On 11 June 2025 Parliament passed a Bill that will shortly gain Royal Assent and become the Data (Use and Access) Act 2025 (the DUAA). The DUAA will implement a raft of reforms across the UK data law landscape. In particular, the DUAA will introduce reforms to the UK’s data protection and ePrivacy regimes that are relevant to almost all companies.
This article explains some of the most significant data protection and privacy law changes that will affect those doing business in the UK; other aspects of the DUAA are covered in a separate article.
Background
The UK’s current data protection and ePrivacy regimes are largely based on the EU’s ‘GDPR’ and ePrivacy laws, except for some minor amendments that were required as a result of Brexit.
The DUAA will now result in more material divergence from the EU’s regulatory regime.
The top six most consequential reforms for most businesses include:
| At-a-glance | Summary of the reforms |
| --- | --- |
| Replacement of the ICO by the Information Commission | The Information Commissioner’s Office (ICO) currently regulates the UK’s data protection and ePrivacy regime along with many other information laws. The DUAA will replace the ICO with a new supervisory authority called the ‘Information Commission’ and also make various reforms to the regulator’s organisation and duties. For example, the Information Commission will be: |
| A mixed bag of changes to data subject requests and complaints | The DUAA will give individuals a statutory right to make complaints to the controller and impose a statutory obligation on those controllers to put in place processes to facilitate complaints and respond to them within certain timeframes. The DUAA will also make changes to the calculation of timeframes within which responses to data subject requests must be provided and clarify the scope of searches the controller is obliged to undertake. These changes will often benefit data controllers, including by specifying they may: |
| Facilitating international transfers of personal data | The DUAA will introduce a more liberal ‘risk-based’ approach to international transfers of personal data, and therefore facilitate more transfers of personal data outside the UK. This includes: This is one of the most significant reforms and will be explored separately in a forthcoming blog post. The DUAA also includes reforms to authorise certain data processing necessary for the purposes of responding to a request by US authorities made in accordance with the Agreement between the UK and US on Access to Electronic Data for the Purpose of Countering Serious Crime. |
| Facilitating automated decision making and use of AI | The DUAA will empower organisations to implement automated decision-making in additional scenarios. This is one of the most significant reforms and will be explored separately in a forthcoming blog post. The government has also committed to using its secondary legislation powers to require the Information Commission to produce a new code of practice on solely automated decision-making and AI. |
| Changes to the ePrivacy regime governing aspects of direct marketing plus the use of cookies and other tracking tech | Key changes include: |
| Protection of children’s data | The DUAA will amend controllers’ data protection by design obligations for those processing personal data in the course of providing information society services (which includes most online services) likely to be accessed by children. Under the reforms, in-scope controllers must take account of certain ‘higher protection matters’ when assessing what are appropriate technical and organisational measures. It remains to be seen how significant this is in practice. The head of the ICO has said: ‘Whilst I remain committed to ensuring that children are appropriately protected, it is important to clarify that although an organisation might need to take different steps when handling children’s data as opposed to adults, the underlying data protection principles themselves remain the same…I do not want this amendment … to suggest that the [ICO’s Age Appropriate Design Code] reflects a higher legal standard than when processing data about adults’. The ICO has requested further clarity from the government on various aspects of this requirement. |
Other reforms that may be relevant to certain businesses include:
| At-a-glance | Summary of the reforms |
| --- | --- |
| Facilitating the processing of personal data for new purposes | Reforms are made to: |
| Assisting organisations using personal data in connection with undertaking certain research | The DUAA will: |
| Minor amendments to information/transparency obligations | These include creating a revised ‘disproportionate effort or impossibility’ exemption in relation to the requirement for information to be given to data subjects where the data was not collected directly from them. The reform is intended to clarify that the exemption applies to all processing and to provide a non-exhaustive definition. |
| Reformed notice period for personal data breaches impacting public electronic communications services | Providers of a public electronic communications service (ie entities which provide any service allowing members of the public to send electronic messages, including telecoms providers and internet service providers) are subject to a personal data breach notification regime under UK ePrivacy laws, which is distinct from that under the UK’s general data protection regime. Those obligations currently include notifying the ICO of a personal data breach within 24 hours. The ICO had already announced some relaxation in how it would enforce that deadline. The DUAA will specify that the obligation is relaxed to require reporting of breaches without undue delay and, where feasible, not later than 72 hours after becoming aware of it (plus an obligation to explain any failure to notify within the 72 hours). |
| Express confirmation that certain activities ‘may’ be processed under the existing legitimate interests lawful basis | The DUAA will expressly confirm that certain processing may be lawful under this existing lawful basis if it passes a legitimate interests assessment, including processing necessary for: (1) direct marketing; (2) intra-group transmission of personal data for internal administrative purposes; and (3) ensuring the security of network and information systems. |
| Reforms focused on the public and third sector | The DUAA also includes various other reforms that are generally most likely to be relevant to processing by public authorities, NGOs and charities (which are out of scope of this article). Those include a new ‘recognised legitimate interests’ lawful basis for certain processing related to: (1) national security, public security and defence; (2) serious civil emergencies; (3) detecting, investigating or preventing crime and apprehending or prosecuting offenders; and (4) safeguarding vulnerable individuals. |
Future reforms
The DUAA includes extensive powers for the Secretary of State to make subsequent reforms to UK data protection laws through secondary legislation and without the need to pass further primary laws through Parliament. For example, the Secretary of State will be given power to add new items to the list of special categories of personal data that benefit from additional protections under the UK GDPR.
These powers make regulatory reform in various aspects of the data protection regime more likely going forward.
Implications and next steps
Most of the proposed reforms introduce relatively limited changes. Businesses that already comply with the current UK data protection and ePrivacy regimes will generally only need to make minor adjustments.
The DUAA promises greater flexibility and divergence in certain areas (eg, automated decision-making, data processing in connection with research and international transfers). However, many organisations will be subject to both the UK and EU GDPR regimes. As a result, the government’s efforts to reduce burdens on organisations might not lead to cost savings if organisations find it more cost-effective, or otherwise prefer, to adhere to the stricter EU GDPR standards to meet the requirements of both regimes.
The DUAA will also introduce some new burdens on organisations and a need for them to consider how they should adapt their existing UK processes. For example, businesses will face potentially far higher fines for infringements of the ePrivacy regime, new enforcement powers and the requirement to put in place a process to facilitate data subject complaints.
Impact on transfers of personal data from the EU to UK
The UK government has made clear that it understands the importance of keeping the UK’s designation as an ‘adequate’ jurisdiction from the European Commission, which allows most personal data to be transferred from the EU to the UK without the need to put in place additional safeguards.
The UK’s current adequacy decision expires in June 2025. The European Commission is likely to grant the UK a six-month extension until a date in December so it can consider the impact of the DUAA.
We share the UK government’s assessment that the reforms in the DUAA are unlikely to cause the European Commission to decide to not extend the UK’s adequacy for further years.
However, any divergence from the EU’s regime may increase the odds of a successful challenge to the UK’s adequacy status before the EU’s Court of Justice, regardless of the European Commission’s view.
When the reforms will take effect
The government has yet to confirm the timetable for most of the provisions to be made applicable and some commencement dates may extend into 2026 or, in theory, beyond. The full transfer of all ICO functions, for example, will likely require a carefully managed process.
A delayed implementation that leaves key aspects of the UK data protection regime in flux close to the EU’s adequacy review deadline could be viewed negatively by the EU, potentially incentivising the UK government to commence a substantial package of the data protection reforms well in advance of December 2025.
Businesses and other organisations should start considering how they may adapt to, and take advantage of, the new reforms.