The Data (Use and Access) Act 2025

  • Bulletin 11 July 2025
  • United Kingdom and Europe

  • Technology and AI developments

On 19 June 2025, the Data (Use and Access) Bill was given Royal Assent and became the Data (Use and Access) Act 2025 (the Data Act).

This followed months of prolonged Parliamentary deliberation and back and forth between the House of Commons and the House of Lords, reflecting the controversy surrounding several of the Data Act’s provisions.

Significantly, the Bill passed without proposed amendments requiring AI developers to disclose training data, despite strong opposition from artists including Elton John and Dua Lipa. The House of Lords had pushed for transparency to protect creators, but the House of Commons rejected these provisions. The government has instead promised a separate consultation on copyright and AI in the coming months.

The Data Act aims to modernise UK data protection law, balancing innovation with privacy safeguards. Whilst it does not completely overhaul the current UK data protection framework, it introduces several significant changes that organisations will need to be aware of.

In this article, we discuss:

  • The key changes introduced to UK data protection legislation by the Data Act, including the new recognised legitimate legal bases for processing and changes to automated decision making, international transfers and the cookies regime;
  • The implications of the Data Act for the UK’s adequacy status under EU law;
  • When the provisions of the Data Act will come into effect; and
  • The next steps that organisations should take in light of the new legislation.

Key changes to current data protection legislation

Whilst much of the current data protection regime remains unchanged, organisations will need to take note of several fundamental differences, including the following:

Recognised legitimate interests

The Data Act amends the UK GDPR to add a new “recognised legitimate interests” lawful basis for data processing, together with a list of what would qualify as a recognised legitimate interest.

In contrast to the current “legitimate interests” lawful basis for processing, it will not be necessary to balance the rights and freedoms of individuals against the legitimate interests of the controller when relying on a recognised legitimate interest. The Secretary of State may, subject to certain conditions, add to, vary or omit provisions from the list of recognised legitimate interests via secondary legislation.

Organisations should consider whether the new “recognised legitimate interests” lawful basis may apply to any of their processing activities and ensure that documentation such as privacy notices and Records of Processing Activities (ROPAs) reflects the relevant lawful bases relied upon.

The Data Act also provides for a statutory list of examples of processing activities that will fall within the current “legitimate interests” lawful basis for processing under the UK GDPR. This list includes processing necessary for the purposes of direct marketing and intra-group transfers of personal data for internal administrative purposes. This clarification will assist organisations when determining and documenting their lawful bases for processing in these contexts.

Updates to the current ICO guidance which will cover these topics are due for publication in Winter 2025/26.

Automated Decision-Making

The Data Act introduces a relaxation of certain restrictions on automated decision-making (ADM). Under the current UK data protection framework, individuals have a general right not to be subject to decisions based solely on automated processing, including profiling, where such decisions produce legal or similarly significant effects.

The Data Act narrows the scope of this restriction. It permits solely automated decision-making provided that appropriate safeguards are in place. These safeguards include the right for individuals to:

  • Make representations regarding the decision,
  • Obtain meaningful human intervention, and
  • Challenge the decision.

Importantly, the original prohibition and associated exemptions now apply only to ADM involving “significant” decisions based on special category data such as health information. A decision is considered “significant” if it produces legal or similarly significant consequences for the data subject. For other types of personal data, ADM is permitted as long as the above safeguards are implemented.

New guidance on the Data Act's new lawful basis of recognised legitimate interests is due for publication by the ICO in Winter 2025/26.

International data transfers

The Data Act introduces a “data protection test” to be considered in the context of international transfers. Controllers will need to ensure that data protection standards in the recipient country are not materially lower than in the UK. The Secretary of State may make regulations approving international transfers and will – in addition to the data protection test – consider the wider context of data flows between the UK and another country and how the transfers may benefit the UK. These changes mean that the UK’s approach to international transfers could diverge from the EU’s approach, which requires an essentially equivalent level of protection to be given to the personal data following an international transfer.

Updated guidance on international transfers is due for publication by the ICO in Spring 2026.

Data Subject Access Requests

The Data Act introduces several important updates to the handling of Data Subject Access Requests (DSARs) under UK data protection law. These changes aim to provide greater clarity and statutory support for organisations while maintaining individuals’ rights to access their personal data.

The Data Act confirms that organisations are only required to conduct “reasonable and proportionate” searches when responding to DSARs. This codifies existing ICO guidance and case law, offering legal certainty for organisations in defining the scope of their searches. Data subjects are only entitled to information that can be retrieved through such searches.

The Data Act introduces “stop the clock” mechanisms, allowing organisations to pause the response timeline when verifying the identity of the requestor or seeking clarification about the scope of the request. This only applies where the controller cannot reasonably proceed with responding to the subject access request without this information. Once the necessary clarification is received, the response time resumes. These provisions ensure that the time taken for preliminary steps does not reduce the statutory response period.

The changes introduced are deemed to have come into force on 1 January 2024. This retroactive application aligns with existing case law, including the notable Mike Ashley v HMRC case, which highlighted the importance of proportionality in DSAR responses.

Updated guidance on the right of access is due for publication by the ICO in Summer 2025.

Children and data protection

The Data Act strengthens safeguards for children, particularly in relation to digital marketing and online services. This includes a new requirement to consider children’s ‘higher protection matters’, which are:

  • how children can best be protected and supported when using the services; and
  • the fact that children:
    • merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing (this reflects wording already present in the UK GDPR); and
    • have different needs at different ages and at different stages of development

Guidance on safeguarding children and young people is due for publication by the ICO in Winter 2025/26.

Strengthened ICO enforcement powers and cookies

The Data Act will align the enforcement regimes under the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR), meaning there will be a dramatic increase in the fines that may be imposed for breaches of PECR. Organisations should ensure that they are complying with PECR’s requirements in areas such as cookie use and direct marketing.

The Data Act also removes the consent requirement under PECR in respect of cookies placed for specified purposes, e.g. to collect information for statistical purposes to make improvements to the service, provided that the user is provided with information about the purpose for placing these cookies. This change is intended to lessen the burden on organisations in relation to cookie requirements.

Updated guidance on PECR is due for publication by the ICO in Winter 2025/26.

Soft opt-ins for charities

Charities can now rely on a soft opt-in for direct marketing via email where individuals have previously donated or expressed an interest in the charity’s work and are given a clear and easy way to opt out at any time. The communication must be for the sole purpose of furthering the charity’s purpose.

Updated direct marketing guidance is due for publication by the ICO in Winter 2025/26.

Scientific research

The Data Act introduces a statutory definition of “scientific research” to the UK GDPR. Scientific research is now defined as any research that can reasonably be described as scientific, regardless of whether it is publicly or privately funded, and whether conducted as a commercial or non-commercial activity. This clarification helps delineate the scope of lawful processing for research purposes and is intended to help encourage organisations to undertake scientific research.

The Data Act also removes the requirement to conduct a public interest assessment when processing personal data for scientific research. Under existing UK data protection law, consent must be clear, specific, and informed. However, in the context of scientific research, it is often not feasible to specify all future uses of the data at the time consent is obtained.

To address this, the Data Act allows for broader consent to be obtained in the context of scientific research. Consent remains valid even if the individual is not informed of every specific purpose, provided the data is used solely for scientific research and it is genuinely not possible to fully define all purposes at the outset. The collection of consent must still adhere to widely accepted ethical standards in the relevant research field. Where feasible, individuals should be given the option to consent to specific parts of the research rather than being required to accept or decline the entire scope.

Additionally, the Data Act introduces an exemption from the obligation to provide further transparency information under Article 13(3) UK GDPR when personal data is further processed exclusively for scientific or historical research, statistical purposes, or archiving in the public interest. This exemption applies only when appropriate safeguards, as outlined in new Article 84B UK GDPR, are in place to protect the rights and freedoms of data subjects.

Updated guidance on Research, Archiving and Statistics Provisions is due for publication by the ICO in Spring 2026.

Implications of the Data Act for the UK’s adequacy status under EU law

The UK’s adequacy status under EU law depends on the European Commission’s assessment that the level of protection given to personal data in the UK is essentially equivalent to that in the EU. The current adequacy decision in respect of the UK was due to last until 27 June 2025, but the European Commission has extended the decision for a further six months, until 27 December 2025. If the UK loses its adequacy status under EU law, organisations will need to implement additional data transfer mechanisms such as standard contractual clauses or binding corporate rules, incurring significant time and financial costs.

Securing the renewal of the EU's data adequacy decision in respect of the UK is a key priority for the UK Government and, in November 2024, the Department for Science, Innovation and Technology (DSIT) confirmed its confidence that the then proposed Data Bill would allow the UK to preserve its adequacy status. Nevertheless, concerns have been raised that the Data Act may be seen by the European Commission as weakening privacy standards in the UK. The European Commission is likely to consider the changes introduced by the Data Act in detail before confirming its position on UK adequacy.  

When will the provisions of the Data Act come into effect?

Once given Royal Assent, some provisions of the Data Act automatically came into effect while others will be implemented in phases between June 2025 and June 2026. Many provisions require regulations to be made by the Secretary of State (a ‘Commencement Order’) to be implemented.

Provisions which came into force on Royal Assent:

  • Section 66 (meaning of “the 2018 Act” and “the UK GDPR”)
  • Section 78: searches in response to data subjects’ requests
  • Part 1 of Schedule 16 and section 120: Grant of smart meter communication licences so far as it relates to that Part
  • Section 126: retention of biometric data and recordable offences
  • Section 127: retention of pseudonymised biometric data
  • Section 128: retention of biometric data from INTERPOL
  • Part 8: Final Provisions
  • Any provisions that are needed to make regulations

Provisions which will come into force 2 months after Royal Assent:

  • Section 69: consent to law enforcement processing
  • Section 82: logging of law enforcement processing
  • Section 96: notices from the Information Commissioner
  • Section 97: power of the Information Commissioner to require documents

Next steps for organisations to take

While the Data Act does not completely reform the existing UK data protection regime, it has introduced significant changes in areas such as ADM, cookie usage and electronic marketing. Additionally, certain restrictions have been relaxed to benefit organisations, such as the soft opt-in for charities. Organisations should therefore assess how the new provisions apply to their data processing activities and update their compliance strategies accordingly. This is likely to include making any required changes to documents such as their DSAR response protocols, ROPAs and cookie policies. Entities engaged in scientific research or further processing of data in this context should also carefully assess how the Data Act’s changes may impact their operations.

For more information on practical steps to take, please see the ICO’s published guidance: The Data Use and Access Act 2025 (DUAA) - what does it mean for organisations? | ICO

If you would like to discuss any issues raised in this article or relating to your data protection obligations, then please do contact the Clyde & Co team.

Additional authors:

Emily Miles, Knowledge Paralegal
