UK Data Use and Access Act Now in Force

On June 19, 2025, the UK Data Use and Access Bill (DUA Bill) finally received Royal Assent and passed into law as the Data Use and Access Act 2025 (DUA Act). The DUA Act amends the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communication (EC Directive) Regulations 2003 (PECR). 

Key Changes Under the DUA Act 

International Data Transfers

The DUA Act introduces a new data protection standard for international data transfers from the UK to other countries. Under the new standard, the destination country's data protection must be “not materially lower” than the standard in the UK, replacing the current requirement that it be “essentially equivalent.” This may impact the UK’s adequacy status with the EU. The current EU-UK adequacy decision is valid until December 27, 2025. We will monitor how the European Commission responds to the DUA Act's new standard.

A New Legal Basis

The DUA Act introduces “Recognized Legitimate Interests” as a new legal basis for data processing. This new legal basis will permit certain security-related activities such as fraud prevention, public safety, and national security. For these data processing activities, a controller will likely not be required to conduct a legitimate interest balancing test. The DUA Act also provides further guidance on what constitutes a legitimate interest, such as direct marketing, intra-group data transfers for internal administration, and processing necessary to ensure the security of network and information systems.

Data Subject Requests

The DUA Act modifies Data Subject Access Requests (DSARs) by requiring controllers to conduct only “reasonable and proportionate” searches when responding to DSARs. The DUA Act codifies ICO guidance related to DSARs. Organizations must now explain when they withhold information due to legal privilege.

Automated Decision Making

Article 22 of the UK GDPR restricts solely automated decision-making (ADM) that has a significant legal effect on individuals, requiring meaningful human oversight for all such processes. The DUA Act clarifies that “meaningful human intervention” requires that a competent person reviews automated decisions. Organizations conducting ADM must also offer appropriate safeguards. Organizations using AI-driven processes must uphold transparency and accountability in decision-making. Organizations are also required to inform individuals and to comply with non-discrimination laws such as the Equality Act 2010.

Cookies

The DUA Act provides new exemptions to the requirement for consent to set cookies for:

  1. Collecting statistical information about how an organization's service or website is being used with a view to making improvements (such as analytics purposes);
  2. Optimization of content display or to reflect user preferences about content display (such as saving user preferences in relation to font or adapting the display to the size of the user's device); or
  3. Where the sole purpose is to enable the geographical position of a user to be ascertained in response to an emergency communication.

Even with these exemptions, organizations must clearly inform users about the purpose of the cookies and provide a simple and effective opt-out mechanism.

Digital ID Trust Framework

The DUA Act establishes a Digital ID Trust Framework that sets rules for digital verification services in the UK. This is aimed at fostering innovation while increasing oversight and consultation. Key provisions of the framework include simplifying regulations to make digital verification services more efficient and accessible.

Children's Data

The DUA Act introduces several provisions aimed at strengthening the protection of children’s personal data. It identifies children’s “higher protection matters” as considerations for how best to safeguard and support children when they use services.

Complaints

The DUA Act outlines new rules requiring controllers to respond to complaints within 30 days, so that complaints are first handled by the controller before being reported to the Information Commissioner's Office (ICO).

Role of the ICO

The ICO will now be subject to increased oversight by the Secretary of State, potentially leading to shifts in enforcement priorities. The ICO will transition to a corporate body, formally established as the Information Commission, led by a Chair and supported by a non-executive board.

Next Steps for Organizations

The DUA Act will enter into phased implementation from now through June 2026. Organizations should:

  • Review and update their data maps and inventories globally.
  • Assess and audit any ADM and AI related activities.
  • Review DSAR processes and procedures.
  • Identify and update how cookies are being used.
  • Update or create a complaints-handling procedure.
