The Data (Use and Access) Act: an eye towards developments in data protection practice

We have closely watched successive administrations’ efforts to reform the UK data protection regime, with varying degrees of ambition and – in some cases – hostility to data rights. AWO solicitor Alex Lawrence-Archer gave evidence to Parliament on the previous administration’s Data Protection and Digital Information (‘DPDI’) Bill and we wrote about that Bill in a previous blog, warning of a narrowing window to stop the UK being outpaced in AI regulation.

The UK has now passed the Data Use and Access Act 2025 (‘DUAA’). It retains many core DPDI ambitions: smart data, digital ID, and tweaks to data protection—but with significant recalibration to a more modest level of ambition.

Beyond relatively uncontroversial changes to smart data and digital ID and verification, there remain important reforms to the data protection regime in the Act.

Data protection reforms which made the cut:

  • Lawful basis and purpose limitation changes: The DUAA keeps the DPDI’s “recognised legitimate interests” (‘RLI’) basis for processing without undertaking a full balancing test (we wrote about these in the context of the DPDI Bill). The controversial ‘democratic engagement’ RLI is dropped, but the Secretary of State retains the power to create new RLIs in future. The purpose limitation test is reformed, primarily to make it easier for data to flow to and between public authorities.
  • Eased tests for UK adequacy decisions: Rather than “equivalence,” data can flow to countries “not materially lower” in data protection—placing more discretion in the Secretary of State’s hands.
  • Automated decisions: As in the DPDI Bill, the absolute right not to be subject to solely automated significant decisions is dopped from the UK GDPR. The DUAA replaces that right with a narrower ban (focused on significant automated decisions which use special category data) and a greater emphasis on safeguards.
  • The ICO – now the Information Commission - will be put into a more traditional form, with a Chair, Board, and CEO.
  • Research processing: a new up-front definition and changes to some exemptions will make it easier to process personal data for broad ‘scientific research’ purposes.

More ambitious (and concerning) data protection reforms which were dropped:

  • Personal data definition: confusing changes regarding the test for anonymisation, which could have significantly affected the GDPR’s scope.
  • Data rights: changes to make it easier to refuse data rights requests – which aroused significant concern among data rights advocates.
  • Accountability: A planned overhaul to the need for data protection officers, record-keeping etc. meant to ease the burden on small business.

Looking ahead

As the dust settles on a hotly-debated piece of legislation (with much of the recent debate on copyright issues as opposed to data protection) here are a few issues that we will be watching closely in our work on data protection and AI disputes as the Act comes into force:

  • RLIs in the wild: The significance of dropping the balancing test for some processing in reliance on RLIs remains to be seen. Arguably this processing must still be necessary and proportionate, so the impact on data subjects could be minimal. But we will need to see how RLIs crop up ‘in the wild’, and whether they give controllers cover to carry out more invasive processing which could harm data subjects.
  • Compliance burden on (small) businesses: this issue is unlikely to recede, particularly in light of developments and proposals in the EU on the same issue. We expect to see businesses continuing to lobby for a relaxation of requirements and a soft-touch approach from the Information Commission.
  • AI regulation: The Act is as notable for what it doesn’t do as for what it does. Despite the UK entering into the AI Convention in 2024, this Act does not regulate AI and has limited impact on key issues of concern around the latest AI models. The Government has recently said that a ‘comprehensive’ AI Bill could come in 2026.
  • Public authorities: the DUAA looks set to give public bodies a significantly freer hand in processing data, without countervailing protections for human rights. We may see increasing disputes – whether under the UK GDPR or in public law – about public bodies’ use of data, especially as they come under greater pressure to train and use AI.
  • The Information Commission: With such a wide remit and limited resources, the regulator’s approach makes an enormous difference to what data protection looks like on the ground for ordinary people. The Government dropped some of the more controversial DPDI provisions which could have limited the IC’s independence. But watch Chair, Board and CEO appointments closely for an indication of where enforcement – and therefore the UK’s data protection regime as a whole – is headed.
  • International Transfers: The Secretary of State could now use powers to grant UK adequacy decisions to a wider range of jurisdictions. As we have said previously, it is this issue more than any other that could feed into the European Commission’s review of the UK’s EU adequacy decision, delayed until December 2025. The Commission will be alive to the risk of the UK becoming a ‘staging-post’ for EU-originating data to be re-exported to jurisdictions which do not enjoy EU adequacy.

If you would like further information about the DUAA, please contact alex.lawrencearcher@awo.legal

Get in touch. Send an email or book a call directly with our specialists.