The UK's Data (Use and Access) Bill was passed on 11 June 2025 after a protracted 'ping pong' between the Houses of Parliament. It received Royal Assent on 19 June 2025 and is now known as the Data (Use and Access) Act 2025. It reforms the UK GDPR and Privacy and Electronic Communications Regulations, and sets up frameworks for sharing of business and customer data, and digital identity verification. You can read an overview here, and more detail here.
What took so long?
The new data legislation has been a long time coming. The Data Protection and Digital Information Bill (DPDI Bill) was originally proposed by the Conservative government not once, but twice during the turbulent period of changing governments. The second iteration of the legislation eventually fell after failing to make it through wash-up just before the general election.
Labour's Data (Use and Access) Bill (DUA) was published on 23 October 2024, borrowing heavily from the DPDI Bill. While substantially the same, it had dropped some of the more controversial provisions, but retained (albeit not necessarily in exactly the same form):
- changes to scientific research provisions including to the definition of consent and by the addition of a definition of scientific research (currently in the Recitals of the GDPR) (see here for more)
- the concept of recognised legitimate interests which will mean there is no need to carry out a Legitimate Interest Assessment where the processing is carried out for a recognised interest
- changes to the purpose limitation and clarification of what constitutes further processing
- changes to rules on automated decision-making (ADM)
- changes to rules on data exports including the ability of the Secretary of State to approve third countries, and the introduction of a data protection test to assess whether the third country or international organisation has a standard of data protection not materially lower than that in the UK
- changes to information requirements for DSARs where organisations withhold information based on legal professional privilege or client confidentiality
- changes to the Privacy and Electronic Communications Regulations (see here for more)
- changes to the role of the ICO (see here for more).
It also included a significant addition in the form of powers for the Secretary of State to make changes to the types of data classed as special category data.
Ironically, the opposition to the Bill in its final stages did not focus on the data elements. Most of the initial amendments proposed by the Lords were overturned in the Commons and were not re-introduced, although Parliament used the Bill to add new offences in respect of sexually explicit images created without consent (deepfakes). There were, however, a few hold-out areas.
Most notably, the House of Lords began introducing successive amendments relating to the use of copyright materials to train AI. Amendments to require transparency around data scraping and use of text and data to train GPAI models, either in the Bill itself or under separate legislation, ultimately failed.
The debate around AI and copyright inserted itself into the DUA Bill amid concerns that the government, in its ongoing consultation on copyright and AI, favoured allowing data scraping and use of copyright materials to train AI unless the rightsholder opts out (similar to the EU Copyright Directive TDM exception). The government consistently argued that it was not appropriate to deal with such a complex issue in the DUA Bill, but also rowed back from supporting a particular stance on the issue pending the outcome of the consultation. In addition, the High Court is in the process of hearing the long-awaited Getty Images v Stability AI case, which has major ramifications for the issue of using copyright materials for AI model training, adding weight to the government's viewpoint.
The Lords were ultimately able to get the government to agree to publish a report on its copyright and AI proposals, including on enforcement and AI models trained abroad, within nine months of the DUA Bill getting Royal Assent, with an interim report to be published within six months. While there was reported dissatisfaction with the compromise, the Lords finally accepted the Bill, allowing it to pass to Royal Assent.
What does the DUA Act mean for data transfers?
The European Commission has extended the current UK adequacy decision to the end of the year to allow it to assess the impact of the DUA Act on data transfers. The Act introduces a subtle change to the UK data transfer regime. The Secretary of State will be able to carry out a new data protection test to determine whether the destination country's standard of data protection is "not materially lower" than the standard in the UK. The current standard is that the destination country must offer "essentially equivalent" protections.
This change has not passed unnoticed by the European Commission, and civil society groups are on high alert. On 4 June 2025, EU civil society organisations, including Open Rights Group and European Digital Rights, sent an open letter to EU Justice Commissioner McGrath, warning that the UK was preparing to diverge from GDPR and Law Enforcement Directive standards. The groups suggested this meant the EC should re-evaluate its UK adequacy decision, arguing that the DUA Act represents "a systematic weakening of privacy and data protection standards".
The government insists that nothing in the DUA Act jeopardises the EU adequacy decision, and so far neither the EDPB nor the EC has rung serious alarm bells, despite underlining that they will be paying close attention. The letter does, though, also mention other legislation including the Investigatory Powers Act and the use of Technical Capability Notices to undermine encryption, as well as what it calls unregulated use of live facial recognition technology in the UK. These issues may ultimately cause more of a problem for adequacy renewal than the DUA Act itself.
What to do now?
The majority of the Act will be brought in by secondary legislation; however, amendments to the UK GDPR and PECR are expected to come in quickly. This means DSAR response protocols, use of ADM, and cookie policies should be reviewed and updated if necessary. Organisations carrying out scientific research and looking to use data for further processing will also want to assess what the changes in the DUA Act mean. The non-personal data related aspects are likely to take longer to be fully operational. As a result, organisations should maintain a watching brief on issues around data transfers and the secondary legislation that will bring non-personal data related aspects of the DUA Act into application.