The UK DUA Act’s Reform Pillars: Divergence from the EU GDPR - ICO Reform

Relevant DUA Act Provisions: Schedule 14, amending Part 5 and adding a new Schedule 12A into the DPA 2018; Amended Section 155 of the DPA 2018.

The DUA Act significantly reforms the governance and accountability structure of the Information Commissioner’s Office. The ICO is reconstituted as the "Information Commission," a new statutory body subject to strategic direction from the Secretary of State and consisting of executive and non-executive members, replacing the previous single-commissioner model. The reform brings the ICO closer in structure and accountability to other UK economic regulators such as the FCA and CMA.

Under new Schedule 12A, the Commission must:

  • Prepare and publish an annual strategic plan setting out its priorities.
  • Issue annual reports on its performance.
  • Take account of strategic priorities set by the Secretary of State, including policy statements relating to innovation, economic growth, and proportionality.
  • Be subject to enhanced parliamentary oversight, including appearance before select committees.

While the Commission retains its operational independence, the Secretary of State is empowered to issue statutory guidance on how the Information Commission exercises its functions, including prioritisation of regulatory activity. These directions are subject to public consultation but may influence how enforcement discretion is applied.

This governance shift is part of a broader realignment of the UK data protection framework toward economic and innovation objectives. However, it also raises questions about the Commission’s ability to act as an autonomous supervisory authority for the purposes of cross-border cooperation under Article 50 UK GDPR.

Divergence

The GDPR mandates supervisory authorities to act “with complete independence” under Article 52, free from external influence. The DUA Act introduces strategic oversight by the Secretary of State, raising concerns around regulatory capture and perceived impartiality. It also creates potential tensions with international adequacy frameworks that rely on the independence of national data protection authorities. While judicial review and consultation safeguards remain, the perception of reduced independence may complicate future adequacy negotiations or cooperation with EU/EEA authorities.

ICO commentary

The ICO has acknowledged the governance changes and confirmed its intention to operate independently and protect data subject rights within the reformed structure. It also welcomed its expanded fining powers (e.g. PECR fine alignment) as necessary to bring PECR enforcement in line with modern digital risks.

Recommendations

  • Monitor the Information Commission’s strategic plans, codes of practice, and formal consultations, especially where aligned with government innovation or growth priorities.
  • Evaluate compliance and enforcement risk in light of evolving ICO priorities and new penalty regimes.
  • Prepare to engage with formal consultations on future ICO guidance or statutory direction.
  • Review external communications and DPIAs to ensure alignment with emerging regulatory focus areas.

This article is part of a twelve-part series analysing the key legal reforms introduced by the Data Use and Access Act (DUA Act), which came into force on 19 June 2025. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are:

1. Recognised Legitimate Interests (RLIs)
2. Purpose limitation
3. Automated Decision-Making (ADM)
4. ADM in Law Enforcement and National Security
5. Data Subject Access Requests (DSARs)
6. Complaints handling
7. Age Appropriate Design Code (AADC or Children’s Code)
8. Scientific, historical and statistical purposes
9. International data transfers
10. Cookies and PECR Reform
11. Information Commissioner’s Office (ICO) Reform
12. Codified convergences with EU Law