From debate to data: The UK's Data (Use and Access) Bill finally unveiled
The UK's Data (Use and Access) Bill (“DUA Bill”), which was passed on 11 June 2025, marks a significant milestone in modernising data protection laws, promising to reshape how organisations handle and access data.
Luke Dixon (Partner and Head of Data and Information) and Josh Day (Senior Associate, IT and Data) explore the DUA Bill’s prolonged journey through Parliament, providing a summary of its key provisions, including practical considerations for organisations to navigate the new data landscape effectively.
Ping pong politics: the DUA Bill’s journey through Parliament…
The DUA Bill has faced a protracted journey through Parliament, largely marked by changing governments.
Initially introduced by the Conservative government in March 2023 as the Data Protection and Digital Information Bill (“DPDI Bill”), it failed to pass before the 2024 General Election.
The newly elected Labour government re-introduced the DPDI Bill in July 2024 as the Digital Information and Smart Data Bill, which was later renamed the DUA Bill.
Since then, the DUA Bill has been subject to intense debate and scrutiny, particularly around the use of data for training AI tools and the associated copyright concerns. This led to a stand-off between the House of Commons and the House of Lords, causing the bill to 'ping pong' back and forth for months.
Despite significant opposition from high-profile artists, the UK government opted to pass the DUA Bill without the contentious AI amendment, agreeing to undertake a separate consultation on copyright and AI issues in the coming months.
The date for Royal Assent of the DUA Bill remains “TBC” but it is likely that this will be announced imminently, alongside the promised government consultation.
A timely arrival?
The enactment of the DUA Bill is timely for the UK’s status as an “adequate” country for receiving frictionless transfers of data from the EU. The UK’s current adequacy status expires in December 2025. The EU Commission has waited for the passing of the DUA Bill before it proceeds to assess whether the UK’s regulatory framework for data protection remains adequate. Organisations will hope that the DUA Bill walks the line between business-friendly liberalisation of the UK’s data laws and satisfying the EU Commission that those laws remain sufficiently robust.
The DUA Bill unpacked – what are the key reforms?
The UK government introduced the DUA Bill to unlock economic growth whilst maintaining protections for personal data. Once it gets Royal Assent, the legislation will be implemented in phases over the course of this Parliament.
The DUA Bill aims to modernise the UK's data protection framework, enabling data-driven innovation across various sectors. Key provisions within the DUA Bill include:
- Recognised Legitimate Interests: The DUA Bill sets out a limited number of processing activities for which “recognised legitimate interests” is a lawful basis. Organisations that can rely on such legitimate interests do not need to prepare a legitimate interests assessment (“LIA”). The DUA Bill also lists certain processing activities which “may” be a legitimate interest. These include intra-group sharing and direct marketing. Organisations will still have to prepare an LIA for such processing, but the DUA Bill provides a bit more “comfort” that legitimate interests may apply to such activities.
- Data Subject Access Requests (“DSARs”): Organisations often find dealing with DSARs burdensome. The DUA Bill offers (light) relief by clarifying that their obligation is to conduct searches for information that are “reasonable and proportionate”.
- Automated Decision-Making (“ADM”): The DUA Bill seeks to foster the use of AI and ADM by relaxing the requirement for individual consent where special category data is not involved. It balances this against the need to protect individual rights and to promote fairness. It does this by requiring “meaningful human intervention” in relation to ADM for “significant decisions” and allowing individuals to contest decisions and seek human review. Use of ADM in respect of special category data remains more restricted.
- Fines under the Privacy and Electronic Communications Regulations (“PECR”) increased: Organisations that conduct B2C electronic direct marketing should note that the potential fines for infringing PECR will increase from the current ceiling of £500,000 to 4% of global annual turnover or £17.5 million, to align with the sanctions regime under UK GDPR.
- Cookies: The DUA Bill updates the rules for using cookies and other tracking technologies under PECR, focusing on consent requirements. It exempts certain non-essential cookies used for statistical data, website performance, user preferences, and service improvements from needing consent. Additionally, the DUA Bill creates a predefined list of purposes for using cookies and tracking technologies as “strictly necessary” (for example, security and fraud detection), eliminating the need for consent or opt-out options. Organisations will no doubt welcome such a simplification, as it will allow for a more streamlined data collection process.
- Reforms to the ICO (and complaints to it): The ICO will become the “Information Commission” and its structure will change to include board members. The Information Commission will seek to lighten its caseload by requiring individuals to seek satisfactory resolution of their complaints with organisations, before they escalate those complaints to the regulator. This will also be welcomed by organisations who would like the chance to resolve such issues with individuals first without becoming embroiled in a regulatory investigation.
- Purpose Limitation: The concept of “further processing” has been clarified under the DUA Bill, establishing criteria to determine whether the further processing aligns with the original purpose, whilst considering factors including: (i) the relationship between the new and original purposes, (ii) the context of initial data collection, and (iii) potential impacts on data subjects. This will no doubt be of use to organisations undertaking their own assessments of such processing.
- Scientific Research: The definition of scientific research is to be widened under the DUA Bill to include any research that has been described as scientific, irrespective of its funding source and/or commercial status. The effect of this change is a broadening of exemptions for processing special category data under the UK GDPR. In addition, the DUA Bill removes the requirement for a public interest assessment in the context of processing scientific research, allowing data subjects to simply consent to the use of their data for scientific research purposes regardless of whether or not specific purposes are identifiable at that time.
The DUA Bill also introduces the following changes:
- Smart Data Schemes: The DUA Bill retains provisions to enable ‘Smart Data Schemes’ in key sectors including transport, finance, and energy. These schemes ultimately aim to enhance data sharing and drive innovation.
- Digital ID: The DUA Bill places an obligation on the Secretary of State to implement a trust framework which sets out rules for providers of Digital Verification Services (“DVS”). This includes creating a register of certified DVS providers.
- Access to Online Safety Data: New measures are introduced through the DUA Bill to facilitate researcher access to Online Safety Data, with the aim to promote safer online environments in the context of academic and scientific research.
- Children's Data Protection: The DUA Bill introduces provisions to provide greater protection for children’s data. This includes implementing a new requirement for the ICO to consider children's vulnerability in data processing.
What to do next?
We recommend that organisations determine the extent to which the DUA Bill applies to their processing activities and take steps to align their data protection compliance with the new legislation’s provisions. For example, businesses that place cookies or that conduct ADM will want to explore how they can leverage the relaxing of the law in those areas. Alternatively, organisations that conduct B2C electronic direct marketing should re-assess the risk profile of such marketing, in light of the increased fine levels for infringements of PECR.
How Freeths can help
Our team of legal experts are experienced in advising on data-related legal developments including the DUA Bill. We can help your business navigate the complexities of UK Data Protection Law with ease and certainty.
For more information, get in touch with our team here.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.