The Data Shift: UK Sets a New Course With 2025 Data (Use and Access) Act

Goodwin
The Data (Use and Access) Bill passed both Houses of the UK Parliament and received Royal Assent on 19 June 2025, becoming the Data (Use and Access) Act 2025 (“DUA Act”). It is the final iteration of the Data Protection and Digital Information (No. 2) Bill previously presented to Parliament (see here).

Below, we have summarised some of the key elements of the DUA Act. 

Key Elements of the DUA Act

1. Recognised Legitimate Interests

The DUA Act introduces new lawful bases for certain data processing which fall under “recognised legitimate interests”. Traditionally, establishing a legitimate interest requires applying a three-part test:

  1. Purpose Test: Identifying the legitimate purpose for processing personal data.
  2. Necessity Test: Assessing whether the processing is necessary to achieve that purpose.
  3. Balancing Test: Weighing the legitimate interest against the individual’s rights and expectations regarding the use of their data.

The DUA Act introduces six new lawful bases for processing personal data that are automatically recognised as legitimate interests. In these cases, the three-part test does not need to be applied. These purposes include:

  • Safeguarding national security, protecting public security or for defence;
  • The detection, investigation or prevention of crime, or the apprehension and prosecution of offenders;
  • Safeguarding vulnerable individuals under 18 or at risk from neglect or physical, mental or emotional harm and protecting the well-being of such individuals;
  • Responding to emergencies; and
  • Processing for the purposes of making a disclosure of personal data to another person for the performance of a task in the public interest.

2. E-Privacy (Cookies & Marketing)

The DUA Act (i) aligns PECR enforcement with UK GDPR penalties; (ii) expands the exceptions for cookies; and (iii) introduces a soft opt-in for charities.

(i) Use of cookies is governed by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). The DUA Act strengthens PECR enforcement by aligning its penalty regime with the UK GDPR. Specifically, the maximum fine for cookie-related non-compliance has increased to the greater of £17.5 million or 4% of an organisation’s total annual worldwide turnover (a significant increase from the previous cap of £500,000 under PECR).

(ii) Despite the stricter enforcement stance, the DUA Act introduces more flexibility around consent. Explicit consent is no longer required for non-essential, low-risk cookies – for example, certain analytics and functionality cookies – provided users are given clear and sufficient information about their use and are offered a simple opt-out mechanism.

(iii) The DUA Act introduces specific soft opt-in rules for charities, allowing them to send marketing messages to their supporters without prior explicit consent.

3. Data Subject Access Requests (“DSARs”)

The DUA Act clarifies DSAR obligations. Prior to the DUA Act, the UK Information Commissioner’s Office (“ICO”, which will be rebranded the Information Commission under the DUA Act) provided guidance on how businesses should handle DSARs.

The DUA Act codifies this guidance into law, and the provision will be treated as having come into force on 1 January 2024. The guidance clarifies that controllers are only required to carry out reasonable and proportionate searches, taking into account the circumstances of the request, any difficulties involved in finding the information, and the individual’s right of access to their personal data.

Further, the DUA Act introduces a ‘stop the clock’ provision, which allows businesses to ask individuals to verify their identity or clarify the nature of their DSAR before carrying out a data search. The time taken for such clarification does not count towards the period within which an organisation must comply with the DSAR.

4. Definition of Scientific Research

Under the existing UK GDPR framework, special category personal data may be processed for scientific research purposes, provided that appropriate consent is obtained. 

The DUA Act broadens the definition of “scientific research” to explicitly include both private and commercial research activities. The DUA Act also introduces the concept of “broad consent”, allowing individuals to consent to the use of their personal data for a general area of scientific research, even if the specific purposes cannot be fully identified at the time consent is obtained. This means, provided appropriate safeguards are maintained, further processing of personal data for compatible research purposes may proceed without requiring new consent. 

Additionally, the DUA Act permits organisations to reuse personal data for scientific research without issuing a new privacy notice, if doing so would involve disproportionate effort, so long as transparency is maintained through other means, such as publishing notices online.

5. Adequacy Standard for International Data Transfers

The DUA Act simplifies the requirements for international data transfers, allowing a more flexible, risk-based approach to adequacy assessments. Specifically, it allows the UK government to recognise third countries, territories or sectors as providing adequate protection for personal data, provided the overall level of protection is assessed as essentially equivalent. This shift aims to streamline cross-border data flows while maintaining high standards of data protection.

These amendments are designed to support the UK’s ongoing EU adequacy status, which was originally set to expire on 27 June 2025 but has since been extended to 27 December 2025 to allow the EU time to assess the impact of the DUA Act on the UK’s data protection regime. 

6. ICO Reform

The DUA Act establishes a new framework for the ICO, including stronger audit, reporting and enforcement powers. These include the ability to issue notices with extraterritorial effect, enhancing its global regulatory reach.

Additionally, under the DUA Act, organisations are mandated to implement accessible complaints procedures, such as an online form, and respond to complaints raised within 30 days. 

Other aspects of the DUA Act

Other reforms within the DUA Act include:

  • The removal of the requirement under Article 21(2) UK GDPR for a qualifying lawful basis to be established before automated decision-making is conducted, except where special category data is involved; and
  • The right of the Secretary of State to designate new special categories of data.

Matters left out of the DUA Act

Regulatory burdens on SMEs

The original DUA Bill proposed easing regulatory burdens on small and medium-sized enterprises, including exemptions from maintaining records of processing, conducting data protection impact assessments, and appointing a Data Protection Officer. However, these provisions were excluded from the final version of the DUA Act.

AI regulation

Separately, in the course of the debates over the DUA Act, the House of Lords sought to introduce amendments to the DUA Bill setting out transparency requirements for businesses training artificial intelligence (“AI”) models, especially in relation to the use of copyrighted material in training. These amendments were rejected on the basis that the matter would be handled in other bills, although Parliament has signalled its intention to consider it under the DUA Act by requiring a progress statement on the publication of an economic impact assessment and a report on the use of copyright works in the development of AI systems. Given that the EU’s General-Purpose AI Code of Practice, governing the training and transparency obligations of AI models, is set to become effective in August 2025, and given the UK’s introduction of the Artificial Intelligence (Regulation) Bill in March 2025, further legislative developments on AI transparency and copyright are expected.

The DUA Act marks a significant evolution in the UK’s data protection landscape, introducing pragmatic reforms aimed at balancing regulatory clarity with operational flexibility. By codifying recognised legitimate interests, reforming cookie consent requirements and streamlining DSAR procedures, the Act provides organisations with clearer guidance while enhancing enforcement mechanisms. The deferral of AI-related provisions highlights areas where further legislative attention is anticipated. As the UK continues to refine its post-Brexit data governance framework, businesses should remain vigilant and proactive in adapting to these changes.

Conclusion

The DUA Act marks a shift in the UK’s approach to data protection, aiming to balance privacy rights with innovation and regulatory flexibility. It streamlines compliance for organisations by introducing clearer rules for DSARs, expanding permissible uses of data without explicit consent in contexts such as research and safeguarding, and creating more flexible legal bases for processing (e.g., “recognised legitimate interests”). These reforms are particularly beneficial for sectors such as health and AI, enabling broader reuse of data. The DUA Act also relaxes restrictions on low-risk cookie use, which will be welcome news for many UK websites.

At the same time, the DUA Act restructures the UK’s ICO, enhancing its audit and enforcement capabilities. While the government claims the reforms maintain the UK’s adequacy with the EU, others are more sceptical and fear that the new legislation risks weakening accountability and eroding data subjects’ rights over time. 

Overall, the DUA Act positions the UK as a leader in pragmatic, innovation-friendly data regulation, though its success will depend on how it is applied in practice.

We would like to thank Claire Li for her contribution to this alert.
