The Data (Use and Access) Act (DUAA) represents the UK's first significant data protection reform since Brexit and it seeks to reshape the UK's data protection landscape whilst maintaining compatibility with EU standards to preserve seamless EU-UK data transfers.
What is the Data (Use and Access) Act?
The DUAA comprises three core pillars:
- reforming the UK GDPR framework
- establishing new mechanisms for business and customer data sharing
- creating a digital identity verification framework
Its goal is enabling data to be used and accessed to grow the economy, improve public services and make people's lives easier. But, unlike wholesale reform that might jeopardise the UK's EU adequacy status, the DUAA adopts a more nuanced approach. It seeks to modernise UK data protection law whilst preserving the essential compatibility with EU standards that businesses rely on for international operations. The EU decision on adequacy of the UK regime comes up for renewal on 27 December 2025.
Practical Actions for Businesses
We have set out below a detailed summary of the key changes introduced by the DUAA as well as some sector-specific considerations, but these are the main actions to be considered by businesses in light of the DUAA:
- review internal policies and procedures, particularly in relation to when legitimate interests assessments are required and to automated decision making
- review DSAR guidance and procedures to ensure that there is appropriate record keeping and application of exemptions
- establish a clear data subject complaints submission mechanism and publicise it
- review cookie banners and notices to take statistical / functionality improvement cookies out of scope for cookie consents
- review privacy notices, which may need updating to account for changes in processes and procedures
- review the business model opportunities and threats arising from the wider provisions of the DUAA that go beyond GDPR / PECR reform
Organisations should also monitor the outcome of the European Commission's adequacy review in relation to the UK. Loss of adequacy status would fundamentally alter the compliance landscape for any organisation transferring data between the EU and UK, potentially requiring implementation of Standard Contractual Clauses or other transfer mechanisms as well as transfer risk assessments for EU-UK data transfers.
Overview of Changes and Reforms
The DUAA introduces reforms across multiple areas of data privacy compliance and governance. The following comprehensive analysis covers all major provisions contained within the legislation:
1. UK GDPR / PECR Amendments
Enhanced Legitimate Interests Framework
One of the more material practical changes involves the expansion and clarification of the use of legitimate interests as a lawful basis for processing. The DUAA amends Article 6 UK GDPR to allow controllers to rely on "recognised legitimate interests" listed in Annex 1 and to establish that legitimate interests assessments won't be required in relation to "recognised legitimate interests".
The "recognised legitimate interests" include activities such as direct marketing, intra-group transmission of personal data for internal administration purposes and ensuring the security of network and information systems. There are also a number of public interest related legitimate interests that are called out including disclosure of data to a person exercising public interest functions, national security and response to emergencies and prevention and detection of crime.
This represents a clearer route to reliance on legitimate interests as the lawful basis for processing personal data but, in most cases, there will still be the requirement to conduct a nuanced legitimate interests assessment.
Automated Decision-Making (ADM) Reform
The DUAA replaces Article 22 of the UK GDPR with new Articles 22A-22D and seeks to apply a more permissive framework for decisions based solely on automated processing (where those decisions have legal or similarly significant effects for individuals). It does this by applying the same level of restriction as previously existed in the GDPR where special category data is being used, but otherwise permits ADM based on ordinary personal data subject to the adoption of safeguards. Those safeguards are that the individual:
- has been given information about the decisions that will be made;
- is able to make representations about those decisions;
- can obtain human intervention in relation to the decision; and
- can contest the decision.
This relaxation of the ADM regime will be particularly useful in the context of implementation of AI enabled systems that have ADM features.
Individuals' Rights
There are both helpful and concerning features for businesses in the reforms related to handling individuals' data rights requests.
On the helpful side, the DUAA codifies the position created by UK case law and guidance that only a "reasonable and proportionate" search is required. There is also a "stop the clock" mechanism that allows businesses to pause the response time on a DSAR if they need the individual to clarify or refine their request in order to identify the information or processing activities to which the DSAR relates.
Businesses will be less pleased with the changes related to the application of the legal professional privilege exemption. The DUAA formally requires the controller to provide information about the application of that exemption, and gives the individual a right to complain to the Information Commissioner (ICO) in relation to the use of that exemption as well as the right to apply to a court for a compliance order. In addition, the controller must record the rationale for relying on the exemption and provide that to the ICO on request. This is in line with the ICO's current guidance, but the DUAA formalises it.
The ICO's authority regarding information notices has been expanded to include the ability to order the disclosure of documents to the ICO. Courts have also been given the power to require a controller to disclose documents so the Court can determine whether these should be provided to an individual in response to a DSAR.
Data Subject Complaints
The DUAA sets up more formal requirements related to complaints handled by controllers. Companies are required to facilitate complaints by taking steps "such as providing a complaint form which can be completed electronically". As a result, companies must review their websites and other channels to provide a ready means for data subjects to send complaints and ensure that there is a robust process for recording, tracking and responding to complaints. The DUAA requires that companies respond to complaints without undue delay and there is the prospect of future regulations requiring reporting on numbers of complaints to the ICO.
Purpose Limitation Refinements
The DUAA restates GDPR provisions on purpose limitation and brings into the legislation concepts that the ICO has applied in its guidance on purpose limitation, i.e. the factors to be considered in determining whether a new purpose for processing data is compatible with the original purpose. The DUAA also provides a list of compatible purposes which includes processing associated with complying with or demonstrating compliance with the data protection principles in Article 5(1). Annex 2 also introduces a list of purposes which are deemed compatible with the original purpose. This includes disclosures to public authorities and regulatory compliance activities, providing businesses with greater flexibility in data use whilst maintaining fundamental protection principles.
International Transfer Mechanisms
The Act introduces significant changes to international data transfer mechanisms. The amendments re-work Article 45 of the UK GDPR so the framework comprises "transfers approved by regulations" as opposed to "transfers on the basis of an adequacy decision". This change provides the UK government with greater flexibility in determining which countries receive approval for data transfers.
There is also a new test that will be applied by the Secretary of State to assess whether the destination country's standard of data protection is appropriate and the same test should be applied by data exporters. That new test is whether the level of protection for a data subject will be "not materially lower" than under UK law. Although the terminology may have been adjusted, in practice, this is unlikely to substantially alter the transfer risk assessments that controllers are currently performing.
ePrivacy Reforms
There are some long overdue reforms to bring the Privacy and Electronic Communications Regulations into line with GDPR requirements and to apply some relaxation to some of its requirements. Most notably:
- the notification timeframe in which communication service providers must notify personal data breaches is changed to 72 hours (from 24 hours) to align it to GDPR reporting requirements
- cookies may be deployed to collect statistical information about how a website or app is used with the aim of improving the service, or to improve the functionality of the website or app, without having to get the consent of the user. This will prompt website / app owners to revisit their cookie banners and notices to place these sorts of cookies alongside "strictly necessary" cookies as cookies that are applied by default
Importantly, given that many of the ICO's enforcement actions relate to PECR breaches, the DUAA brings the enforcement powers under PECR into line with UK GDPR, so that enforcement mechanisms and penalties are the same in most cases.
Research Provisions
The DUAA introduces enhanced provisions for scientific research, reflecting the UK's ambition to become a global leader in data-driven innovation. It also clarifies that companies can use personal data for research and development projects, as long as they follow data protection safeguards.
Additionally, the DUAA contains a regulation-making power to create a framework allowing researchers access to data relating to online safety held by tech companies. This will enable academic and policy research into online harms and digital platform operations.
2. Other DUAA Features
Digital Identity Verification Services
The DUAA sets out a comprehensive regulatory framework for those who provide trusted digital identity verification services. This creates new regulatory requirements for organisations providing identity verification services whilst potentially streamlining digital identity processes across multiple sectors.
Smart Data Provisions
The DUAA also includes provisions around smart data, establishing frameworks for enhanced data sharing between businesses and customers. These provisions will enable consumers to share their data more easily with third parties, with the aim of enhancing competition and innovation in sectors such as financial services, energy, and communications services.
NHS Data Sharing and Healthcare Integration
The DUAA will allow patient healthcare records to be accessed by all NHS trusts, GP surgeries and ambulance services. This represents a fundamental shift in healthcare data sharing, enabling integrated care records across the entire NHS system. The changes will facilitate better patient outcomes through comprehensive data sharing whilst maintaining appropriate privacy safeguards.
Internet Service Provider Obligations
The DUAA includes provisions for retention of information by internet service providers (ISPs) in connection with a child's death, and requires online service providers to keep records related to children's online safety. These provisions create new obligations for ISPs and online platforms to maintain records that may be crucial for child safety investigations.
Smart Meter and Energy Data Schemes
The DUAA includes proposals in relation to smart meter schemes, establishing frameworks for enhanced data sharing in the energy sector. This will enable more efficient energy management and potentially new tariff structures based on usage patterns.
Open Finance and Banking Data
The DUAA represents an opportunity for the UK to embrace open finance in a way that has not been possible so far. It extends open banking principles to broader financial services, enabling consumers to share financial data more easily with third parties.
Public Service Data Sharing
The DUAA includes provisions for data sharing to improve public service delivery, enabling government departments and public bodies to share data more effectively. This could lead to more joined-up government services and reduced administrative burdens on citizens.
New Offences Relating to Intimate Images and Deepfakes
The DUAA introduces new criminal offences targeting the non-consensual creation and sharing of intimate images, including deepfakes. These provisions make it a criminal offence to share or generate sexually explicit material using AI or other technologies without the subject's consent - closing a gap in existing legislation. The reforms reflect growing concerns around the misuse of generative AI for harmful or exploitative content and aim to provide better protections for individuals against emerging digital threats.
Sector-Specific Considerations
Technology and E-commerce
Technology companies should pay particular attention to the automated decision-making reforms, enhanced scientific research frameworks, and new research data access powers. Digital identity verification service providers will need to comply with new regulatory requirements. The changes to international transfer mechanisms will be especially relevant for global technology platforms with complex data architectures.
Internet Service Providers and Online Platforms
ISPs and online platforms face new obligations around data retention, particularly relating to children's online safety. The requirements for behavioural biometrics and analytics data to follow similar consent rules to cookies will require significant changes to current tracking practices. Platform providers will need to implement new record-keeping systems for child safety investigations.
Financial Services
Financial services organisations will benefit significantly from the enhanced legitimate interests framework, particularly around fraud prevention and customer due diligence activities. The expanded compatible purposes provisions will also streamline regulatory reporting and compliance activities.
Healthcare and Life Sciences
Healthcare organisations will find multiple provisions particularly relevant. The enhanced scientific research provisions will enable more flexible data use for research and development activities. The NHS data sharing provisions will require significant system integration work but offer opportunities for improved patient outcomes through comprehensive care records. Healthcare technology providers will need to adapt to new data sharing requirements across NHS trusts, GP surgeries, and ambulance services.
Energy and Utilities
Energy companies will be significantly impacted by both the smart data provisions and smart meter scheme changes. The smart data provisions will require new systems for customer data sharing, whilst smart meter scheme changes will affect data collection and usage practices. These changes may necessitate substantial infrastructure investments but could enable innovative energy management services.
Civil Registration and Public Sector
Public sector organisations involved in civil registration will need to implement digital systems for births and deaths registers. This represents both a compliance requirement and an opportunity for service modernisation.
Public Sector
Public sector organisations should focus on the provisions relating to data sharing and the enhanced framework for disclosures to public authorities. These changes may enable more efficient public service delivery whilst maintaining appropriate privacy safeguards.
Conclusion
The DUAA represents a carefully calibrated evolution of UK data protection law rather than a revolution. Whilst the changes may appear incremental, their cumulative impact will require thoughtful consideration and strategic implementation across all business sectors.
The legislation's success in maintaining EU adequacy will largely determine its ultimate impact on UK businesses. If adequacy is preserved, the DUAA offers some opportunities for compliance simplification and enhanced business flexibility. If adequacy is lost (which seems like the less likely outcome), even these modest reforms may be overshadowed by the compliance complexity of managing EU-UK data transfers without adequacy protection.
Businesses should approach these changes proactively, viewing them as an opportunity to modernise their data protection practices whilst maintaining the high standards that underpin consumer trust and regulatory compliance. The organisations that invest in understanding and implementing these changes effectively will be best positioned to capitalise on the UK's evolving data protection landscape.
For further guidance on implementing these changes or navigating the complexities of UK data protection compliance, please contact the Data Privacy team at Simmons & Simmons.