It's here! Data (Use and Access) Act 2025

The UK’s data protection regime is changing!

The Data (Use and Access) Act 2025 (DUA Act) received Royal Assent on 19 June, whilst I was delivering data protection training. It isn’t uncommon for the law to change whilst I am delivering training on the topic, though usually it’s because some new international data transfer issue has arisen.

UK data protection reforms have been in the pipeline for several years now (since Brexit). We had “Data: A New Direction” (Government consultation paper in 2021), the Data Protection and Digital Information Bill (in 2022), the Data Protection and Digital Information (No. 2) Bill (in 2023, which was re-named without the “No.2” a few months later), the announcement of the Digital Information and Smart Data Bill in the King’s Speech (in July 2024). And then finally the Data (Use and Access) Bill arrived a few months later.

The DUA Act amends existing data protection law and the privacy and electronic communications rules (under the UK GDPR, the UK DPA 2018 and PECR). It also introduces new data-related laws, notably on data portability for business and customer data (Smart Data) and on a trust framework for verifying information about individuals online (digital verification services, for example to prove identity). There were also hotly debated attempts by the House of Lords to address copyright and AI issues in the DUA Act; these provisions were heavily watered down prior to finalisation.

Some proposed data protection changes have stuck throughout the process

Some changes were proposed in the original consultation paper, and have stuck it out through the different Bill iterations. These include a new lawful basis of “recognised legitimate interest” for use of personal data and changes to the rules on automated decision-making.

See my summary table below for more details of the changes which have carried through to the final DUA Act.

Some proposed changes have come and gone

The consultation paper suggested re-introducing the ability to charge a fee for the exercise of data subject rights, but this didn’t materialise in the Bills. DPDI was to change the “manifestly unfounded or excessive” exemption to “vexatious or excessive”, and to scrap DPOs and DPIAs (though replacing them with “assessments of high risk processing” and a “senior responsible individual”). These fell away with the DUA Bill.

There was also proposed wording for the DUA Bill to raise the upper age at which parental consent is needed for offering online services (under Article 8 UK GDPR) from 13 to 16. This carried across from yet another separate Bill proposed by MP Josh MacAlister – the Protection of Children (Digital Safety and Data Protection) Bill. It did not make it through to the final DUA Act.

New changes have popped up or re-appeared

Some changes have popped up along the way, or disappeared and then re-appeared later.

The qualification that a search for data in response to subject access request should be “reasonable and proportionate” was snuck in by the House of Lords during the progress of DPDI, and has remained in the DUA Act.

DPDI 2 proposed to expand the scope of the “soft opt-in” rules under PECR, such that non-commercial organisations could use them to send marketing emails or SMSs relating to their non-commercial objectives. This wasn’t initially carried across to the DUA Bill. However, the final DUA Act re-includes this for charities.

See my summary table below for more details of the changes which made it through to the final DUA Act.

The final ping pong: AI and copyright

The focus of this article was going to be data protection, but this is such an interesting area, too!

The final ping pong in the passage of the Bill between the House of Commons and the House of Lords related to copyright concerns in the use of works to train AI. Proposed amendments went back and forth; the Lords proposing controls around transparency and compliance with copyright law, and the House of Commons rejecting these. Did anyone else have fun reading the transcripts of the messages between the two Houses? The Minister for Data Protection and Telecoms quoted Macbeth (“When shall we three meet again…”) and the shadow Minister referred to the film Groundhog Day.

The heavily watered-down provisions which appear in the final DUA Act require the Government to carry out an economic impact assessment and a report on the use of copyright works in the development of AI systems, in consideration of the policy options in the AI and Copyright consultation paper (from December 2024). One such option (which was strongly opposed by creative industries), was to allow AI developers to train on material to which they have lawful access, but only where rights holders have not expressly reserved their rights.

Also on this topic, the trial to determine liability in the High Court case Getty Images v Stability AI kicked off this month (June 2025). Getty Images claimed that Stability AI has been infringing its copyright (and the copyright of its licensors) by using images without authorisation to train its generative AI model, Stable Diffusion. Reportedly, key copyright claims have since been dropped (partly on a jurisdictional point). The legal uncertainty on this issue therefore continues.

When do these changes take effect?

Some changes happened immediately; notably the “reasonable and proportionate” search for personal data in response to a subject access request. These provisions are to be treated as having come into force on 1 January 2024 (so presumably would apply in relation to any disputes since this date).

Other provisions come into force in two months’ time. These include updates to the meaning of “consent” for law enforcement processing under the DPA 2018 (reflecting the existing meaning of consent under the UK GDPR).

We await commencement regulations for other provisions.

Summary of key changes

As you can see, it has been a fun ride tracking the progress of the data protection reforms.

Here’s my summary of some key changes to data protection and PECR rules that made it through to the DUA Act 2025.

TOPIC: DUA Act amendment to UK GDPR / DPA 2018 / PECR

“Recognised legitimate interest” lawful basis for processing

(Article 6 UK GDPR)

In addition to the existing six lawful bases, there will be a new one (Article 6(1)(ea)):

“processing is necessary for the purposes of a recognised legitimate interest”.

A new Annex 1 to the UK GDPR contains a list of such recognised legitimate interests including:

  • where a controller receives a request to disclose data to a person who needs the data for carrying out a public task (generally a public body);
  • where the processing is necessary for responding to an emergency;
  • where the processing is necessary for detecting, investigating or preventing crime; or
  • where the processing is necessary for safeguarding a vulnerable individual.

The importance of this new lawful basis is that no balancing test is required as it is with the existing “legitimate interests” lawful basis under Article 6(1)(f). However, the controller will still need to assess necessity, which means that the use of data must be a targeted and proportionate way to achieve the goals.

Legitimate interests lawful basis for processing

(Article 6 UK GDPR)

There is a new list of examples of the types of processing that may be necessary for the purpose of a legitimate interest under the existing lawful basis 6(1)(f) (reflecting existing Recitals 46, 47 and 49 of the UK GDPR):
  • processing that is necessary for the purposes of direct marketing;
  • intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes; and
  • processing that is necessary for the purposes of ensuring the security of network and information systems.

Public task lawful basis for processing

(Article 6 UK GDPR)

Where the lawful basis for processing of personal data is that it is necessary for a task in the public interest or exercise of official authority, a new provision provides that this basis must be laid down by domestic (UK) law or relevant international law. Previously, this referred just to domestic law.

Similar amendments are made in relation to the conditions for processing special categories of data.

A new section 9A DPA 2018 is introduced to clarify what is meant by “relevant international law”.

Compatible purposes of processing

(Article 5(1)(b) UK GDPR)

There are new provisions on how to determine whether processing of personal data for a new purpose (other than that for which it was collected) is compatible with the original purpose.

Processing is treated as compatible if the data subject consents or if the processing is for scientific or historical research, archiving or statistical purposes (similar to provisions under existing law, but moved around).

In addition, there is a new Annex 2 to the UK GDPR which lists purposes of data processing which are considered ‘compatible’ with the purposes of collection of personal data.

These include:

  • where a controller receives a request to disclose data to a public body which needs it to carry out a public task;
  • where the processing is necessary for safeguarding a vulnerable individual;
  • where the processing is necessary to respond to an emergency;
  • where the processing is necessary to detect, investigate or prevent crime; or
  • where the processing is necessary to comply with a legal obligation.

There is also a new clarification that processing is not lawful by virtue only of being processed in a manner compatible with the purpose of collection. A lawful basis, for example, still needs to be identified.

Clarifying subject access requests and searching for data

(Articles 12 and 15 UK GDPR)

A new Article 12A UK GDPR allows controllers to clarify a subject access request “where the controller reasonably requires further information to identify the information or processing activities to which a request…relates”.

This expands the current “large quantities of data” rule (in Recital 63), as holding a large amount of data is now just an example of when clarification may be sought.

An equivalent provision is introduced in section 54 DPA 2018, relating to law enforcement processing.

Searching for personal data in response to a subject access request

(Article 15 UK GDPR)

Article 15 of the UK GDPR is amended such that, in addressing a subject access request, the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a “reasonable and proportionate” search for the personal data and other information.

An equivalent amendment is made to sections 45 and 93 of the UK DPA 2018, in relation to law enforcement processing and intelligence services processing.

These changes reflect existing case law.

Timing of responding to requests from individuals

(Article 12 UK GDPR)

A new Article 12A UK GDPR confirms the time periods for responding to requests from data subjects to exercise their rights. This mainly reflects existing law and guidance on the issue, including:
  • the one-month time period starts when the request is received, or when confirmation of identity or a fee (if applicable) has been received;
  • the one-month time period may be paused whilst clarity is sought for subject access requests (see above); and
  • the one-month time period may be extended by a further two months where necessary due to the complexity of the request or the number of requests.

For law enforcement and intelligence services processing under the DPA 2018, the DUA Act includes provisions to allow the timescale to be paused whilst clarifying, and extended for complex or numerous requests, which brings it more in line with the equivalent provisions under the UK GDPR.

Automated decision-making

(Article 22 UK GDPR)

Amendments are made to Article 22 of the UK GDPR, such that there are fewer restrictions on solely automated decision-making, though safeguards must still be in place.

The main restrictions will be on solely automated decisions based on special category data, or which rely on the new lawful basis of a “recognised legitimate interest” (as raised in the first row above), though safeguards must be in place for all solely automated (significant) decisions involving personal data.

The provisions only apply where the decision is a “significant decision” producing a legal effect or similarly significant effect for the individual. Regulations may specify situations which have (or do not have) a similarly significant effect.

In considering whether there is meaningful human involvement in a decision, a person must consider the extent to which a decision is reached by means of profiling (in other words automated processing to evaluate individuals). Regulations may be made to describe cases where there is (or isn’t) meaningful human involvement.

There are similar amendments to sections 49 and 50 of the DPA 2018, relating to law enforcement processing, with reference to “sensitive processing” rather than use of special categories of data.

Legal professional privilege exemption to SARs

(Law enforcement processing under the DPA 2018)

The DUA Act introduces an exemption to subject access requests for information protected by legal professional privilege (similar to the equivalent exemption for the right of access under the UK GDPR).
Information Commission and Information Commissioner

The Office of the Information Commissioner is to transform into the “Information Commission” (a new body corporate), and the Information Commissioner’s role will transition to “chair of the Information Commission”.

This change will update the governance structure of the ICO. There are also some updates to some duties, functions and powers of the ICO.

Complaints to the controller

(New section 164A DPA 2018)

A new section 164A of the DPA 2018 will allow a data subject to make a complaint to the controller if they consider that there is a breach of the UK GDPR in relation to use of their personal data. The controller must facilitate the making of complaints, such as by providing a complaint form. The controller must acknowledge receipt of the complaint within 30 days and, without undue delay, take appropriate steps to respond and inform the complainant of the outcome.

Whilst having a complaints procedure is already good practice, this new section introduces a statutory obligation for a complaints procedure.

Information about the right to make a complaint must be included within privacy notices, and in response to subject access requests.

International Data Transfers

(Chapter V UK GDPR)

Schedules 7 to 9 to the DUA Act contain lots of stuff on international data transfers (IDT).

One aim is to enable the UK government to take a risk-based approach to assessing adequacy of other countries. Under new Articles 45A and 46A, a new “data protection test” is introduced for the Government to assess whether a third country (a country outside the UK) provides adequate levels of data protection. The test is that the standard of protection for data subjects is “not materially lower” than in the UK.

The changes also embed the requirement for a transfer risk assessment when data exporters (controllers or processors) rely on safeguards (such as standard contractual clauses) to transfer data outside the UK. Again, the “data protection test” must be met, which requires that the standard of protection for the data subject is “not materially lower” than in the UK.

The data exporter must act “reasonably and proportionately” in determining whether the test is met. What is reasonable and proportionate takes into account the circumstances or likely circumstances of the transfer, including the nature and volume of personal data transferred. Note that these factors are already taken into account in the ICO’s existing guidance and template for transfer risk assessments.

Under a new Article 47A UK GDPR, the UK government may specify standard data protection clauses which are capable of securing that the data protection test is met in relation to transfers of personal data generally, or in relation to a particular type of transfer.

Court procedures for access to information

(New section 180A DPA 2018)

A new section 180A applies where a court is determining whether a data subject is entitled to information under their right of access or right to data portability. The court may require the controller to provide available information to the court for inspection.

However, the court may not require:

  • the information to be disclosed to the data subject (for example as part of the discovery process) unless it has been determined that they have a right of access to such information; nor
  • the controller to carry out a search that is more than a reasonable or proportionate search.

Direct marketing rules under PECR

(Paragraph 22 of PECR)

The “soft opt-in” provisions of the Privacy and Electronic Communications Regulations 2003 are extended so that they can be used by charities.

Under existing law, an organisation can use this soft opt-in as an alternative to seeking consent to sending direct marketing communications by email or SMS. These rules apply to the marketing of the organisation’s own goods or services, where contact details have been obtained in the course of previous sales (or negotiations to sell) goods or services to the recipient (and provided certain other conditions are satisfied). These rules therefore excluded organisations which do not sell goods or services, such as charities.

Under the new provision, a charity may rely on the soft opt-in where the sole purpose of the direct marketing is to further its charitable purposes, and it obtained the contact details of the recipient in the course of that recipient expressing an interest in those purposes, or offering to support them.

Cookies rules under PECR

(Paragraph 6 of PECR)

PECR is amended in relation to the use of cookies. More broadly, the requirements apply to storing information in the terminal equipment of a subscriber to or user of a service, which extends beyond cookies. However, cookies are talked about the most!

Under current law, consent to the use of cookies is required, other than where use is strictly necessary for provision of a service requested by the user.

A new Schedule A1, introduced by the DUA Act, sets out new circumstances where consent is not required, which were considered to present a low risk to people’s privacy. These include collecting data for statistical purposes, or adapting the appearance or functionality of a website. The user must be given a way to object to such uses.

Data protection by design – use of children’s data

(Article 25 UK GDPR)

A new provision amending Article 25 impacts data protection by design in relation to use of children’s data. In assessing appropriate measures for online services likely to be accessed by children, the controller must take into account children’s higher protection matters:
  • how children can best be protected and supported when using the services, and
  • the fact that children merit specific protection because they may be less aware of the risks and consequences in use of personal data and of their rights, and have different needs at different ages and at different stages of development.

Use of personal data for statistical, scientific or historical research purposes

(Article 89 UK GDPR)

The use of data for scientific or historical research or statistical purposes is an exception to many rules under the UK GDPR. These exceptions should not be overused, particularly as they limit the application of data subject rights. The DUA Act clarifies the meanings of “scientific research”, “historical research” and “statistical purposes”. A key clarification is that something can be scientific research whether carried out as a commercial or non-commercial activity.

The DUA Act also introduces new safeguards for processing of data for research purposes within a new Chapter 8A. These replace the existing safeguards under Article 89 UK GDPR. For example, safeguards are not satisfied if the processing is likely to cause substantial damage or distress to a data subject, or (in most cases) if decisions are made with respect to a data subject. The safeguards should include measures to respect the principle of data minimisation, including pseudonymisation.

Whew! That’s quite a lot!

The DUA Act is available here.

Olivia Whitcroft, principal of OBEP, 26 June 2025

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details