Understanding the UK’s Data (Use and Access) Act 2025 

Freya

The UK’s data protection landscape is continuing to evolve. The Data (Use and Access) Bill (the “DUA Bill”) received Royal Assent last month and has been enacted as the Data (Use and Access) Act 2025 (the “DUA Act”). The DUA Act aims to complement existing UK data protection laws by enhancing transparency, promoting responsible data sharing, and reinforcing the protection of individual rights.  

This article explores some of the key changes being introduced by the DUA Act and outlines practical steps organisations can take to prepare for the new legislation and ensure ongoing compliance.   

One of the most hotly contested issues that stalled the DUA Bill’s progress was the treatment of artificial intelligence (“AI”). The emergence of AI models raised significant concerns, particularly around copyrighted material being used by developers to train their Large Language Models.

The House of Lords pushed for amendments to the DUA Bill to include stricter provisions on the use of copyrighted content, advocating for mandatory transparency requirements. Some of the UK’s leading music artists, including Sir Elton John, Sir Paul McCartney and Dua Lipa, spoke out in support of these changes. (Dua Lipa’s high-profile involvement even led to the legislation being jokingly referred to as the “DUA Lipa Bill”.) These artists warned that, without such safeguards, tech companies could exploit intellectual property and be given free rein to use content without having to compensate the creators.

However, the House of Lords’ efforts were unsuccessful. The Government ultimately resisted the proposed changes, arguing that the DUA Act was not the appropriate legislative vehicle to address such complex and evolving issues. Eventually a compromise was reached and a government report on AI and copyright is due to be published later this year, which will explore possible changes and enforcement measures. 

What does the DUA Act do? 

The DUA Act establishes a more robust legal framework for data access and sharing. It updates and reforms existing UK data provisions and e-privacy laws and includes broader data policy initiatives aimed at encouraging the use of data in the public interest, while maintaining safeguards for individual rights to privacy.

Key changes include:  

  • Establishing new Smart Data Schemes to enable access to customer and business data. This will allow data holders to share data, such as order histories and service logs, with authorised third parties who can use it to provide improved services to the customer.  
  • Introducing a new structured system for digital verification services by using trusted providers, enhancing reliability and trust in digital ID systems.   
  • Replacing the former EU-style adequacy framework for international data transfers with a new test. Transfers will be permitted where the receiving country offers protections that are not materially lower than UK standards. 
  • Making various amendments to existing UK data legislation, such as:  
    • to introduce a new lawful basis for processing of “recognised legitimate interest”, including for national security and emergency response; 
    • to allow charities to take advantage of the “soft opt in” when sending marketing emails, thus bringing them more in line with how businesses can operate; 
    • to relax the requirement for establishing a lawful basis before conducting automated decision-making where special category data is not involved; 
    • to clarify the “reasonable and proportionate” standard for responding to data subject access requests (“DSARs”), offering more proportionality and greater flexibility to organisations managing complex / repetitive requests;  
    • to permit the use of low-risk cookies (e.g., for site performance or analytics), without the requirement for explicit consent, provided users are informed and can still opt-out; and 
    • to reform the ICO and replace it with the “Information Commission” – intended to give it a more modern structure as a full corporation and bring it in line with other UK regulators like OFCOM and the FCA.  

How can organisations prepare? 

While some critics argue the DUA Act simply reinforces and codifies existing legislation, the cumulative effect of the changes could be significant from a compliance and operational perspective.  

The new Information Commission will be issuing guidance on the DUA Act, but this is not scheduled to come out any time soon and may not arrive until next year. As we await further details and secondary legislation, organisations should take this opportunity to proactively review and assess their existing documentation and policies to ensure a smooth transition. Practical steps include:

  • Reviewing existing data policies, including privacy policies and data protection impact assessments, to assess their compliance with the new transparency and accountability requirements and the recognised legitimate interests provision; 
  • Considering how the Act’s clearer “reasonable and proportionate” test applies to data subject access request processes, and thinking about setting internal policies on what constitutes a reasonable / proportionate search; 
  • Assessing whether use of cookies will qualify for the new consent exemptions and considering a review of cookie banners and privacy notices accordingly, ensuring opt-out choices remain;  
  • Considering the appointment of a data protection officer (“DPO”) or compliance lead if not already in place to oversee regulatory compliance, particularly for businesses that operate across multiple jurisdictions; and  
  • Remembering that this is a change to UK legislation only. Where organisations must comply with legislation from other jurisdictions, especially GDPR for Europe-related activities, those regulations will still apply. Global organisations should consider how best to manage the different approaches when dealing with the UK and Europe.    

Final thoughts  

The DUA Act is part of a broader trend towards a more flexible and accountability-driven approach to how data is being governed in the UK. While some key aspects, such as AI and copyright, are subject to secondary legislation and further guidance to be published, the direction the Government is taking towards modernisation is clear.  

Organisations that begin reviewing and assessing their processes and provisions now will be better placed to ensure legal compliance and avoid regulatory risk in the future. 

Our experienced Data Protection & Privacy team is available to provide further advice or answer any questions you may have about the DUA Act. Please do not hesitate to get in touch.  

Freya Vale

Solicitor
