The UK Parliament Passed the New Data (Use and Access) Act

The UK Parliament Passed the New Data (Use and Access) Act
Source: pexels - pixabay

The UK Parliament passed the Data (Use and Access) Act on June 11, 2025, which received Royal Assent on June 19, introducing significant modifications to the United Kingdom's data protection framework. The Act contains comprehensive reforms to the current UK General Data Protection Regulation and Privacy and Electronic Communications Regulations, while placing special emphasis on digital identities and secure access to smart data sets. The legislative amendment package, put forward by the Labour Party in October 2024, includes several key innovations, such as the statutory definition of "scientific research," the introduction of the concept of "recognised legitimate interests," and modifications to rules on automated decision-making, removing the requirement to establish a qualifying lawful basis before conducting automated decision making, except where special category data is used.

The Act introduces changes in numerous specific areas, although it is not expected to have a significant impact on the day-to-day compliance practices of most businesses. The new legislation contains reforms to rules on cookie consent, aligns the enforcement mechanisms of the UK General Data Protection Regulation and Privacy and Electronic Communications Regulations, and clarifies the United Kingdom's position on international transfers of personal data and the conduct of adequacy assessments. A notable institutional change is the renaming of the Information Commissioner's Office to the Information Commission, as well as the introduction of a formal Board structure with an appointed CEO. In the final stages of the Act's passage through Parliament, debates centered around amendments proposed by the House of Lords aimed at ensuring transparency around data scraping and the use of text and data to train AI models, but these amendments were ultimately dropped as the government argued this issue should not be dealt with within the framework of the current Act.

The adoption of the new Act is crucial for the December review of the data adequacy agreement between the EU and the United Kingdom. Although several European civil society organizations, including the Open Rights Group and European Digital Rights, expressed concerns about the United Kingdom's data protection standards in an open letter to EU Justice Commissioner Michael McGrath, the UK government does not consider the agreement to be at risk. According to Debbie Heywood, senior counsel at law firm Taylor Wessing, the government insists that nothing in the Data (Use and Access) Act jeopardises the EU adequacy decision, and so far neither the European Data Protection Board nor the European Commission have signaled serious danger, although they emphasized that they will be closely monitoring developments. Beyond the Data (Use and Access) Act, the UK Investigatory Powers Act and recent news that the government required Apple to circumvent encryption protections for users could potentially pose a greater problem for the EU adequacy assessment.

Sources:

1.

Data (Use and Access) Act 2025
A comprehensive UK law, enacted on 19 June 2025, enhancing data access and verification services, adjusting data protection rules under the UK‑GDPR

2.

UK: Data (Use and Access) Bill passes through Parliament
On 11 June 2025, the UK’s Data (Use and Access) Act 2025 (“DUA Act”) was passed and received Royal Assent on 19th June 2025. The government first

3.

IAPP