On 19 June 2025 the Data (Use and Access) Act (the "DUA Act") received Royal Assent and became law in the UK, having been passed by the UK Parliament on 11 June 2025.
In these articles we discuss how the DUA Act principally reforms the General Data Protection Regulation in the UK (the "UK GDPR") and the Privacy and Electronic Communications Regulations 2003 ("PECR"). PECR is the law in the UK that governs the use of cookies and other online tracking technologies, as well as the rules on electronic marketing communications.
Additionally, the articles discuss the current position in the UK on copyright issues related to generative AI.
Reform of the GDPR in the UK
On 19 June 2025 the Data (Use and Access) Act (the "DUA Act") received Royal Assent and became law in the UK, having been passed by the UK Parliament on 11 June 2025. The DUA Act principally reforms the General Data Protection Regulation in the UK (the "UK GDPR") and the Privacy and Electronic Communications Regulations 2003 ("PECR"). It aims to streamline and modernise the UK's data protection framework. This article focuses on the changes that the DUA Act makes to the UK GDPR. See our article on the changes the DUA Act makes to PECR.
CHANGES TO LAWFUL BASES FOR PROCESSING
- The DUA Act introduces a non-exhaustive list of processing activities that can constitute a legitimate interest for processing personal data under Article 6(1)(f) UK GDPR.
- These bases are named "recognised legitimate interests" and are contained as a new Article 6(1)(ea) in the UK GDPR. For companies processing under these bases, there will no longer be a requirement to carry out a Legitimate Interest Assessment ("LIA"), which is a lighter form of a data protection impact assessment that has to be carried out when relying on the legitimate interests legal ground to process personal data in the UK.
- The list of new lawful bases includes: safeguarding national security; protecting public security and defence; responding to an emergency; investigating crime; and safeguarding vulnerable individuals.
- The expansion of processing activities that constitute legitimate interests might be relied upon by a broad range of industries, such as financial services firms combatting or investigating financial crime as well as social media and other businesses operating online in relation to safeguarding individuals from online harm and retail companies in relation to security.
- Additionally, the DUA Act sets out a list of processing activities that "may" be carried out under the existing legitimate interests lawful basis. These activities include direct marketing; sharing data within groups of companies for internal administrative purposes; and ensuring the security of network and information systems. An LIA is still required for processing personal data for these purposes. Nonetheless, with respect to direct marketing to consumers, it remains best practice for businesses to seek consent before carrying out those activities, in light of previous European Data Protection Board guidance on direct marketing.
INTERNATIONAL DATA TRANSFERS
- The DUA Act introduces a change to the UK's data transfer regime, as it amends Article 45 of the UK GDPR so that the UK's adequacy framework comprises transfers "approved by regulations", as opposed to "transfers on the basis of an adequacy decision". Under the new standard, the Secretary of State will determine whether the destination country's standard of data protection is "not materially lower" than the standard in the UK. This marks a slight loosening of the standard that has to be met in order for transfers from the UK to receive an adequacy assessment, which previously required that the destination country offer "essentially equivalent" protections.
- The effect of this change is unclear. Previous UK governments discussed that the DUA Act could enable transfers of data from the UK to a greater range of countries, such as the USA and India, which have less stringent data protection standards than the UK. However, there is no indication that the current government will use the DUA Act to permit data transfers to jurisdictions with notably lower data protection frameworks than the UK, although the effect of this change remains to be seen.
- In terms of transfers to the UK from the EU, the EU's adequacy decision for the UK is subject to renewal on 27 December 2025 and the European Commission will consider the changes the DUA Act makes to UK data protection law when assessing whether the UK has an adequate data privacy framework.
PURPOSE LIMITATION
- The DUA Act potentially loosens the purpose limitation principle under the UK GDPR. The new Article 8A outlines the conditions where further (i.e. different) processing is compatible with the original purpose of processing for which personal data were collected (and practically speaking, it may not be necessary to identify a new legal basis or provide a privacy notice to the data subject to conduct the further processing).
- The conditions include: where the data subject has given fresh consent to the new purpose; where the processing is for scientific or historical research; where archiving is in the public interest; or where the processing is for any of the purposes specified in Annex 2. As with Article 6(1)(ea) UK GDPR, the Secretary of State may add, vary, or omit provisions to Annex 2.
AUTOMATED DECISION MAKING ("ADM")
- The DUA Act relaxes the restrictions on the use of ADM under Article 22 of the UK GDPR. The DUA Act sets out that significant decisions based entirely or partly on processing special categories of data may not be taken based solely on automated processing. In addition, the DUA Act outlines that a decision based on ADM is one with no meaningful human involvement.
- This marks a divergence from the EU GDPR, as ADM relating to personal data that is not classed as special category data is, under the DUA Act, no longer subject to restrictions on processing, such as the right of the individual to contest the ADM.
SCIENTIFIC RESEARCH
- The DUA Act broadens the definition of scientific research to encompass any research that can “reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”. This expands the list of exemptions for processing of special category data under the UK GDPR to include privately funded and commercial research. The amendment gives companies greater flexibility when conducting scientific research.
DATA SUBJECT ACCESS REQUESTS ("DSARS")
- The DUA Act amends the time period for controllers to respond to DSARs, to bring the UK GDPR in line with current ICO guidance. Controllers can extend the initial one-month period for responding to a DSAR by a further two months where this is deemed necessary due to the complexity or number of requests.
- The DUA Act also clarifies controllers' obligations related to DSARs. Controllers need only to conduct a "reasonable and proportionate" search in response to a DSAR. However, the DUA Act does not provide further guidance as to what constitutes a "reasonable and proportionate" search.
- The DUA Act also provides that when organisations withhold information in response to a DSAR based on legal professional privilege or client confidentiality, they must inform the data subject of the specific exemption being applied and the reason for applying it. Data subjects will also have a right to request that the ICO review how these exemptions have been applied to their case.
CHANGES TO THE STRUCTURE OF THE ICO
- The DUA Act restructures the ICO, which will be known as the Information Commission.
- The DUA Act replaces the role of the Information Commissioner with a Chair and a board of directors consisting of executive and non-executive members.
COMMENT
The DUA Act makes significant amendments to the UK GDPR, largely clarifying obligations under the UK GDPR and aligning data protection law with existing guidance. The main changes relate to the inclusion of the "recognised legitimate interests" regime, which presents businesses with a list of new bases to rely on for personal data processing, and the amendment to the UK's data transfer regime, which has the potential to lower the standard for international data transfers. The thrust of the DUA Act is to make it easier for businesses operating within the UK to process personal data, and it aligns with the broader pattern across Europe of loosening regulations on business to foster more innovation and flexibility, most notably the EU's Omnibus Packages. Following the enactment of the DUA Act, businesses should review their current practices and policies in line with the changes.
PECR Reform: Rules relating to Electronic Marketing and Cookies in the UK
On 19 June 2025 the Data (Use and Access) Act (the "DUA Act") received Royal Assent and became law in the UK, having been passed by the UK Parliament on 11 June 2025. The DUA Act principally reforms the General Data Protection Regulation in the UK (the "UK GDPR") and the Privacy and Electronic Communications Regulations 2003 ("PECR"). This article focuses on the changes that the DUA Act makes to PECR, the laws in the UK that govern the use of cookies and other online tracking technologies, as well as the rules on electronic marketing communications. See our article on the changes the DUA Act makes to UK GDPR.
INCREASED FINES
- The DUA Act increases the maximum fine under PECR to bring the maximum fine in line with the UK GDPR.
- The maximum fine is raised from £500,000 to £17.5 million or 4% of annual global turnover.
- This is significant as it signals that the ICO is taking PECR compliance seriously and echoes the ICO's statement earlier this year outlining its intent to clamp down on cookie non-compliance.
SIMPLIFICATION OF COOKIE REQUIREMENTS
- The DUA Act removes the requirement for user consent to set certain non-essential cookies, including cookies used for collecting statistical data to improve services or websites; enhancing website appearance or performance; and providing emergency assistance.
- The DUA Act also includes a list of purposes for using cookies and similar tracking technologies which can be considered strictly necessary and so do not require consent, such as security and fraud detection.
- Importantly, the EU has not relaxed its cookie rules, and businesses subject to both the UK and the EU rules need to comply with both regimes.
BREACH NOTIFICATION TIMEFRAME
- The DUA Act amends the timeframe to notify the ICO of a personal data breach under PECR from "without undue delay" to within 72 hours of becoming aware of the breach.
- A personal data breach under PECR differs from a personal data breach under the UK GDPR. Under PECR, a personal data breach takes place whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation in connection with the provision of a public electronic communications service. There is no threshold for how serious the breach must be – all breaches must be notified.
- This amendment aligns the timeframe to notify the ICO of a personal data breach under PECR with the timeframe under the UK GDPR.
ADDITION OF THE DEFINITION OF DIRECT MARKETING
- The legal definition of direct marketing found in the Data Protection Act 2018 ("the communication (by whatever means) of advertising or marketing material which is directed to particular individuals") has been added to PECR and the UK GDPR.
- The addition of this definition creates consistency across key data protection legislation.
- The UK government had initially considered extending the PECR requirements to cover business-to-business (B2B) marketing, but has ultimately not implemented that proposal. This decision was influenced by concerns from businesses about the potential negative impact on the economy and marketing practices, as well as the potential for increased compliance burdens.
COMMENT
The DUA Act refines and clarifies PECR to bring it in line with other data protection legislation within the UK. The most significant changes relate to the easing of requirements related to cookies and other tracking technologies, and the notable increase in the maximum fines under PECR. Following the enactment of the DUA Act, businesses should review their cookies policies to ensure compliance with cookies law.
Copyright and Generative AI
On 19 June 2025 the Data (Use and Access) Act (the "DUA Act") received Royal Assent and became law in the UK, having been passed by the UK Parliament on 11 June 2025. The DUA Act principally reforms the General Data Protection Regulation in the UK (the "UK GDPR") and the Privacy and Electronic Communications Regulations 2003 ("PECR"). This article focuses on the current position in the UK on copyright issues related to generative AI. See our articles on the changes the DUA Act makes to UK GDPR and PECR.
Before the DUA Act was passed by the UK Parliament, it was subject to an extended back and forth between the two houses of Parliament in relation to the training of AI tools on copyright works. The House of Lords proposed an amended version of the DUA Act, which would have included a requirement intended to improve the position of copyright holders who are concerned that their works are being used to train AI models without their consent.
This amendment was proposed to address the concerns of content creators that had been raised during a separate, contentious debate about the UK government's consultation on AI and copyright at the end of 2024, in which the government proposed to expand the existing general text and data mining exception to copyright law and place a new burden on copyright owners to proactively opt out if they do not want their works to be used to train generative AI models. Many high-profile content creators were vocal in their opposition to the proposals made in that consultation, which closed in February 2025.
The House of Lords' amendment to the DUA Act would have required the UK Government to implement regulations requiring organisations that operate web crawlers and general purpose AI models to publish transparency statements in which they identify the tools they are using to crawl the internet and how intellectual property owners can contact them regarding the use of their works. This amendment could have made it easier for content creators to identify which works were being used to train AI models and potentially take action to preserve their rights.
The House of Commons rejected the amendment, arguing that the government is still considering the responses it received to its consultation on AI and copyright and that legislation should not be passed before that process has been completed. In addition, the UK government argued that the inclusion of transparency requirements for AI models in the DUA Act would overcomplicate the Act, and that such requirements therefore call for separate legislative action. The government's concerns were raised in the context of ongoing litigation in the UK High Court, the outcome of which will have significant ramifications for the use of copyright materials in AI model training. The Court's ruling is expected later this year.
Ultimately, the UK government agreed to do the following within nine months of the DUA Act receiving Royal Assent:
- Publish a report on the use of copyright works in the development of AI systems.
- Publish an economic assessment of the impact on copyright owners and on developers or users of AI systems of each option described by the government in the Copyright and AI Consultation Paper.
The government must give a progress statement on both of these in six months.
COMMENT
The training of generative AI models on works protected by copyright and other intellectual property rights is a hot topic globally. Ongoing litigation in the courts and debates about regulatory reform in this area may affect the ultimate position adopted on this issue in the UK and internationally.
The UK government's latest copyright and AI consultation aims to protect and strengthen both the creative and AI sector. It is expected that the AI copyright report, economic assessment and government proposals will be published in Spring 2026 and any new draft AI copyright laws could be passed by Parliament by late 2026.