The Data (Use and Access) Bill has today received Royal Assent, completing its journey through Parliament. In this update, we look at the key features of the Data (Use and Access) Act 2025 and what it means for UK data protection and ePrivacy laws, together with new rules on smart data and digital verification services in the UK.

What does the Data (Use and Access) Act do?

The DUA Act covers a number of different areas, including:

  • Amendments to UK data protection and ePrivacy laws
  • A framework under which the Government can create Smart Data schemes in different sectors
  • A new framework for digital verification schemes, enabling people to verify their identity electronically

We cover these in more detail below.  The DUA Act also puts the national underground asset register (for pipes and cables in England, Wales and Northern Ireland) on a statutory footing and makes changes to the register of births, deaths and marriages in England and Wales.

Updates to UK data protection laws

The DUA Act makes a number of changes to UK GDPR and the Data Protection Act 2018, including:

  • Research - the DUA Act makes clarifications and amendments in relation to the collection of consent and the processing of personal data for research purposes, including the inclusion of "any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity." This can include processing for the purposes of technological development or demonstration, fundamental research or applied research, where those activities can reasonably be described as "scientific." This potentially opens the door to far greater use of the research condition. Historical research is also amended to expressly include genealogical research.
  • Purpose limitation - the purpose limitation is extended to say that scientific research or historical research is a purpose compatible with the original purpose.
  • Legitimate interests - the DUA Act "whitelists" certain activities as legitimate interests, eliminating the need for a controller to carry out a legitimate interests assessment. These include direct marketing, intra-group transfers of personal data for administrative purposes, network security and disclosure to someone carrying out a task in the public interest.
  • Public task - the DUA Act clarifies that the public task condition applies only to a task carried out in the public interest by the controller. Organisations cannot rely on a public task performed by a third party to share data with that third party (but that is now a whitelisted legitimate interest).
  • Data Subject requests - the DUA Act formalises the position set out in the ICO's guidance, expressly stating that controllers need only carry out reasonable and proportionate requests and that controllers can wait until they have verified the identity of the requestor before the time period for responding commences.
  • Automated decision making - the general prohibition in Article 22 in relation to automated decision making will apply only where the processing relies on special category data. This substantially narrows the scope of the current Article 22 in UK GDPR. For example, AI decisions based on financial information or sex or gender will not be subject to Article 22. The DUA Act does, however, give the Secretary of State powers to make new regulations in relation to automated decision making.
  • International transfers - the DUA Act introduces a risk based approach to assessing adequacy. The key test is whether the standard of protection is "materially lower than the standard of protection provided" in the UK (the "data protection test"). Controllers and processors must also consider the data protection test in relation to appropriate safeguards. The ICO's transfer risk assessment process is codified under the DUA Act.
  • Complaints - the DUA Act introduces new rules in relation to the processes that controllers must adopt when handling complaints. Data subjects must complain directly to the controller before going to the ICO. Controllers must have a complaints process, such as an electronic form, and must acknowledge complaints within 30 days.

The DUA Act also makes some changes to Parts 3 (Law Enforcement Processing) and 4 (Intelligence Services Processing) of the Data Protection Act 2018.

Lastly, the DUA Act will reform the Information Commissioner's Office. The ICO will become the Information Commission,  a statutory body corporate. The role of the current Information Commissioner will transition to the role of chair of the Information Commission. 

As we noted in our summary of the DUA Bill when it was introduced to Parliament in October 2024, the reforms are much less extensive than those set out in the previous Government's Data Protection and Digital Information Bill, which would have made substantial changes to the accountability framework in the UK. 

While the European Commission has extended the EU's adequacy decision in respect of the UK for six months pending the DUA Act being passed by Parliament, the removal of the DPDIB's more radical reforms to UK data protection law should make renewal of the adequacy decision more straightforward.

What does the DUA Act mean for AI?

The changes to the definition of research, the purpose limitation and narrowing the restrictions on the use of automated decision making create divergence between UK data protection law and EU data protection law. 

Together, these amendments may provide a more flexible environment in the UK for the development and deployment of AI. This is particularly so given that, unlike the EU, the UK has so far not introduced specific legislation in relation to AI systems. While UK businesses deploying AI systems in the EU will still need to comply with the EU AI Act, the DUA Act may make the UK a more attractive place to invest in and develop AI technology.

Multinational businesses will also need to ensure that their internal guardrails and policies for AI development and deployment recognise the different approaches that are now being taken in the UK and the EU.

What about the rules on ePrivacy?

In addition to amendments to data protection law, the DUA Act also makes some amendments to ePrivacy laws, including:

  • Extending the soft opt-in to charities for electronic marketing that is for the purpose of furthering a charitable objective of the charity
  • Amendments to the rules on cookies and tracking technologies, exempting cookies used for collecting statistical data (analytics) or website optimisation or preferences from the requirement to obtain prior consent. However, in order to rely upon this exemption users must be provided with "clear and comprehensive" information and have a "simple" and "free of charge" means of objecting, meaning that cookie pop-ups will likely still be necessary.
  • Aligning the maximum fines under the Privacy and Electronic Communications Regulations with those under UK GDPR

Smart Data

Part 1 of the DUA Act creates a new framework for smart data schemes. The rules on smart data schemes expand on the principles of Open Banking within the financial services sector and are intended to enable new schemes that allow consumers and businesses to permit third parties to access their data. 

Customer data can include information about goods, services and digital content supplied, information about prices or terms on which supplies are made, information on customer usage, and information on performance or quality of goods, services and digital content.

Business data is similar, covering information about goods, services and digital content supplied by a trader, where the goods, services and digital content are supplied, information about prices or terms on which supplies are made, information about how they are used and performance or quality, and information relating to feedback.

Smart data schemes should enable the development of innovative products and services and promote competition. Under the schemes, obligations will apply to traders that supply goods, services and digital content, whether paid for or free. While compliance will create opportunities, for affected traders there may need to be substantial investment in IT and systems to enable data sharing.

This part of the DUA Act enables rules to be created using secondary legislation, so we will need to wait until those regulations are published to see how they will work in practice.  The Government has identified the energy sector as a primary target, addressing issues such as energy consumption for price comparison and carbon reporting for companies.

Digital Verification Services

Finally, the DUA Act will also reform the rules in the UK governing digital verification services, such as electronic signatures and eID. Under this part of the DUA Act, the Government will publish a new trust framework setting out the rules for digital verification services in the UK. DVS providers will be able to be certified against the trust framework and be included on a statutory register of certified providers.

This part of the DUA Act also enables information gateways between DVS providers and public authorities and the ability for the Government to make regulations permitting the use of registered DVS providers for right to work or right to rent checks. The use of DVS should help to reduce the volume of personal data that businesses and other organisations need to collect, in turn reducing risk for businesses and individuals.

When will the Data (Use and Access) Act come into force?

While some provisions came into force upon Royal Assent, we do not yet have a timetable for the main sections of the DUA Act coming into force. Watch this space for further updates.

In the meantime, the ICO has published an update to its plans for new and updated guidance to take into account the DUA Act.

Where can I find the DUA Act?

Access the Data (Use and Access) Act 2025 on the legislation.gov.uk website.

Preparing for the DUA Act

Organisations should not need to make any substantial changes to their data protection compliance frameworks to prepare for the DUA Act coming into force. However, organisations should familiarise themselves with the changes to ensure that their practices will comply with data protection law and they are able to take advantage of the clarifications and amendments.

Businesses and other organisations that are involved in research or the development or deployment of AI should look at how the DUA Act will change the rules on research and automated decision-making and potentially facilitate greater innovation and use of AI across all organisations.

Charities and third sector organisations should start thinking now about how they should prepare for the extension of the soft opt-in and how they can utilise that in their electronic marketing.

If you would like to discuss the DUA Act, please contact Martin Sloan or Grant Campbell.
