UK Data (Use and Access) Act receives Royal Assent. More changes to UK privacy legislation
June 24, 2025
Privacy-related legislation is continuously changing in Europe and in many states of the United States of America. The UK has just made its own changes to such legislation, on 19 June to be exact, after the bill passed both the House of Commons and the House of Lords on 11 June 2025. Australia completed the first tranche of privacy reforms on 10 December 2025.
The amendments to the UK GDPR and Data Protection Act 2018 include:
- providing a revised legal definition of ‘recognised legitimate interests’, which is narrower and more public sector focused, and setting out a list of bases for processing personal data. The Secretary of State can amend the list.
- clearer provisions regarding the meaning of legitimate interest with references to direct marketing, transmission of personal data for internal administration purposes, and what processing is necessary to ensure the security of network and information systems.
- providing the Secretary of State with power to designate additional special categories of personal data and additional processing categories under special category data.
- a revised scientific research definition.
- an expanded provision on the meaning of further processing and what constitutes compatible processing.
- narrowing the prohibition on automated decision-making.
- providing specific provisions regarding children’s “higher protection matters”, with a need to take account of the same when providing information society services that are likely to be accessed by children.
- codifying the data protection test for assessing adequacy of third countries or international organisations.
- specifying that exporters of personal data should act reasonably and proportionately when making transfers subject to appropriate safeguards.
- codifying the existing ICO guidance that organisations need to conduct reasonable and proportionate searches when responding to data subject access requests.
- adjusting transparency requirements when it is impossible or involves disproportionate effort to inform data subjects of further processing for research purposes.
- provisions establishing smart data schemes and digital verification services.
- provisions relating to:
  - online safety research and data retention,
  - national security,
  - intelligence service and law enforcement use of data,
  - National Underground Asset
  - Births and Deaths registers,
  - information standards for health and social care,
  - smart meters; and
  - overseas trust services.
The legislation also updates the e-privacy regime in the UK, by allowing certain cookies to be set without consent and aligning fines with those under the UK GDPR, being a maximum of 4% of annual worldwide turnover or £17.5m.
The legislation sets out in greater detail the ICO’s role and its enforcement powers, and brings the ICO in line with other UK regulators.