By: ICCSO
Published: June 15, 2025
LONDON — The UK Parliament has officially passed the Data Protection and Digital Information (DPDI) Bill, marking a landmark moment in the government’s post-Brexit digital strategy. After more than two years of consultations, revisions, and political disputes, the Bill received Royal Assent on June 13, 2025, becoming law.
Promoted as a modernised alternative to the EU’s General Data Protection Regulation (GDPR), the DPDI Bill is designed to provide a “pro-growth and pro-privacy” framework tailored to UK businesses and public institutions. It introduces new rules on digital identity, government data sharing, and streamlined compliance for small businesses.
Timeline of the Bill’s Passage
| Date | Milestone |
|---|---|
| September 2021 | UK Government opens consultation on reforming UK data laws post-Brexit. |
| July 2022 | Original Data Reform Bill introduced under then-Culture Secretary Nadine Dorries. |
| September 2022 | Legislative work paused amid Conservative Party leadership changes. |
| March 2023 | Revised version titled DPDI Bill introduced under Michelle Donelan (DCMS Secretary). |
| April–June 2023 | First and second readings in the House of Commons. Civil society groups raise concerns. |
| July 2023 | Committee stage: over 40 proposed amendments debated, many voted down. |
| November 2023 | Bill passes third reading in Commons amid criticism from opposition MPs. |
| February 2024 | House of Lords scrutiny begins; Lords raise concerns on biometric data use and oversight. |
| March 2025 | Government introduces last-minute amendments to secure cross-party support. |
| June 13, 2025 | Bill passes final Lords vote and receives Royal Assent. Now in effect. |
Key Provisions of the DPDI Bill
- Eases compliance burdens for small and medium enterprises (SMEs).
- Allows data processing without consent in “legitimate interest” cases (e.g. research, fraud prevention).
- Establishes a legal basis for government data sharing across departments.
- Creates framework for digital identity systems, enabling secure online access to public services.
- Reforms and renames the Information Commissioner’s Office (ICO) as the Information Commission with a new governance model.
- Introduces Smart Data Schemes, enabling consumers to share their data with third-party services in sectors like telecoms and finance.
Political and Civil Society Response
Government’s Position
“This Bill cuts red tape, boosts innovation, and ensures the UK remains a world leader in digital policy,” said Michelle Donelan, Secretary of State for Science, Innovation and Technology.“We are striking the right balance between economic growth and individual privacy.”
Opposition and Watchdog Concerns
- Labour and Liberal Democrat MPs opposed certain provisions, particularly the expanded data-sharing powers granted to government bodies without explicit user consent.
- The Open Rights Group, Liberty, and Big Brother Watch warned that the reforms weaken individual protections and increase surveillance potential.
“This law gives ministers the power to decide when your personal data can be shared, bypassing the protections GDPR gave us,” said Silkie Carlo, Director of Big Brother Watch.
Business and Industry Reactions
Industry groups largely welcomed the reforms:
- techUK, representing the UK technology sector, praised the Bill’s clarity on data use for AI development and its simplification of record-keeping obligations.
- The Confederation of British Industry (CBI) estimated the reforms could save £4 billion in compliance costs over 10 years.
“The Bill gives British businesses the certainty and flexibility they need to innovate responsibly,” said Julian David, CEO of techUK.
However, some multinational firms remain concerned about data adequacy implications with the European Union.
EU Data Adequacy Risk
The EU previously granted the UK data adequacy status in 2021, allowing for the free flow of personal data between the UK and EU. Under GDPR, this is subject to periodic review.
“This reform could trigger a reevaluation of UK adequacy if the EU deems the UK’s regime to be too divergent,” warned Professor Mark Watts, a data protection expert at University College London.
The next review of UK adequacy by the European Commission is scheduled for late 2025.
Next Steps
- The Department for Science, Innovation and Technology (DSIT) will begin phased implementation by Q4 2025.
- The Information Commission will issue updated guidance for data controllers and public-sector bodies.
- A public awareness campaign is expected to launch later this summer to help individuals and businesses understand the new rights and obligations.
🔗 Sources
- UK Parliament Bill Tracker – Data Protection and Digital Information Bill
- Department for Science, Innovation and Technology (DSIT) – Official press release (June 13, 2025)
- BBC News – “UK Passes Data Reform Bill After Two-Year Battle”
- Open Rights Group – Public statement on DPDI Bill
- techUK – Industry response, June 2025
- The Guardian, Sky News – Parliamentary coverage archives
- Royal United Services Institute (RUSI) – Policy brief on UK-EU data divergence
Note: Information contained in this report is based on official statements from the UK Ministry of Defence, the National Cyber Security Centre (NCSC), and publicly available news sources, including the BBC, The Guardian, and Sky News as of June 2025. ICCSO takes care to ensure all reporting is accurate and timely at the time of publication.