UK: Data (Use and Access) Bill passes through Parliament

By Rachel de Souza on June 16, 2025

On 11 June 2025, the UK’s Data (Use and Access) Act 2025 (“DUA Act“) was passed and received Royal Assent on 19th June 2025.

The government first announced plans for the new DUA Act in the King’s speech back in July 2024. The DUA Act introduces reforms to data protection and e-privacy laws and also includes a strong emphasis on wider data related policy initiatives, focussed on facilitating digital identities and securing access to ‘smart’ or ‘open’ data sets.

The long awaited DUA Act proposes very limited changes to the UK data protection regime which are unlikely to have a material impact on day-to-day compliance for most businesses operating in the UK.

The specific areas of reform include (see our previous Privacy Matters blog for more information on the changes) :

Creating a statutory definition of scientific research to help clarify how the various provisions in the UK GDPR which refer to ‘research’ are intended to be applied.
Introducing the concept of ‘recognised legitimate interests’ to provide a presumption of legitimacy to certain processing activities that a controller may wish to carry out under Article 6(1)(f) (legitimate interests).
Removing the requirement to establish a qualifying lawful basis before conducting automated decision making (the requirement currently at Article 21(2) UK GDPR), except where special category data is used.
Granting the Secretary of State the authority to designate new special categories of personal data and additional processing activities that fall under the prohibition of processing special category data in Article 9(1) of the UK GDPR.
Introducing reforms to the rules on cookie consent.
Aligning the UK GDPR / DPA and PECR enforcement regimes.
Introducing amendments that are designed to clarify the UK’s approach to the transfer of personal data internationally and the UK’s approach to conduct of adequacy assessments.
Introducing reforms to the ICO, including a name change to an Information Commission, rather than a Commissioner, introducing a formal Board structure with an appointed CEO.

In the final stages of the DUA Act’s passage through Parliament, much of the debate focused on the House of Lords’ repeated proposed amendments to ensure transparency around data scraping and the use of text and data to train GPAI models. The proposed amendments required developers of AI models to publish information used in the pre-training, training, fine-tuning and retrieval-augmented generation of the AI model, and to provide an effective mechanism to allow copyright owners to identify all individual works that they own. However, the government argued that the DUA Act was not the correct place to deal with this difficult issue and the amendments were ultimately dropped.

What next?

Although some key changes have been introduced, the majority of the DUA Act simply reflects established principles or guidance and introduces minor changes around the edges of existing governance requirements, without overhauling them completely. Some of the more innovative elements (around smart data access and use) are still unclear as we await the detail of secondary legislation.