There is a global movement toward increased innovation in the digital economy, propelled by the perceived potential around data use and AI technologies. The U.K. is among the nations preparing to seize the moment, but the Information Commissioner's Office indicated nothing will happen at the cost of data protection and consumer trust.
Following a consult between Information Commissioner John Edwards and Chancellor of the Exchequer Rachel Reeves, the ICO unveiled new commitments 17 March under the U.K. government's growth agenda that aim to leverage the existing data protection regulatory regime to support economic growth. The ICO's planned initiatives include piloting a new data protection sandbox regime, improved support for small and medium-sized businesses, updated guides for AI and international data transfers, and more.
"Our desire to promote innovation does not come at the cost of our duty to protect the public — in fact, they go hand in hand," Edwards said in a post detailing the measures. "Good regulation creates an environment where customers and businesses have trust that data will be looked after properly. This encourages the flow of data through the economy which is absolutely essential for growth."
The plan comes among a flurry of data protection news out of the U.K. in recent weeks, including news of a six-month extension on the deadline to renew the EU-U.K. adequacy decision. Moving the deadline from June to December allows the EU to have full consideration of adequate or equivalent data protection standards in the U.K. after it completes data reforms under the proposed Data Use and Access Bill.
The timeline for the DUA was recently updated as U.K. Minister of State for Data Protection and Telecoms Chris Bryant told IAPP Data Protection Intensive: UK 2025 attendees the bill is expected to be finalized by U.K. Parliament in April. Notably for the ICO, the data reforms will bring a change in organizational posture for the ICO while it will also oversee technology innovation and public safety matters in addition to its current data protection compliance enforcement.
And in relation to the current regulatory landscape, the ICO opened children's data protection investigations into social platforms TikTok, Reddit and Imgur while simultaneously releasing its latest progress report on the application and enforcement of the U.K. Children's Code. The actions marked an ongoing ICO priority to improve children's data protection standards that began in 2024.
'A controlled regulatory environment'
As similarly-sized global economies like the EU and the U.S. are exploring their own versions of deregulation to foster technological innovation, the ICO's approach signals the U.K. will attempt to find a middle ground between impactful regulation and unfettered technology use and development.
"There is a responsibility on all regulators to create an environment where businesses can flourish, and there is a particular onus on the ICO as a whole economy regulator to make sure companies can use data responsibly," Edwards said.
Replacing enforcement with more oversight is a clear goal within the measures.
The proposed sandbox update — referred to by the ICO as the "experimentation regime" — is designed to "enable businesses to trial innovative data-driven solutions within a controlled regulatory environment. The ICO added, "Organisations will be granted comfort from enforcement of certain data protection requirements, starting with consent rules for privacy-preserving advertising models."
Insights gleaned from participating projects are expected to spur future guidance on various data protection matters.
Additionally, the SME Data Essentials training program launching in 2025 will educate businesses on compliance to avoid potential malpractice and subsequent enforcement.
Allen & Overy Special Advisor Steve Wood, formerly a deputy commissioner at the ICO, said the office's plans build on "strong foundations" laid over many years. However, meeting government objectives with immediacy presents a challenge.
"What is unprecedented is the level of Government pressure to respond to the agenda," said Wood, who spent 15 years with the ICO. "The scale at which the ICO will be operating these innovation services at will also be a step change. Although the ICO has recently secured government agreement for an increased fee regime these innovation plans may still require a reallocation of resources."
Review and reshape
Existing regulatory tools and guides will also receive attention among the ICO commitments.
The guidelines to international data transfers will be reassessed to ensure it is "quicker and easier for businesses to transfer data safely." It's unclear how the new EU adequacy deadline will impact the expected guidance review or if the ICO will tailor separate guidance for EU-U.K. transfers.
The ICO also opened up about its timeline for potential rethink around the Privacy and Electronic Communications Regulations that will "enable a shift towards privacy-preserving online advertising models." Following development of a consensus position, the regulator will publish in fall 2025 a list of permissible "low-risk advertising activities" the ICO will not bring actions on.
The culmination of the advertising technology review will be secondary regulation on PECR consent requirements that promote "commercially viable" ad models with privacy principles.
Shoosmiths Partner Sherif Malak indicated the commitments "appear to hit all the right notes" to greenlight innovation, but time will tell if prescriptive rules are more appropriate.
"These measures will naturally have their limits as they will no doubt aim to stretch existing legal frameworks to deal with new technologies and may not deal with the elephants in the room," Malak said. "Fundamental issues such as web scraping to train AI or the realities of the ad-funded open web, may ultimately require a legislature, rather than a regulator, to help attain the threshold of much-needed certainty that businesses in the U.K. need to thrive."
Joe Duball is the news editor for the IAPP.
