by Andrew Sparrow and Demi Darbey
The UK's evolution of Data Protection law
In a move to implement evolutionary changes to data protection law, intended to promote innovation and economic growth across sectors, the UK's Data (Use and Access) Act 2025 (DUAA) received Royal Assent this summer. The changes will be phased in between June 2025 and June 2026.
The aim of the DUAA is to make things easier for organisations, whilst still protecting people and their rights. It supplements, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
In this article, we examine the extent to which the DUAA updates privacy laws, whether it departs much from existing pan-European laws, and what it means for you.
In particular, the DUAA facilitates the expansion of digital verification services, allowing for secure sharing and use of data between organisations. This will likely be of benefit to organisations.
One change of more significance to the UK's governance regime than to the direct compliance obligations of organisations is that the Information Commissioner's Office (ICO) will be restructured and replaced by the Information Commission (IC) as the UK's supervisory authority, to improve its powers and accountability.
We have summarised below the key reforms of the DUAA on the data protection and ePrivacy landscape:
Automated Decision-Making (ADM)
There are amendments in respect of ADM (i.e. the use of data, machines and algorithms to make decisions), an issue which Artificial Intelligence (AI) is bringing to the fore.
Unless special category personal data (i.e. personal data considered more sensitive and therefore requiring greater protection) is involved, the DUAA has removed the restrictions around significant decisions that are made solely by ADM. This means businesses will have a greater ability to innovate and integrate more technology into their operations.
Data Subject Access Requests (DSAR)
Under the UK GDPR and the DPA 2018, individuals have the right to issue a DSAR asking an organisation whether it is using or storing their personal information and requesting copies of the personal data. DSARs help individuals understand how and why organisations are using their data, and check whether they are doing so lawfully.
The DUAA introduced a 'stop the clock' rule, which allows organisations to pause the response time if they need more information from the requester. This will be helpful for organisations, which hitherto were compelled to race to provide a response even when the request was inadequately expressed.
In addition, a new onus has been placed on organisations, requiring them to make reasonable and proportionate searches when responding to requests. This change applies retrospectively from 1st January 2024.
Children's Data Protection
The DUAA adds explicit obligations for online services directed at children, requiring design that accounts for their different awareness and needs.
Scientific Research
The definition of scientific research has been broadened to include commercial scientific research. This will be useful for researchers, considering that the GDPR provides specific exemptions for scientific research, allowing organisations to process personal data without violating certain rights of individuals.
The DUAA has also simplified consent rules, enabling researchers to seek consent for broad areas of research. This allows personal data to be processed within general areas of research even where the specific purpose for its use is unknown at the time of collection.
Recognised Legitimate Interests
The DUAA introduces new lawful grounds for processing data for specified legitimate purposes, such as public safety, reducing the need for balancing tests in these situations.
International Data Transfers
The rules around international data transfers have been simplified; specifically, the standard of protection in the destination jurisdiction must not be materially lower than that in the UK.
Responding to Complaints
Controllers of personal data are required to have clear complaint processes: they must acknowledge receipt of a complaint within 30 days and respond without undue delay.
Individuals also have a statutory right to raise a complaint.
Storage and Access Technologies
Charities will now have a soft opt-in right to email, without obtaining explicit consent, those who have shown interest in their work, provided the purpose of such emails is to further the charity's charitable purpose and individuals are offered the opportunity to opt out at the time their data is collected.
In addition, low-risk cookies (those presenting a low risk to privacy, including cookies used for analytics and website display) may be used without explicit consent, on the basis that there is transparency and opt-out options are available. On the other hand, consent will still be required for marketing and advertising cookies.
Penalties for infringements of PECR will be brought in line with the fines levied under the UK GDPR. This means breaches of e-privacy rules can attract a maximum penalty of £17.5 million or 4% of worldwide turnover.
Smart Data & Digital ID
The DUAA creates a framework:
- for the creation of a legal structure for smart data, requiring businesses to share customer data through standardised APIs, to expand its use beyond open banking models into other sectors; and
- to enable the introduction of trusted digital verification services. This facilitates expansion in areas such as Fintech, ID management and e-commerce.
You can view the ICO’s summary of the changes to data protection law here. Further guidance will be released in due course.
Heralded as a new approach to privacy, adapted to the era of AI, does the DUAA constitute a major change to UK data laws? The answer is that the UK remains materially aligned with the EU.
The DUAA does lighten some compliance burdens and expands opportunities for digital innovation. However, businesses will face tougher enforcement and stricter accountability in AI and children's services, together with formalised complaint handling duties.
Large organisations may benefit most from the new flexibility.
SMEs will need to adapt processes to remain compliant.