Privacy & Information Security Law Blog

On February 10, 2025, the UK Information Commissioner’s Office (“ICO”) released an updated response to the draft Data (Use and Access) Bill (the “DUA Bill”), providing comments on the amendments made to the DUA Bill by the House of Lords. The ICO provided its initial response to the DUA Bill in October 2024. As stated in its latest response, the ICO continues to “support” the DUA Bill as “improving the effectiveness of the data protection regime in the UK, upholding people’s rights, providing regulatory certainty and clarity for organisations and improving the way the ICO regulates.”

The ICO’s views include:

• Definition of scientific research: the DUA Bill was amended so that references to processing of personal data for the purposes of scientific research are limited to processing “for the purposes of any research that can reasonably be described as scientific and that is conducted in the public interest, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity.” The key amendment in this respect is the addition of the public interest test. The ICO confirmed it will provide guidance on what is meant by public interest in this context.

• Duties to protect children: with regards children’s data, the House of Lords introduced, amongst other things, the concept of “higher protection matters” and an obligation on controllers to take such into consideration when assessing appropriate technical and organizational measures for information society services likely to be accessed by a child. In the latest DUA Bill, children’s “higher protection matters” are defined as: “(a) how children can best be protected and supported when using the services, and (b) the fact that children i) merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing, and ii) have different needs at different ages and at different stages of development.” The ICO confirms that while a business may be required to take different steps when handling the data of children as opposed to adults, the underlying data protection principles remain the same. The ICO therefore expresses concern that the amendments proposed by the House of Lords may suggest that the Age Appropriate Design Code (also known as the Children’s Code) reflects a higher legal standard that when processing data about adults.   The ICO believes it would be helpful if government could provide clarify on the meaning of “higher protection matters,” specifically limb (a) of the definition.  

• Direct marketing for charities: the “soft opt-in” rule for marketing has been extended to charities in the latest amendments to the DUA Bill. Under the current law, the rule only applies to commercial organizations; it permits a business to send direct marketing on an opt-out basis to individuals that have an existing relationship with such business through the sale of goods or services. The ICO welcomes the extension of the rule to charities but cautions charities to be careful regarding implementation of such practices.

• Codes of practice: the ICO will be required through secondary legislation to produce two new codes of practice related to automated decision-making and artificial intelligence, and edtech. The ICO welcomes this opportunity.

• Web crawlers: the DUA Bill now includes new responsibilities for the ICO to regulate the transparency of web crawler use, aiming to increase the ability of creatives to assert and enforce their copyright. At this stage, the ICO has not been consulted on this amendment; it looks forward to discussing it with government.

• Deepfakes: new criminal offenses have been introduced regarding sexually explicit images digitally produced without consent. The ICO supports the intent behind the creation of such criminal offences but notes a potential incompatibility with the European Convention of Human Rights. The ICO would therefore “welcome assurance” that the government has assessed any implications on the UK adequacy decision.

The DUA Bill is now being considered by the House of Commons. It is expected that the DUA Bill will be finalized in the coming months.

Read the full response from the ICO and the draft Bill.