
After multiple attempts by successive governments over the last few years to bring about regulatory changes that would enhance and promote the use of data in the UK, an often heavily debated law has finally arrived in the form of the UK’s new Data (Use and Access) Act 2025 (“DUA Act”), which received Royal Assent on June 19, 2025. In this article, we provide an overview of key areas of change introduced by the DUA Act, which are subject to a phased implementation. While most provisions will require further secondary legislation by the Secretary of State to become effective, some have come into effect upon Royal Assent.
Artificial Intelligence
The ‘ping pong’ between the Houses of Parliament on what the DUA Act should say, if anything, regarding the interaction between AI innovation and copyright rules eventually ended with the two sides agreeing on a compromise. The House of Lords wanted to ensure that AI developers would be required to disclose to copyright holders details of how their information was used as training data for AI models. The amendments were rejected on the basis that the government wishes to first examine the outcome of the IPO’s Copyright and AI Consultation, which closed on February 25, 2025 (“Copyright Consultation”), and that, in its view, the DUA Act is not the appropriate vehicle for addressing AI-related concerns. Instead, the DUA Act requires the government to, within nine months of Royal Assent:
- Prepare an economic impact assessment in relation to the four policy options described in the Copyright Consultation which are summarized as follows: (i) leaving copyright law unchanged, (ii) requiring express copyright licensing in all cases meaning AI models may only be trained on copyright works if developers have an express license to do so, (iii) introducing a broad text and data mining (“TDM”) exception allowing data mining on copyright works including for commercial use with few restrictions, and (iv) introducing a TDM exception for training AI models on copyright works but subject to copyright holders being able to reserve their rights; and
- Prepare a report on the use of copyright works in the development of AI systems that discusses proposals for, among other things, technical measures for controlling use of copyright works, disclosure requirements by AI developers and the granting of licenses to AI developers to use copyright works.
The government must provide a progress statement on its efforts towards producing the above documents within six months of the DUA Act receiving Royal Assent.
Data Protection and e-Privacy Rules
While the DUA Act does not make substantial changes to the current data privacy regulatory framework, the below is a list of notable modifications to the UK GDPR and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) rules which will impact businesses in a range of sectors:
- Creating a new lawful basis known as “recognized legitimate interest” which sets out a prescribed list of purposes that do not require undertaking the traditional legitimate interest assessment.
- Introducing a list of “compatible” purposes to ease processing for scientific research purposes without the need for organizations to return to data subjects for consent to further processing.
- Allowing organizations acting as data controllers to ‘stop the clock’ on the time period that they have to respond to data subject access requests where they need more information from the individual.
- Enabling individuals to make complaints to data controllers directly regarding breach of their rights and requiring data controllers to acknowledge receipt within thirty days.
- Introducing a more flexible use of automated decision-making that results in “significant decisions” (except when processing special category personal data), to the extent certain safeguards are in place and there is “meaningful human involvement”, meaning that organizations can lawfully undertake such decision-making without having to rely on the individual’s prior explicit consent.
- Clarifying that the definition of “scientific research” includes both commercial and privately funded research.
- Specifying the “higher protection matters” that organizations must consider when processing in the course of providing online platforms that may be accessed by children.
- Lowering the threshold test in the context of cross-border data transfers, with the Secretary of State drawing up a list of adequate third countries on the basis that their data protection legal framework is “not materially lower” than that in the UK.
- Creating new exceptions for cookie consent requirements including when using cookies to obtain statistics on website use for making improvements.
- Aligning administrative fine caps under PECR (currently £500,000) with those under UK GDPR so that the most serious offences under PECR could result in fines of up to £17.5m or 4% of global turnover, whichever is higher.
- Replacing the ICO with a new corporate regulatory body, the “Information Commission”, that will have additional powers, e.g., to issue information and interview notices and to prolong the time between a notice of intent and issuing an administrative fine.
Considering the upcoming review by the European Commission of the adequacy of the UK’s data protection regime at the end of 2025, some commentary suggests that data protection amendments relating to automated decision-making, DSAR processes and cookie related provisions will be prioritized for secondary legislation ahead of other changes.
Data Sharing Schemes
The DUA Act introduces a framework for enabling “Smart Data” schemes that will require businesses in various sectors to share both “customer data” and “business data” when requested. Unlike similar EU rules, these schemes are not limited to public sector or ‘IoT’ data – they can apply broadly across different industries. This is expected to give customers and authorized third parties better access to their data, promoting innovation and competition while putting consumers in greater control of their information. The implementation of Smart Data schemes represents a significant move toward data portability that could transform how businesses operate and how consumers interact with service providers.
Digital Verification Services
The DUA Act lays out proposals for a government framework to administer the provision of digital verification services, including the preparation of supplementary codes of conduct by the Secretary of State. This framework will entail the use of a mandatory ‘trust mark’ by digital verification service providers – this is intended to give consumers confidence that these digital identity services are secure and reliable for everyday activities like opening bank accounts or proving age online. It is hoped that the new framework (which is likely to involve private and public co-ordination) will facilitate greater uptake and use of digital ID providers who enable identification without the need to provide physical documents, and consequently greater security and economic benefits through the widespread use of digital IDs in daily life in the UK. The Secretary of State will also maintain a register of providers of digital verification services and is empowered to prepare and publish supplementary codes relating to such services. These proposals mirror similar plans in the EU in the form of the creation of a European ID.
Next Steps
In terms of timing, the DUA Act’s provisions come into effect on a staggered basis with a handful of changes already in force (e.g. the scope of searches relating to data subject requests). The ICO has commented that various other provisions will come into effect over the course of the next two, six and twelve months and we will be monitoring developments during this time as the data protection landscape in the UK continues to modernise and evolve.