UK Adequacy Holds Firm Under New Data (Use and Access) Act 2025

Latham & Watkins LLP

The DUAA introduces several reforms to UK data protection law, but their implications are relatively limited in practice.

The Data (Use and Access) Act 2025 (the DUAA) was enacted on 19 June 2025 and amends rather than replaces the existing UK data protection regime. In particular, it introduces several targeted amendments to the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Certain of these amendments came into force on 19 June, though the majority will be brought into effect via secondary legislation within the next six to 12 months.

In parallel, the UK Information Commissioner’s Office (ICO) has released a raft of initial guidance on the DUAA and a timetable for updating its existing data protection guidance to reflect the DUAA amendments.

The DUAA is the culmination of a series of proposed reforms to the UK data protection landscape initiated by successive UK governments.

Learn about the proposals under the UK Data Protection and Digital Information (No. 2) Bill (DPDI) in this Latham blog post. Learn about the original proposals from 2022 in this Latham blog post.

The DUAA revived a number of the previous government’s proposals set out in the DPDI, though is less extensive overall in its amendments to UK data protection law.

The potential impact of the UK’s data protection reform on the EU-UK adequacy decision — which facilitates the free flow of personal data between the European Economic Area and the UK — has been the subject of considerable debate throughout the legislative process. Central to the discussion was whether the European Commission would renew the adequacy decision on its expiry in December 2025 in light of the revised UK framework.

On 22 July 2025, the Commission confirmed that it had commenced the renewal process for the UK adequacy decision, concluding that the UK continues to offer an adequate level of protection for personal data. Final approval of the renewal now rests with the European Data Protection Board, the EU Member States, and the European Parliament.

In addition to introducing specific data protection law amendments, the DUAA establishes frameworks for a new open data / data access regime and digital identity verification.

Key Amendments

Research

The DUAA broadens the definition of scientific research to encompass commercial research and technological developments, and allows individuals to provide consent to “areas of scientific research” (rather than consent for each specific data processing activity) under specific ethical conditions. These amendments essentially codify the UK GDPR recitals and are likely to be especially relevant for the life sciences, digital health, and AI industries, which may process special categories of data (e.g., health information, biometrics, information about race or sexual orientation) with individuals’ consent in a research and development context. It also introduces mechanisms for adding more categories of special category data via secondary legislation.

Recognised Legitimate Interests

The DUAA introduces a new legal basis for data processing based on a defined list of “recognised legitimate interests” that organisations can pursue without applying the balancing test required for the existing legitimate interests legal basis. The balancing test includes balancing the legitimate interests against the rights of the impacted individuals. Notably, the necessity test — which includes ensuring that the data processing is necessary to achieve the recognised legitimate interests — still applies.

These recognised legitimate interests include responding to UK government authority requests, national security, emergencies, crime prevention, and safeguarding vulnerable individuals. The DUAA also provides illustrative examples of processing activities that may constitute legitimate interests (as listed in the recitals to the UK GDPR) — including direct marketing, intra-group data sharing, and systems security — though the usual requirements of the legitimate interests legal basis (balancing test and necessity test) still apply.

Purpose Limitation / Compatibility Test

The DUAA restructures the rules around further processing of personal data and introduces a new list of further processing purposes that can be considered compatible with the original purpose, including compliance with a legal obligation, crime prevention, emergencies, and responding to UK government authority requests. This list of compatible processing purposes is not exhaustive (provided the original processing wasn’t based on consent),1 so controllers can still conduct their own compatibility assessments for any further processing. The DUAA does not amend the existing list of considerations for those compatibility assessments (e.g., the link between the original and the further processing, the potential implications for the individual, and any safeguards in place).

Automated Decision-Making (ADM)

The DUAA relaxes restrictions on automated decision-making which previously could only be carried out under specified legal bases (i.e., explicit consent, contractual necessity, and authorised by law). Processing personal data for ADM under Article 22 UK GDPR can now be carried out under any legal basis (other than the new recognised legitimate interests basis) subject to safeguards.

These safeguards are very similar to the existing Article 22 requirements and include human intervention, transparency, and enabling the impacted individual to make representations and contest the decision. Processing special category personal data for ADM purposes is still restricted and requires a specified legal basis (explicit consent; or substantial public interest and the decision being necessary for the performance of a contract or a legal obligation), in addition to the ADM safeguards.

Data Subject Rights

The DUAA introduces a new data subject right to complain to controllers, with corresponding obligations on organisations to acknowledge complaints within 30 days, investigate, and advise the individual on the outcome without undue delay. The DUAA also provides a statutory footing for certain aspects of the ICO’s existing data subject rights guidance, specifically:

  • Controllers are only required to carry out “reasonable and proportionate” searches for responsive personal data on receipt of a data subject access request (this amendment came into force on 19 June 2025).
  • The time period for responding to a data subject request starts only once the controller has received the request, any further information it has requested and reasonably needs in order to identify the relevant personal data, and/or any fee it has requested for a manifestly unfounded or excessive request.

International Data Transfers

The DUAA establishes a new data protection test for assessing the level of protection offered by third countries to personal data. The threshold has arguably been lowered in that the standard of protection of personal data should not be materially lower than the UK GDPR, rather than requiring the protection guaranteed by the UK GDPR not to be undermined. This data protection test applies to controllers when conducting transfer risk assessments (TRAs) — the DUAA also introduces an express requirement for TRAs — and to the government when assessing the adequacy of third countries for the purposes of adequacy arrangements.

Cookies and Tracking Technologies

The DUAA amends the current rules relating to cookies under PECR to allow the placement of non-strictly necessary cookies without consent for a limited number of purposes. These include collecting statistical information (subject to transparency and user opt-out), adapting the appearance or functionality of a website to meet user preferences (subject to transparency and user opt-out), and ascertaining user location if emergency assistance is requested.

The DUAA further amends PECR by extending the scope of the cookies rules to include those who “instigate” the storage of or access to information on devices in addition to those who place the cookies on users’ devices. Maximum fines for breaches of PECR are increased from £500,000 to the general UK GDPR levels.

Online Services

The DUAA introduces a number of changes specifically relevant to providers of online services:

  • Providers of online services likely to be accessed by children will be expressly required to consider the needs of children in data protection by design and default measures aligning with the ICO’s Age Appropriate Design Code.
  • Providers of services regulated by the Online Safety Act must retain information in connection with investigations into child deaths (on receipt of a binding retention notice from Ofcom); this amendment came into force on 19 July 2025.
  • Providers of online services featuring user content may need to amend content moderation processes to capture new sexually explicit deepfake offences.

ICO Structure and Powers

The DUAA replaces the ICO with a new corporate body, the Information Commission, and introduces a new interview power.

Practical Implications

Whilst the DUAA introduces several changes to the UK data protection regime, the implications in practice for organisations are limited, particularly for businesses relying on a GDPR base standard for their regional and/or global privacy compliance. Businesses preparing for the implementation of the DUAA in the coming months should focus on:

  • Updating data subject rights policies and processes and privacy notices to integrate the new data subject right of complaint and to clarify the “reasonable and proportionate” search obligation in relation to data subject access requests.
  • Identifying any gaps in TRA documentation and updating TRAs to reflect the new data protection test.
  • Reviewing existing ADM processing to ensure safeguards are adequate (the new safeguards requirements largely mirror existing requirements for ADM).
  • Reassessing existing risk-based approaches to cookies compliance in light of the somewhat relaxed cookie rules but significantly increased fines under PECR and ongoing ICO scrutiny in this area.

This blog post was prepared with the assistance of Britney Laryea in the London office of Latham & Watkins.


  1. If the original processing was based on consent, the DUAA exhaustively lists the further processing purposes that can be considered compatible with the original purpose. These include obtaining the data subject's consent to the new purpose and ensuring that the new purpose of processing is in the public interest. The controller cannot carry out its own compatibility assessment in this context.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Latham & Watkins LLP
