The UK’s data protection regime is undergoing its most significant transformation since the adoption of the UK GDPR. With the successful passage through both the House of Lords and the House of Commons on 11 June 2025, the Data (Use and Access) Act 2025 (“DUAA”) received Royal Assent on 19 June 2025. Positioned as introducing incremental change rather than major reform, the DUAA is intended to address the UK government’s aim to recalibrate the balance between privacy, innovation, and regulatory pragmatism with the ultimate goal of promoting economic growth.
There had been concerns that the previous (Conservative) government’s attempt to dilute UK GDPR protections through the failed Data Protection and Digital Information Bill could end up costing the UK its European Commission adequacy decision under the EU GDPR. The current government’s focus, however, has been to implement more targeted reform through the DUAA aimed at streamlining compliance in some areas and clarifying legal uncertainty in others, while retaining the core protections offered by the UK GDPR and, importantly, maintaining the UK’s adequacy status. It appears that the UK government has been successful in this goal; the European Commission announced on 22 July 2025 that it was launching the process to adopt new adequacy decisions[1] to allow the continued free flow of personal data between the European Economic Area and the UK.
Although the DUAA aims to reduce regulatory compliance requirements in certain areas, this does not mean that compliance will become more straightforward in all cases. It is worth keeping in mind that many of the benefits introduced under the DUAA are most likely relevant to UK-focused organisations or operations only – for those also doing business in the EU, any practical benefits of the DUAA are likely to be limited, given the additional compliance burden of having to cope with a UK regime that is diverging in many (and sometimes subtle) ways from the regime under the EU GDPR.
This article is the first in a series that will look at changes brought by the DUAA. We will examine what they mean from a practical perspective, and unpack the key changes introduced by the act, positioning them within the broader evolution of the UK’s post-Brexit data strategy.
Automated Decision-Making: Relaxed Rules, Core Protections Retained
One of the most notable changes under the DUAA lies in the relaxation of the rules around automated decision-making (“ADM”)[2]. Under the revised regime, the UK GDPR will be amended generally to allow organisations to make decisions that have legal or similarly significant effects on individuals (such as those affecting their legal status or rights, or having an equivalent impact on their behaviour, circumstances or choices), using solely automated processing (i.e. without meaningful human involvement), provided the processing does not involve special category data. Further, ADM that does not involve special category data will be permitted under any applicable UK GDPR lawful basis and, importantly, on the basis of organisations’ legitimate interests (except the “recognised legitimate interests” described in further detail below). However, organisations must still apply appropriate safeguards in these cases. These include giving individuals the right to contest the decision, present their views, and request meaningful human review. The Secretary of State will also have the power to supplement these safeguards or otherwise require that specific additional measures be put in place.
Since the introduction of the GDPR, more restrictive rules have applied to the use of special category data to make decisions that have legal or similarly significant effects on individuals using solely automated processing. Under the UK GDPR, this processing is currently only permitted either with explicit consent from the affected individuals or where the processing is necessary for reasons of substantial public interest (i.e. the processing satisfies one of 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 of the Data Protection Act 2018). However, subject to the same safeguards described above, the DUAA will also amend the UK GDPR to relax these rules slightly. This will mean that, in addition to permitting such processing based on explicit consent, the use of special category data will be allowed for such decisions where the decision is necessary for entering into or performing a contract with the relevant individuals or is otherwise required or authorised by law and, in either case, the processing is necessary for reasons of substantial public interest (as above)[3].
These changes are designed to give businesses greater flexibility in deploying AI and algorithmic tools, while preserving essential procedural rights for individuals. The ICO announced that it will be reviewing its current ADM guidance, with a public consultation expected later this year and the final guidance due for publication in late 2025 or early 2026.
Reinforcing Data Subject Rights and Complaint Mechanisms
The DUAA also enhances individual rights by introducing a formal right for individuals to lodge complaints directly with controllers[4]. In practice, this will require organisations to revise their privacy notices to refer to this new right, as well as establish accessible and appropriate internal complaint mechanisms – typically through online forms or portals. The expectation is that this should ultimately ease the regulatory burden on the new Information Commission (“IC”) (see below for more detail regarding the IC), by effectively requiring individuals to exhaust internal complaint procedures with controllers before raising issues directly with the regulator.
Specifically, if a controller receives a complaint, they will be required to acknowledge receipt within 30 days and, without undue delay, take appropriate steps to respond to the complaint and inform the complainant of the outcome. This includes making enquiries into the subject matter of the complaint, to the extent appropriate, and informing the complainant about its progress on the complaint. These provisions reinforce the need for timely, transparent, and proactive complaints-handling processes and procedures on the part of controllers.
The Secretary of State will also have the power to introduce new regulations, requiring controllers to notify the IC of the number of complaints received over certain periods.
Alongside this, the DUAA codifies key aspects of existing ICO guidance on data subject access requests (“DSARs”). In particular, it confirms that controllers are only expected to conduct “reasonable and proportionate”, rather than exhaustive, searches when responding to DSARs[5]. Unlike the other changes introduced under the DUAA described in this article (which generally require secondary legislation to be passed before taking effect), this change came into force on the passing of the DUAA on 19 June 2025 (and is, in fact, deemed to be backdated to 1 January 2024). The DUAA will also introduce changes to clarify when the data subject request clock can be paused, such as during identity verification or clarificatory requests, providing organisations with welcome procedural certainty[6].
e-Privacy: Higher Penalties, New Cookie Exemptions, New Data Breach Reporting Timeline, “Soft Opt-In” for Charities
In a significant shift, the longstanding £500,000 cap on fines under the Privacy and Electronic Communications Regulations (“PECR”) will be aligned with UK GDPR levels – up to £17.5 million or 4% of global annual turnover, whichever is greater[7]. This is a clear signal of the UK government’s intent to bolster enforcement capabilities in areas involving, for example, the making/sending of nuisance calls, texts and emails and the use of cookies and similar technologies in breach of PECR consent requirements. However, it seems unlikely that we will see record-breaking fines for non-compliance with direct marketing and cookie requirements in all but the most egregious cases.
At the same time, the DUAA will introduce new exemptions to the existing PECR cookie consent rules[8]. Functional cookies used for analytics, preference management, site optimisation, or security will no longer require opt-in consent, though organisations must still provide clear and comprehensive information about any such cookies deployed and offer opt-out mechanisms. These changes are intended to modernise the UK’s e-privacy rules to reflect the operational realities of digital service delivery, while reinforcing individual autonomy through transparency and control. However, at least for the UK, organisations will likely be able to default their switches for such cookies to “on” in their cookie consent mechanisms.
Personal data breach notification obligations for providers of public electronic communications services (i.e. entities which provide any service allowing members of the public to send electronic messages, including telecoms providers and internet service providers) under PECR will be relaxed and brought in line with UK GDPR obligations. In particular, changes to be introduced under the DUAA will mean that, instead of being required to notify the ICO of a personal data breach within 24 hours, such providers will be required to notify the new IC without undue delay and, where feasible, not later than 72 hours after becoming aware of a breach[9].
In a long-overdue change, charities will be able to rely on the soft opt-in exemption when sending email marketing to individuals, provided (and subject to the normal opt-out requirements) such marketing is for the sole purpose of furthering the relevant charitable purposes and the contact details were collected in the course of the recipient supporting, or expressing an interest in, the charity’s work[10].
International Data Transfers: Risk Assessments Recast
The UK GDPR’s approach to international data transfers will also be materially revised[11]. Rather than requiring an “essentially equivalent” standard as under EU law, the UK will now assess whether third countries offer protections that are not “materially lower” than the UK baseline. This lower threshold is accompanied by a codified risk assessment framework with expanded flexibility.
The Secretary of State will also have powers to establish blacklists of prohibited destinations and introduce statutory contractual clauses that automatically satisfy the requirement for appropriate safeguards – removing the need for transfer risk assessments entirely.
These developments aim to streamline global data flows while retaining government oversight in respect of cross-border risks. However, while the potential introduction of risk assessment-free standard contractual clauses would undoubtedly be welcomed by all involved in carrying out restricted international transfers under the UK GDPR, for organisations also transferring personal data subject to protection under the EU GDPR, the introduction of such clauses is ultimately unlikely to offer any significant or practical benefit.
Legitimate Interests: Recognised Categories Introduced
The DUAA introduces the concept of “recognised legitimate interests”, which will allow certain types of processing to proceed automatically, without the need to carry out a balancing test[12]. These include processing for purposes such as IT and network security, safeguarding vulnerable individuals, intra-group administrative transfers, direct marketing, crime prevention, and disclosures to public authorities acting in the public interest.
While these processing purposes were largely already referred to in the recitals to the UK GDPR (and EU GDPR), this change nonetheless provides businesses with greater legal clarity and reduces the compliance burden under the UK GDPR, especially in routine or socially beneficial processing activities. However, transparency obligations remain, and organisations must still document their reliance on these interests appropriately.
Special Category Data: Powers to Expand the Definition
In a forward-looking move, the UK government will have new powers to expand the definition of “special category” personal data[13]. While current categories such as health and ethnicity data remain unchanged, the door is now open for future inclusion of other sensitive areas – such as children’s personal data or payment information. This anticipates evolving public concerns and emerging risks in the digital economy, allowing the UK regime to remain responsive without requiring further primary legislation.
However, any changes to the definition of special category personal data should be monitored closely – such a change could have the capacity to severely impact certain businesses, requiring the establishment of additional legal bases, updating records of processing and privacy notices and, in some cases, carrying out further data protection impact assessments and appointing a data protection officer.
Reforming the Regulator: The Information Commission
The existing Information Commissioner’s Office will be replaced by a new statutory body corporate – the IC[14]. The ICO’s existing functions will continue uninterrupted under this structural change, but the new body will have enhanced regulatory capacity. In particular, the IC will have expanded powers, including the ability to summon individuals for interviews (including former employees of organisations being investigated), compel organisations to produce specific documents, and order external expert reports (at the organisation’s cost) in the wake of a suspected breach. These powers are designed to enable more effective investigations and signal a more assertive stance on enforcement.
The changes will certainly place an increased compliance burden on recipients of information notices; having to supply documents, rather than merely respond to questions from the IC, is likely to make it challenging for any respondents hoping to be able to manage the narrative selectively in their responses. Being required to commission breach reports is intended to create a baseline version of events to assist in IC investigations – however, this will ultimately add to the breach costs and it remains to be seen whether such costs will be covered by insurance.
More Protection for Children Under Online Services
Organisations providing online services that are likely to be used by children will also be explicitly required to take their needs into account when deciding how to use their personal data[15]. As part of its guidance on the DUAA, the ICO has noted that organisations should already satisfy this requirement if they conform to the ICO’s Age Appropriate Design Code[16].
Using Personal Data for Scientific Research Purposes and Assumption of Compatibility
The DUAA makes it clearer when organisations can use personal data for the purposes of scientific research, including commercial scientific research[17]. It will also allow organisations to re-use individuals’ personal data for scientific research without giving them a privacy notice where providing a privacy notice is impossible or would involve disproportionate effort[18]. What would involve a “disproportionate effort” will depend on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing[19].
The DUAA will also enable organisations to assume that some re-uses of personal data are compatible with the original purpose for which it was collected, without having to carry out a compatibility test[20].
Other Changes Impacting the Use of AI
a) Copyright works and artificial intelligence systems
The process to finalise and approve the DUAA involved much debate and parliamentary “ping-pong” about various amendments introduced by the House of Lords regarding copyright and AI. The House of Lords pushed for proposals that would give greater protection and transparency to the creative industries by requiring AI providers to disclose their use of copyright material when training AI tools, so that they could not access or train AI models on UK content without paying for it. Although the DUAA stops short of immediate licensing mandates or transparency obligations for AI providers, it imposes a binding schedule on the government to assess the implications of copyright use in AI training[21]. Specifically:
- within six months (by 19 December 2025), the Secretary of State must publish a progress report outlining developments toward an economic impact assessment and a detailed “AI/copyright report”; and
- within nine months (19 March 2026), a full economic impact assessment and a comprehensive report on the use of copyright works in AI systems must be submitted to Parliament, covering technical measures (i.e. through the use of web crawlers) and standards, access controls, developer disclosure practices, licensing models, regulatory enforcement and consideration of AI systems trained abroad.
This staged review process signals a clear intent: to build toward a framework that balances innovation with cultural and economic protection for creators, domestically and internationally. However, it remains to be seen whether this will result in further legislative changes.
b) Purported Intimate Images – New Offences
With the rise of deepfakes, the DUAA will introduce significant legal protections against the non-consensual creation or request of purported intimate images – a term that covers AI-generated deepfakes that appear to show an adult in a sexual or intimate context[22]. Crucially, new offences under the Sexual Offences Act 2003 will make it illegal to intentionally generate or even request the creation of such images without the subject’s consent, where there is no reasonable belief that consent was given. This squarely targets deepfake pornography and similar abuses, even if no real image or footage of the person in such a state exists.
When Are The Changes Coming Into Force?
A limited number of provisions under the DUAA took effect upon Royal Assent on 19 June 2025. These include the requirement that searches related to DSARs be reasonable and proportionate – and, as noted above, this duty has been applied retrospectively to 1 January 2024. Additional measures, such as enhancements to the IC’s powers to issue notices and request documentation, are scheduled to come into force on 19 August 2025 (two months after Royal Assent). The remaining provisions of the DUAA (which will primarily amend the UK GDPR, Data Protection Act 2018 and PECR) will be implemented through secondary legislation to be laid before Parliament in due course between August 2025 and June 2026[23] (though the precise timing of such secondary legislation currently remains unclear).
Looking Ahead: What Should Organisations Do Now?
The DUAA represents a shift towards a more agile and business-friendly data protection framework, without abandoning the core principles that underpin individual privacy. Its success will, however, ultimately depend on thoughtful implementation, informed regulatory guidance, and responsible adoption by organisations across the public and private sectors.
Although the exact dates on which the majority of the changes will come into force are still unknown, organisations should begin their compliance preparations now. This includes:
- Reviewing and revising (i) privacy notices; and (ii) DSAR processes;
- Implementing or updating internal complaint mechanisms;
- Auditing international transfer tools and tracking the rollout of additional guidance from the IC and the issuance of any standard contractual clauses or country-specific blacklists; and
- Assessing cookie practices.
Multinational organisations should pay special attention to areas where the UK and EU regimes are beginning to diverge – particularly in respect of the rules on ADM, international transfers, legitimate interests and (potentially) special categories of personal data. These changes will, for the most part, be welcomed by domestically-focused businesses. However, for those that also do business in the EU and beyond, many of the incoming changes are unlikely to offer any significant practical benefits and may create additional burdens, given the likely need to comply with diverging obligations in some areas. That does not mean potential benefits should not be considered – even for multinational organisations, the relaxed rules on ADM could, for example, prove particularly beneficial for UK-specific activities outside the scope of the EU GDPR, including in connection with domestic recruitment and HR-related processing by UK businesses.
One area of strategic concern is the potential impact of these reforms on the UK’s EU adequacy decision, which is set to expire on 27 December 2025. In some key respects, the DUAA could be considered to deviate from core GDPR concepts – such as in its more permissive approach to the rules on ADM, the redefined threshold for international transfers, and the expanded powers granted to the Secretary of State. Although the European Commission announced on 22 July 2025 that it was launching the process to approve new adequacy decisions for the UK, the DUAA’s reforms may yet prompt scrutiny from other EU institutions. The Commission still needs to obtain an opinion from the European Data Protection Board, as well as approvals from a committee of EU Member State representatives. The European Parliament will also have a right to scrutinise the draft adequacy decisions. It remains possible therefore that, ultimately, the Commission could conclude that unless adjustments are made to the UK regime, it will not formally approve the new UK adequacy decisions.
Our view, however, is that it currently seems highly unlikely that this process will result in the UK losing its adequacy status – particularly on the basis that, even with the changes to be introduced by the DUAA, the UK GDPR effectively still represents the legal regime most closely aligned to the EU GDPR of all the regimes that have been deemed adequate by the European Commission. It is also worth keeping in mind that there are similar calls for relaxation of certain EU GDPR requirements to promote innovation and economic growth within the EU, and as an initial step, the European Commission is currently considering extending current EU GDPR derogations in respect of SMEs to larger Small and Mid-Cap organisations. Ultimately, the European Commission may wait and see how the changes introduced by the DUAA play out in practice and, if they prove successful, consider similar changes of its own.
However, loss of UK adequacy remains a possibility for the moment and businesses should closely monitor legal and political developments in this area, particularly in the event of further regulatory fragmentation in the future. Equally importantly, businesses operating in the UK and the European Union need to start work now on developing their approach to compliance across both regions – not a straightforward task when some processing activities may be subject to both the UK GDPR and the EU GDPR. Of course, this has been a challenge since Brexit, but the UK government’s moves to streamline compliance for some companies have certainly increased compliance complexity for many others.
[2] Article 80 DUAA
[3] Article 80 DUAA – new UK GDPR Article 22B(1)-(4)
[4] Article 103 DUAA
[5] Article 78 DUAA
[6] Article 76 DUAA
[7] Article 115 and Schedule 13 DUAA
[8] Schedule 12 DUAA
[9] Article 111 DUAA
[10] Article 114 DUAA
[11] Article 85 and Schedule 7 DUAA
[12] Article 70 DUAA
[13] Article 74 DUAA
[14] Part 6 DUAA
[15] Article 81 DUAA
[17] Article 67 DUAA
[18] Article 77 DUAA
[19] Article 77(1)(b)(6) DUAA
[20] Article 71 DUAA
[21] Articles 135-137 DUAA
[22] Article 138 DUAA
[23] Articles 142 and 143 DUAA