Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology, what assessment she has made of the potential implications for her data protection polices of the enforcement action taken by the Agencia Española de Protección de Datos against Yoti in March 2026.

Organisations such as Yoti that process biometric data of UK users, through the provision of digital verification and age assurance services, have to comply with the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR). As such, the processing must be fair, lawful, transparent and secure. Organisations must have a lawful basis for the processing of personal data under Article 6 of the UK GDPR. For processing of biometric and other sensitive data, they must also have a specific Article 9 condition, such as a user’s explicit consent.

DSIT monitor developments in this space and supports the Information Commissioner’s Office (ICO) in providing guidance to organisations to help their compliance. The ICO, working with Ofcom, has recently published guidance on age assurance and is engaging with the age assurance industry through a programme of risk reviews.

The ICO can take enforcement action against those organisations that have breached the UK’s data protection legislation.