UK Data Protection Post-Brexit: The Evolving Landscape

David Erdos

SSRN Electronic Journal · 2026

Post-Brexit, the UK has clearly shifted to a more business and government-friendly data protection approach. Nevertheless, although wider changes have eliminated data protection as a fundamental right and deprived the UK GDPR of primacy vis-à-vis exemptions from the regime, the specific substantive reforms of the Data (Use and Access) Act 2025 are modest. Although limitations on automated individual decision-making rights do go further, almost all its substantive changes merely gloss prior law or could have found justification within the UK (and EU) GDPR's restrictions clause.

Of more significance is the attempt, partly on the back of DUAA itself, to further and entrench a very limited and selective approach to regulatory enforcement. This approach seriously diverges not only from the exacting standards of the Court of Justice of the EU but also from the EU's practical norm. For example, whereas the EU issued 1,396 data protection fines of €1,254m or around £1,062m in 2024, the 2024/25 ICO figures are only 2 and around £4m respectively.

Given that the UK GDPR's legal enforcement duties also remain largely intact, the extent to which this attempt at limitation will succeed remains uncertain. It should nevertheless lead to some questioning of whether UK data protection regulatory supervision is truly grounded in a rule of law which systematically safeguards data subjects' rights.