On 19 June 2025, the UK’s Data Use and Access Act 2025 (DUAA) received Royal Assent. The Act amends provisions in the UK relating to data protection legislation. The Act relates to the whole of the UK, including to individuals and companies in Scotland.
Background
Prior to exiting the European Union (EU), the UK was bound by European data protection law. At the point of exit, the UK adopted its own data protection legislation that essentially mirrored that of the EU.
The European Commission (EC) is responsible for determining whether non-EU countries offer ‘adequate levels of protection’ to personal data transferred from the EU.
In June 2021, the EC agreed that the UK legislation adopted post-EU-exit did give this ‘adequate protection’. This was an important step, as loss of ‘adequacy’ would have had important ramifications for UK businesses, which could have resulted in operational difficulties, additional legal costs and other additional steps for businesses when working within the EU.
The Data Adequacy decision was due to expire in June 2025. However, in March 2025, the European Commission proposed the adoption of an extension of the adequacy decisions for a further period of six months until 27 December 2025. This extension was supported by the European Data Protection Board and approved by EU Member States. The extension allowed time for the DUAA to come into force in the UK and for the European Commission to assess the new legal framework and decide on its ongoing adequacy.
Legislative change
The Conservative government introduced the Data Protection and Digital Information Bill in March 2023, aiming to amend the legislation in place in the UK. However, this Bill fell on 24 May 2024 when the UK Parliament was dissolved before the General Election.
This Bill was controversial as it made significant changes to the legislation adopted after exit from the EU, aiming to reduce the burden on organisations, which the government hoped would in turn boost the economy.
Due to concerns that this Bill put the EC’s ‘adequate protection’ rating at risk, the House of Lords’ European Affairs Committee undertook an Inquiry on UK-EU data adequacy in 2024. They made several recommendations to the new Labour government in October 2024, based on the evidence that they had received before the election.
After the Labour government came to power in July 2024, they chose to introduce a new Bill which became the Data Use and Access Act. While this Bill also aimed to make changes to the data protection system in the UK, the changes were different to those of the previous Bill. The aim of the legislation was:
“to harness the power of data for economic growth, support a modern digital government, and improve people’s lives.”
It will be up to the European Commission to determine if the changes to the data protection regime within the UK still meet their ‘adequate protection’ rating now that the Bill has received Royal Assent.
The Data Use and Access Act
The Act includes a number of changes to the existing data protection regime in the UK. Some of the main changes include:
- larger fines for breaches of the Privacy and Electronic Communications Regulations (PECR) which cover areas like direct marketing, cookies, and keeping communications secure; the new fines will be up to £17.5 million or 4% of an organisation’s global turnover, whichever is higher
- permitting organisations to use cookies without consent for the purposes of web analytics and to install automatic software updates
- changing marketing laws for charities to allow a ‘soft opt in’ to put them on the same footing as commercial organisations (although both must still give individuals the option to opt out)
- introducing a specific obligation on controllers to help people who want to make complaints, with some requirements as to how their complaints processes operate
- expanding the circumstances in which an organisation can make significant decisions based solely on its automated processing of personal information, subject to appropriate safeguards being in place
- formalising the requirement for organisations to do a risk assessment when transferring data outside of the UK, and requiring that the standard of protection provided in the receiving country or organisation is not materially lower than that of UK GDPR
- allowing for the creation of a digital identity mechanism for individuals to use when using online services
The Act also makes changes to the governance structure of the Information Commissioner’s Office (ICO), and places new duties on the ICO to have regard to:
- promoting innovation and growth
- the importance of preventing and detecting crime
- safeguarding public and national security
- ensuring that children merit specific protection regarding their personal information.
What happens next?
The UK Government will phase implementation of the new law. While most provisions are expected to come into force either two or six months after Royal Assent, some may take up to 12 months.
The ICO will be publishing regular updates on their website to give organisations certainty on what they need to do and when. They also list the guidance that they are currently working on.
Two new requirements that the ICO is suggesting that organisations may wish to prepare for now are:
- Children and online services: if an organisation provides an online service that is likely to be used by children, the DUAA explicitly requires organisations to take children’s needs into account when they decide how to use their personal information. Organisations should already satisfy this requirement if they conform to the ICO’s Age-appropriate design code (AADC).
- Data protection complaints: the DUAA requires organisations to take steps to help people who want to make complaints about how they use their personal information, such as providing an electronic complaints form. Organisations will have to acknowledge complaints within 30 days and respond to them ‘without undue delay.’
The European Commission is likely to issue a decision on whether the new legislation meets their ‘adequate levels of protection’ rating towards the end of 2025.
Laura Haley, Researcher (Justice and Social Affairs)
