioner’s Office structure. The Government factsheet says the new body will be led by a chair, chief executive and other executive and non-executive members, with shared decision-making responsibilities. The chair will retain the title Information Commissioner.

The stated purpose is governance resilience. A corporation sole model concentrates formal authority in one office-holder. A board-style structure may improve institutional capacity, continuity and scrutiny. However, structure alone does not guarantee stronger regulation. The public-interest question is whether the regulator has sufficient independence, expertise, enforcement appetite, resources and transparency.

The Act also gives the regulator additional tools. These include powers connected with information notices, assessment notices, commissioned reports, interview notices and changes to penalty-notice processes. These powers matter because modern data investigations can be technical. A regulator that cannot obtain technical evidence cannot properly test complex systems.

EU data transfers

UK-EU data transfers remain one of the most sensitive political and commercial issues in UK data reform. The UK’s post-Brexit data regime depends, in part, on whether the European Commission regards the UK as providing an adequate level of protection for personal data flowing from the European Economic Area.

The concern during the Bill debates was that too much divergence from EU standards could endanger adequacy. That concern remains a useful discipline even where disruption has been avoided. Data adequacy is not only a technical trade issue. It is also a trust judgment about legal standards, safeguards, regulator independence, surveillance boundaries, onward transfers and rights protection.

The Act’s international-transfer reforms introduce a test based on whether the recipient country or international organisation has a standard of data protection that is not materially lower than the UK standard. That language matters. It signals a UK-specific transfer test rather than simple replication of EU terminology. The practical challenge is to make that test predictable for exporters and credible to overseas partners.

The implementation test

The Act’s significance will be determined less by its political branding than by implementation. Much of the Act comes into force in stages. Organisations therefore need to track commencement, ICO guidance, internal policy updates, contract changes, transfer mechanisms, automated-decision safeguards, complaint-handling procedures and staff training.

For businesses, the opportunity is not simply lighter regulation. It is clearer operational design. A business that can explain its lawful basis, reuse decisions, transfer assessment, automated-decision process, complaints route and subject-access search logic will be in a stronger position than one that treats the Act as permission to loosen controls.

For individuals, the test is whether rights remain practical. Can a person find out what happened to their data? Can they obtain a reasoned response? Can they challenge automated or opaque decisions? Can they complain to the controller and then to the regulator with a proper paper trail? Can they understand when their data has been reused or transferred?

For organisations

Update records of processing, lawful-basis reasoning, SAR handling, complaint routes, transfer assessments and automation safeguards.

For individuals

Keep requests, responses, clarification messages, refusal reasons, automated-decision notices and complaint correspondence.

For public bodies

Record the purpose, legal basis, necessity, safeguards, retention period and accountability route for data sharing.

Source anchors

These sources support the legal and regulatory framework used in this article. They do not prove any disputed complaint, breach or organisation-specific failure.

The Legal Lens point

The Data Protection and Digital Information Bill is now history. The Data (Use and Access) Act 2025 is the current framework. That shift should change the article from a preview of possible reform into an accountability analysis of enacted reform.

The Act’s success will depend on whether flexibility produces responsible data use rather than weaker transparency. Data can improve services, research and innovation. It can also deepen power imbalances if people cannot understand, challenge or correct what is done with their information. The legal question is not whether data should be used. It is whether the use is lawful, necessary, transparent, accountable and open to meaningful challenge.

Data protection route map

If a data protection issue needs structure, Legal Lens can help organise the documents, legal route and practical questions before correspondence, complaint escalation, publication or specialist legal review.

Identify the data route

Clarify whether the issue concerns access, erasure, automated decision-making, data sharing, transfer, complaint handling or regulator escalation.

Map the evidence

Collect requests, responses, privacy notices, data-sharing records, policies, screenshots, decisions and chronology.

Choose the next step

Separate internal complaint, ICO complaint, legal correspondence, public-interest article and specialist advice routes.

Issue map

Rights, routes, records, duties and decision points.

Evidence schedule

Requests, responses, notices, chronology and missing documents.

Independent Legal Lens consultancy. Legal Lens is not a regulated solicitors' firm. A preliminary assessment is not a substitute for regulated legal advice where that is needed.

Legal Lens publishes public-interest commentary and practical legal education. This article is not legal advice. Data protection issues may overlap with privacy, public law, employment, education, health, safeguarding, equality, consumer, online safety, platform governance and regulatory complaint routes.

Leave a Reply

Your email address will not be published. Required fields are marked *

Skip to toolbar