UK Data (Use and Access) Act comes into force
The question
What are the key elements of the UK’s new Data (Use and Access) Act (DUAA)?
The key takeaway
The DUAA has completed its passage through Parliament and received Royal Assent. Whilst it does not stray far from the UK GDPR, it does introduce a number of new pro-business changes to the UK data protection regime, with the overall aim of harnessing the power of data to generate economic growth.
The background
The DUAA, which was introduced to Parliament on 24 October 2024, (see our Winter 2024 edition of Snapshots) is a new law which updates current data protection legislation and introduces a new Smart Data scheme (that allows for the sharing and access of customer and business data), new digital verification services, and changes to the structure of the ICO.
It was originally proposed by the previous Conservative Government as the Data Protection and Digital Information Bill (DPDI Bill) as a progressive, business-friendly framework that would cut down on costs and paperwork. However, this failed to become law before the July 2024 general election, paving the way for the current Government to recalibrate the UK's approach to data protection in the form of the DUAA. In the last few months, debates over the use of copyrighted material for AI training threatened to overturn the bill but a compromise position was eventually reached.
The development
On 19 June 2025 the DUAA received Royal Assent, marking the conclusion of its long road through Parliament. The DUAA restructures the ICO, now to be known as the 'Information Commission', replacing the single Information Commissioner role with a Chair and a board of directors. The new Information Commission is granted new powers, including the right to compel witnesses to attend interviews, request technical reports and issue greater fines for breaches of PECR (see below).
The DUAA introduces the following key amendments to the UK data protection regime:
- legitimate interests: it includes certain “recognised legitimate interests” which do not require that a balancing test is performed to be relied on as a lawful basis of processing. Additions to this list can be made by the Secretary of State but must be in the public interest. Otherwise, businesses can rely on the existing legitimate interest lawful basis subject to performing the balancing test. The DUAA includes certain types of processing that might fall within this category eg processing for direct marketing, intra-group transmission for admin purposes and to ensure security of IT systems (these examples were already in the recitals of the UK GDPR but for clarity have been moved into the substantive provisions)
- automated decision-making: it permits automated decision-making in many cases. However, there are safeguards to protect the rights and interests of the data subject for ‘significant decisions’ based solely on automated processing. These include providing information about the automated decision-making and allowing the affected individual to make representations, obtain meaningful human intervention and contest decisions
- research and statistics: it clarifies the meaning of scientific research purposes and statistical purposes in the UK GDPR. For example, it makes clear that data processing in the context of a privately-funded commercial activity or technology development can still benefit from the provisions related to scientific research as long as the activities can reasonably be described as scientific
- data protection test: it provides for a new “data protection test” instead of the adequacy test under the EU GDPR to be carried out prior to any international transfer. Organisations will be required to consider whether the standard of data protection in a third country is “not materially lower” than that under the UK GDPR
- special category data: it allows the Secretary of State to amend the Article 9 prohibition on processing special category data to add new special categories of data (eg neuro data), state that certain processing does not fall within the prohibition and amend how an exception to the prohibition should apply
- DSARs: it codifies case law by providing that organisations only have to carry out reasonable and proportionate searches when responding to a data subject access request (DSAR) but must do so “without delay” and in any case within a month of receiving the request, subject to exceptions where an extension is available. It also introduces a 'stop the clock' rule allowing organisations to pause the response time if more information is needed from the requester. This change to DSARs came into effect immediately upon Royal Assent and is backdated to 1 January 2024
- processing purposes: it clarifies when processing may be carried out for a new purpose which is compatible with the original purpose of processing
- PECR: it aligns the fine for The Privacy and Electronic Communications Regulations (PECR) breaches and the time limit for reporting PECR breaches to the GDPR standard in both cases (ie fines of up to £17.5m or 4% of global turnover). It also introduces an exception to the requirement for consent for certain non-intrusive cookies or similar technologies (eg to measure website use in order to improve the site), provided that users are given clear and comprehensive information about the cookies and an opportunity to object
- children's data protection by design: it amends Article 25 of the UK GDPR to ensure that processing carried out when providing information society services (eg apps, social media platforms, search engines) which are likely to be accessed by children takes into account the protection of children
- mandatory complaint procedures: it requires organisations to implement a formal complaint-handling mechanism for individuals exercising their data rights. Acknowledgment must be issued within 30 days, with a clear path to resolution or escalation.
Towards the end of its legislative journey, the House of Lords introduced amendments in relation to AI and copyright law. Baroness Kidron, alongside several other prominent members of the House of Lords, proposed provisions to empower online creators to protect their IP rights from operators of web crawlers and general-purpose AI models. On this issue, the DUAA also faced much-publicised opposition from high-profile musicians such as Sir Elton John who argued that without such amendments AI operators could train their AI models on copyrighted content without the consent of artists and without providing compensation.
However, facing repeated opposition from the House of Commons and the risk that the bill might have collapsed entirely, the House of Lords agreed to a compromise position. The final iteration requires the Government to report on its review of AI and copyright within six months of Royal Assent, including possible enforcement mechanisms for both UK and overseas AI models. Read more about the Government's AI and copyright consultation in our Spring 2025 edition of Snapshots.
Why is this important?
Despite its long and sometimes contentious journey through Parliament, the DUAA marks a shift in the UK’s data protection landscape. By expanding smart data use, simplifying compliance, and modernising digital verification, it is hoped that the DUAA will reduce administrative burdens for businesses while fostering innovation and economic growth. Despite unresolved concerns over AI and copyright protections, the DUAA provides some clarity regarding legitimate interests, automated decision-making, and international data transfers. These changes are not intended to cause the UK to depart too far from the EU GDPR so as to preserve UK adequacy.
Any practical tips?
Although it is unlikely businesses will be required to make significant changes to their processes as a result of the DUAA, current data processing activities should be reviewed to ensure compliance with the new rules, with a particular emphasis on policies concerning automated decision making, legitimate interests and data subject access rights. As ever, early preparation will minimise disruption and is likely to ensure more comprehensive regulatory alignment.
| Topic | DUAA key amendment | Practical impact |
| --- | --- | --- |
| Legitimate interests | New "recognised legitimate interests" which do not require the balancing test | Need for LIAs removed for this new list of cases, ie direct marketing, intra-group transmissions and IT security |
| Automated decision-making | A more permissive framework for automated decisions with legal/significant effects | More business flexibility, but mandatory safeguards remain, such as the provision of information, the right to challenge and human intervention. Restrictions on special category data also remain |
| Research and statistics | Definition expanded to include commercial research, plus broader consent for "areas of research" allowed | More flexibility for data-driven innovation |
| Adequacy/international data transfers | A new "not materially lower" test replaces the previous "essentially equivalent" test for third country protections. UK adequacy decision temporarily extended to 27 December 2025 | Greater flexibility over international data transfers |
| Subject access requests (DSARs) | Searches now only "reasonable and proportionate", plus a 'stop the clock' allowance where more information is required from the requester | A reduced burden on businesses, especially for complex DSARs. Immediate effect from Royal Assent, backdated to 1 January 2024 |
| Children's data | Enhanced protection for children's data by elevating the importance of age-appropriate design and data protection by default for services targeting or likely to be accessed by children | Express legal duty on businesses to embed privacy by design for child-facing services |
| Mandatory complaint procedures | Organisations must implement formal complaint-handling procedures | Enhanced accountability for businesses and requirements for timely acknowledgment and resolution |