United Kingdom
Why has NHS England been abolished, and what does it mean for patients?
- On March 13th, 2025, Keir Starmer announced that NHS England, the body that has managed the delivery of healthcare services in England since 2013, will be abolished and merged with the Department of Health and Social Care (DHSC).
- Starmer cited the cost-saving and bureaucracy-cutting benefits of this move, stating: “I can’t, in all honesty, explain to the British people why they should spend their money on two layers of bureaucracy [NHS England and the Department of Health and Social Care]. That money could and should be spent on nurses, doctors, operations, GP appointments.”
- Currently, NHS England employs 13,000 staff. According to an email from NHS England’s outgoing chief executive Amanda Pritchard, the size of the NHS England workforce “could…decrease by around half”, while others will start working for the DHSC. Following her lead, most of the organisation’s most senior executives have also recently announced their departure.
UK minister says Data Use and Access Bill in final stages
- According to U.K. Minister of State for Data Protection and Telecoms Chris Bryant, the U.K.’s data reform package is in its “final straights” and will likely be completed later this spring.
- As of March 12th, 2025, the bill is now in the House of Commons report stage. After this stage, the bill will be subject to a third reading before reaching final stages, with an additional consideration of amendments and then Royal Assent.
- Since its introduction to U.K. Parliament in October 2024, the Data Use and Access Bill has undergone several amendments in the House of Lords, which passed the bill last month. Notably, the House of Commons has since steered away from those amendments.
- This Bill represents the U.K.’s third attempt to modernise data use and privacy protection, after the proposed Data Protection and Digital Information Bill failed to pass before last July’s national elections. “The single most important thing for us is to improve trust in the use of data,” Bryant stated, noting the legislation empowers the Information Commissioner’s Office to increase trust.
United States
UK, US Hold Talks in Bid to Resolve Apple Encryption Feud
- British officials have held private talks with their US counterparts to address concerns that the UK is trying to force Apple Inc. to build a backdoor into the encrypted data of American citizens.
- These concerns arose after British authorities ordered Apple to remove its most advanced encrypted security feature for cloud data in the UK to facilitate national security and criminal investigations.
- Last month, US Director of National Intelligence Tulsi Gabbard called for an inquiry into this matter, raising concerns about what she called a “clear and egregious violation of Americans’ privacy and civil liberties.” The suggestion of a backdoor into Apple users’ data could also “open up a serious vulnerability for cyber exploitation by adversarial actors,” she warned.
- On Friday, March 14th, 2025, Apple’s appeal against the UK order commenced in a secret hearing at the Royal Courts of Justice. The hearing was held in private because it relates to Britain’s security services.
Europe
European commissioner discusses EU-US Data Privacy Framework, potential GDPR reform
- In response to criticism from U.S. Vice President JD Vance over the EU’s stringent data protection laws, including the General Data Protection Regulation (GDPR) and Digital Services Act, the EU has pledged to slow down on new digital regulations to support innovation. Notably, the EU recently abandoned proposals such as the AI Liability Directive and the ePrivacy Regulation.
- The European Commission is now exploring potential changes to existing regulations, particularly regarding how the GDPR applies to small and medium-sized businesses. European Commissioner Michael McGrath noted efforts to ease regulatory burdens on these “smaller organisations…. while preserving the underlying core objective of our GDPR regime”.
- However, it remains unclear how the EU and U.S. will reconcile these changes while maintaining the EU-U.S. Data Privacy Framework (DPF). McGrath emphasised the EU’s commitment to “full implementation and enforcement of the Data Privacy Framework”, while also monitoring U.S. developments that may complicate its application.
International
New authority established for personal data protection in Mexico
- On November 24th, 2024, the Mexican Senate dissolved seven autonomous constitutional bodies, including the National Institute of Transparency, Access to Information, and Protection of Personal Data (“INAI”), which played a crucial role in ensuring government transparency and personal data protection.
- This constitutional reform transferred data protection responsibilities solely to the Ministry of Anti-corruption and Good Governance.
- On February 20th, 2025, President Claudia Sheinbaum submitted a bill to revise national data protection laws, introducing a new process for challenging ministerial decisions through specialised courts. The bill otherwise keeps most principles, rights, procedures, and sanctions in line with previous laws.
- However, the dissolution of INAI, which was a constitutionally autonomous body independent of any government branch, is viewed as a setback for the data protection framework in Mexico.
The current state of affairs for AI regulation in Australia
- Australia has confirmed its position on artificial intelligence (“AI”) in recent weeks, with Privacy Commissioner Carly Kind signing an international joint statement on building trustworthy data governance frameworks to encourage the development of innovative and privacy-protective AI.
- Currently, unlike the European Union, which has its AI Act, Australia does not have specific legislation governing AI. Instead, several federal government departments have issued AI-specific guidance notes and standards, including the Office of the Australian Information Commissioner’s (“OAIC”) guidance on privacy and generative AI models, and the Department of Industry, Science and Resources’ ‘Voluntary AI Safety Standard’.
- The OAIC guidance outlines key practical principles for developers to meet their privacy obligations when training and implementing generative AI models, such as ensuring accuracy in training data, complying with privacy laws for publicly available data, obtaining consent for sensitive data, and adhering to use and disclosure obligations. The Voluntary AI Safety Standard, by contrast, focuses more on organisations’ use of AI, providing ten guardrails.
- However, ultimately, without an enforceable regime specifically for AI, the Australian government may struggle to achieve the regulatory cohesion and effectiveness it aspires to.