10 Things to Know About UK's Data (Use and Access) Act

July 08, 2025

Key Takeaways

  1. The Data (Use and Access) Act 2025 (“DUA”) introduces wide-ranging provisions, including reforms to UK data protection laws.
  2. The DUA impacts areas such as international data transfers, cookie consents, automated decision-making, legitimate interests, data subject requests, scientific research, and enforcement.
  3. Most provisions do not come into force until the Secretary of State makes specific regulations, which are expected to come within the next twelve months. Businesses will therefore want to get to grips with the changes being made by the DUA and assess and revise their privacy compliance programmes as needed.

Background

Following a prolonged ping-pong process between the House of Commons and the House of Lords, the two Houses finally reached agreement, and the Data (Use and Access) Act 2025 (“DUA”) received Royal Assent on 19 June, completing its passage into law.

The DUA makes amendments to the UK data protection regime, impacting areas such as international data transfers, cookie consents, automated decision-making, legitimate interests, data subject requests, scientific research and enforcement. The UK government has stated that these changes will make the rules simpler for organisations, encourage innovation, and allow responsible data-sharing while maintaining high data protection standards. The UK Information Commissioner, John Edwards, has been overall supportive of the Act “as improving the effectiveness of the data protection regime in the UK”.

Most provisions do not come into force until the Secretary of State makes specific regulations. The Information Commissioner's Office (“ICO”) indicates that this is expected within the two-to-six-month period after Royal Assent, although some may take up to twelve months. However, the clarification that searches in response to data subject access requests need only be reasonable and proportionate was backdated to 1 January 2024 and is therefore in effect now.

1. New Recognised Legitimate Interests for Processing

The DUA makes two main amendments to the provisions on lawful bases for processing. Firstly, it pulls in the examples of legitimate interests that were previously provided for in the UK GDPR recitals, namely:

  • direct marketing;
  • intra-group transmission of personal data for internal administrative purposes; and
  • ensuring the security of network and information systems. This could, for example, include preventing unauthorised access to electronic communications networks and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Secondly, and more significantly, it adds a new lawful basis of where “processing is necessary for the purposes of a recognised legitimate interest”. This basis does not require a balancing exercise (which is still required when relying on the original legitimate interests basis) – instead, where applicable, controllers can simply point to Annex 1 to the DUA and say that their recognised legitimate interest is set out there. The new basis is designed to give businesses greater confidence in processing personal data for these purposes, which include:

  • disclosure to a person carrying out a public interest task;
  • safeguarding national security;
  • protecting public security and defence purposes;
  • responding to an emergency;
  • detecting, investigating, or preventing crime; or
  • safeguarding vulnerable individuals.

2. Clarification of Purpose Limitation

The UK GDPR’s purpose limitation principle restricts processing of personal data to the purposes for which they were collected and prohibits further processing in a manner incompatible with those original purposes. The DUA essentially moves around some of the UK GDPR language and then sets out the circumstances where processing for a new purpose is to be treated as compatible with the original purpose, including where:

  • the data subject consents to the new purpose;
  • the processing is for scientific or historical research, archiving in the public interest or for statistical purposes; or
  • the processing is for any purpose specified in Annex 2 which covers similar purposes to those set out above as “recognised legitimate interests”, as well as compliance with legal obligations.

3. Automated Decision-Making

Automated decision-making (“ADM”) refers to a significant decision based solely on automated processing. The DUA starts by clarifying that a decision is based solely on automated processing if there is no meaningful human involvement in the decision. There is no real change to what constitutes a significant decision – these continue to be decisions which produce a legal, or similarly significant, effect for the data subject.

Under the DUA, subject to the prohibitions set out below, ADM is generally permitted as long as certain safeguards are in place, such as transparency measures, enabling the data subject to make representations about and to contest such decisions, and enabling human intervention. These largely reflect the existing safeguards mentioned in the UK GDPR.

ADM is prohibited:

  • where the decision is carried out in reliance on a “recognised legitimate interest” basis; or
  • in relation to special categories of data (such as health data or racial or ethnic origin data), unless:
    • the data subject gave explicit consent; or
    • the decision is necessary for reasons of substantial public interest and for one of the following reasons:
      • entering into or performing a contract with the data subject; or
      • required or authorised by law.

These amendments are intended to create a more permissive framework for ADM to enhance productivity, while retaining stringent safeguards.

4. Children’s Data

Controllers are already subject to a general requirement to implement appropriate technical and organisational measures to ensure data protection by design and by default. The DUA builds on this by adding an express duty for information society services likely to be accessed by children to take account of children’s needs when designing their services. Such needs include how children can best be protected and supported when using the services and the fact that children merit specific protection and have different needs at different ages and stages of development.

5. International Data Transfers

The DUA introduces a new data protection test for adequacy decisions about third countries or international organisations. Although not expressly set out in the main provisions of the UK GDPR, the current test is that the third country must offer “essentially equivalent” protections in order to be considered for adequacy. The new test under the DUA for the Secretary of State to consider is whether the standard of protection in the third country is “not materially lower”. In addition, the four-year review period for adequacy decisions is removed, although such decisions must remain subject to ongoing monitoring and review by the Secretary of State.

Importantly for businesses, this same test of “not materially lower” protection is also to be applied when using safeguard mechanisms such as standard contractual clauses to export personal data. The exporter must consider if this test is met “acting reasonably and proportionately”. This is in place of the detailed transfer impact assessment currently required. However, for those businesses exporting data from both the EU and the UK, this may make little practical difference given that the detailed transfer impact assessment will still be required for EU purposes.

There are some concerns that the new “materially lower” test will give the EU pause when it comes to consider the UK’s own adequacy decision. Some rights groups have even warned that this represents a divergence from GDPR standards and suggested that the UK’s adequacy decisions should not be renewed. The current adequacy decisions have been extended until 27 December of this year while the European Commission evaluates the new data protection regime, as amended by the DUA.

6. Data Subject Rights

The DUA predominantly aligns the provisions in the UK GDPR with existing ICO guidance and case law. For example, the DUA codifies the ICO’s “stop the clock” guidance whereby a controller’s time to respond to an access request is paused until it receives required further information. In addition, it codifies case law confirming that searches in response to access requests are to be “reasonable and proportionate”. However, it does not provide any further detail on what a reasonable and proportionate search might entail.

7. Complaint Handling Processes

There is a new requirement for controllers to put in place a complaint handling process (such as by providing a complaint form), which is intended to ensure that data subjects are able to lodge complaints directly with the controller. Controllers are required to acknowledge receipt of the complaint within thirty days, and to take appropriate steps to respond to it and inform the complainant of the outcome without undue delay.

8. Research, Archiving and Statistical Purposes

The DUA clarifies the definition of scientific research, defining it as “any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”. In practice, this is unlikely to result in a major shift for businesses operating in the UK, as the recitals to the UK GDPR previously indicated that the term should be interpreted broadly.

Again, in keeping with the UK GDPR recitals, the DUA clarifies that consent in the research context can still be valid even when it is not necessarily possible to fully identify the scientific research purposes at the time of data collection, subject to certain safeguards.

In addition, if a controller wants to use personal data for a different purpose to that for which it was originally collected, the DUA exempts the controller from the requirement to inform the data subject of that purpose where it is solely for scientific or historical research, archiving in the public interest or statistical purposes, and informing the data subject is impossible or would involve disproportionate effort.

9. Additional Cookie Exceptions

The DUA provides additional exemptions to the requirement to obtain consent to set cookies and similar technologies for situations deemed to be of low privacy risk. These exemptions include the following, which are each subject to certain conditions being satisfied, including providing clear and comprehensive information and allowing the user to opt-out:

  • statistical cookies with a view to making improvements to a service or website by means of which a service is provided; and
  • functional and personalisation cookies enabling the display of an information society service website, such as those which automatically authenticate repeat visitors of a digital service or website to maintain previously selected settings.

There is also an exemption for cookies set for the sole purpose of ascertaining a user's geographical location in response to an emergency situation with a view to providing requested emergency assistance.

In addition, the DUA clarifies situations where cookies can be considered strictly necessary, such as to provide the service requested, to prevent or detect fraud in connection with the provision of the service requested, and to ensure that the security of the user’s terminal equipment is not adversely affected by the provision of the service requested. It also provides that “consent” to cookies may be given by amending or setting controls on the user’s internet browser or by using another application or programme.

10. ICO Powers

A number of changes have been made to the ICO’s enforcement powers. Firstly, there is a clarificatory amendment to make it clear that information notices from the ICO can require recipients to provide documents as well as information. There are also two new powers for the ICO, designed to enable it to obtain the evidence it needs to inform investigations and monitor compliance:

  • requiring an organisation to commission and pay for a report to assist in an investigation; and
  • requiring a person to attend an interview to answer questions through an interview notice.

The six-month period for the ICO to issue a final penalty notice after a notice of intent also gets some added flexibility, allowing the final penalty notice to be sent within that six-month period or as soon as reasonably practicable thereafter.

The DUA also brings the ICO's enforcement powers for violations of the Privacy and Electronic Communications Regulations (“PECR”) (which govern, inter alia, direct marketing and cookies) into line with those under the UK GDPR, with maximum fines of £17.5 million or 4% of worldwide annual turnover, whichever is greater.

Finally, the DUA also changes the structure of the ICO, and renames it the “Information Commission”.

Next Steps

The most significant risk shift is in terms of fines for breach of PECR. The ICO has historically tended to issue more fines under PECR (for things like direct marketing or cookie violations) than under the UK GDPR. The changes aligning the fines with the UK GDPR regime mean that businesses cannot treat these requirements as “second tier”.

Although most provisions do not come into force until the Secretary of State makes specific regulations (which could be as soon as within the next couple of months for some provisions), businesses will want to get to grips with the changes being made by the DUA and assess and revise their privacy compliance programmes as needed.

If you have any questions about how the DUA impacts your business, or would like assistance with reviewing your privacy compliance programme, please do not hesitate to contact a member of our Cyber, Privacy and AI team.

Contributors

The authors wish to thank Trainee Solicitor Holly Alderton for her contributions to this OnPoint.
