Data Protection

Data Use and Access Act 2025

The Data Use and Access Act 2025 (DUAA) marks a significant evolution in the UK’s data protection landscape. Building on the foundations of the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR), the DUAA introduces targeted reforms aimed at balancing innovation with robust privacy safeguards.

The DUAA reflects the Government’s ambition to position the UK as a global leader in data-driven innovation, while maintaining high standards of privacy and security. It also aligns with international trends, including the EU’s Data Act, though with notable UK-specific differences. The DUAA also strikes an important balance between fostering growth and innovation on the one hand, with the maintenance of high data protection and data privacy legal standards on the other. This is important, as the UK needs to demonstrate that its data laws are essentially equivalent to those of the EU to be deemed ‘adequate’ to receive frictionless flows of personal data from the EU.

The DUAA received Royal Assent in June 2025 and is being phased in during 2026. It does not replace existing data protection laws but introduces reforms to:

Increased powers to fine under PECR

The DUAA increases fines for breaches of e-Privacy rules. It does so by increasing the current fine ceiling under PECR to align with the UK GDPR regime. This means an increase in potential fines from a current maximum of £500,000 to £17,500,000/4% of turnover for the most egregious infringements. Whilst this change ‘tidies up’ the current disparity between the two regimes, it emphasises the importance for organisations of complying with obligations in relation to electronic direct marketing and other activities regulated by PECR. It remains to be seen how the Information Commission exercises this new fining power. We recommend that organisations who rely heavily on electronic direct marketing and cookies for marketing and advertising monitor the Information Commission’s output for future guidance on regulatory policy and enforcement actions in this area.

Automated decision-making (ADM)

The restrictions on use of ADM are relaxed - to a limited extent. The former restriction on use of ADM for making significant decisions about people without human involvement has been removed. Instead, it now only applies to significant decisions involving (even partly) special category personal data.

Organisations will also be able to rely on broader lawful bases to justify their use of ADM than previously, such as recognised legitimate interests. This is a welcome change for organisations, as legitimate interests is a more flexible basis for processing than obtaining an individual’s consent.

The DUAA will introduce certain mandatory safeguards on use of ADM, such as requirements to inform impacted individuals that ADM is taking place and provide them with rights to make representations, obtain human review, and contest significant decisions.

Whilst the DUAA relaxes the previous law in this area, its reforms are subtle. We recommend that organisations continue to take care in their use of ADM (and the new opportunities offered by the DUAA).

Recognised legitimate interests

Where an organisation relies on ‘legitimate interests’ to process personal data, it is normally required to identify the legitimate interest and undertake a high-level balancing test against the rights and interests of data subjects. The DUAA introduces a statutory category of ‘recognised legitimate interests’, removing the need for a balancing test for certain purposes, including:

• fraud prevention
• public security
• intra-group data transfers; and
• direct marketing

The intention behind this reform is to simplify compliance for routine processing activities and reduce administrative burden while maintaining accountability.

Data Subject Access Requests (DSARs)

We have seen a rising tide of organisations receiving DSARs from individuals, particularly as an information-gathering tool in disputes. The DUAA provides some ‘light relief’ by codifying an organisation’s responsibility to do a ‘reasonable and proportionate’ search for personal data. This will be helpful to organisations faced with potentially extensive and onerous search requests from individuals who are reluctant to narrow down their request scope to more reasonable and proportionate parameters.

Data subject complaints

The DUAA requires organisations to implement procedures for handling data privacy complaints from individuals. Organisations are obliged to acknowledge complaints within 30 days and must, without undue delay, take appropriate steps to deal with the complaint (including making any appropriate enquiries and updating on progress) and inform the individual of the outcome.

International transfers

The DUAA recognises that cross-border data flows are a crucial part of international commerce. Again, it introduces a subtle shift from the current law to facilitate commercial activity between parties located in different territories. The Government sets a new test to decide whether a third country in which a transferee is located is ‘adequate’ to receive frictionless transfers of personal data from the UK. Whereas before it had to determine whether the third country’s laws were ‘essentially equivalent’ to the UK’s; now the test is whether that country’s laws are ‘not materially lower’ than UK standards.

Cookies and marketing

The DUAA also relieves a bit of the compliance burden on businesses that use website cookies. It now provides an exception to the need for website operators to obtain prior opt-in consent for non-essential cookies. This exception covers cookies whose sole purpose is to collect information for statistical purposes about how an online service or website is used with a view to making improvements.

It is still necessary for a website operator to:

• provide privacy information to website users in respect of such cookies; and
• provide an ‘opt-out’ to users in relation to the placing of such cookies

Whilst this change eases some regulatory ‘friction’ for organisations, we refer to our comments above regarding the Information Commission’s increased powers to fine where use of cookies is non-compliant with PECR.

Children’s data

The DUAA strengthens protections for children’s personal data, embedding privacy by design principles. Organisations offering online services likely to be used by children must review age-appropriate design measures and parental consent mechanisms.

The Information Commission

The DUAA replaces the Information Commissioner’s Office with the Information Commission, giving it a more ‘corporate’ structure. The newly minted Information Commission will get enhanced powers, including the ability to compel witness attendance and request technical reports and an expanded authority to issue GDPR-level fines for PECR breaches (as noted above).