Data (Use and Access) Act 2025: A comparison with its predecessor, the Data Protection and Digital Information Bill (the

The Data (Use and Access) Act 2025 (the "DUAA") received Royal Assent on 19 June 2025. The DUAA's changes to UK data protection laws aim to facilitate the safe and effective use of data, encourage innovation and simplify data protection compliance requirements.
The DUAA covers a variety of data-related provisions, including amendments to UK data protection and ePrivacy laws, provisions for new smart data schemes, private sector access to public sector data, digital ID verification services, and changes to the structure and powers of the Information Commissioner's Office ("ICO"). It is broad in scope, addressing more than just personal data protection reform, and these additional areas of focus will be considered in more detail in the final part of this article series.
In this article, the fifth in our series, we reflect on the DUAA's prolonged and somewhat tumultuous passage through Parliament since it was introduced into Parliament as the Data (Use and Access) Bill (the "DUA Bill") on 23 October 2024. We also summarise the key thematic differences between the DUAA and its most recent predecessor, the Data Protection and Digital Information Bill ("DPDI Bill") and analyse what was kept and what was dropped from the DPDI Bill, now that the DUAA has entered into force.
Background to the DPDI Bill
The first version of the DPDI Bill was introduced in the 2022-23 parliamentary session, aimed at reforming the UK's data protection framework and modernising its approach to data management. A second iteration of the DPDI Bill was amended and reintroduced in March 2024, but ultimately did not progress due to the July 2024 General Election and subsequent dissolution of Parliament.
Many in the data protection community welcomed its demise, fearing it would have lacked proper scrutiny if rushed through Parliament during the "wash-up" period. The DUAA therefore represents the third attempt at data protection reform since 2022.
Enactment of the DUAA
The DUAA is now enshrined in law after close to eight months of back and forth between the House of Lords and the House of Commons. Much of the DUAA has yet to come into effect, which will require secondary legislation.
While much of the DUAA resembles the DPDI Bill, it diverges in scope and focus, with some notable omissions. As it passed through the House of Lords, the DUA Bill saw changes such as the removal of collective data rights management, amendments to automated decision-making ("ADM") restrictions, new provisions for children’s data protection, and changes to direct marketing requirements.
Interestingly, the hold-up to the DUA Bill's passage was mainly due to the debate over the introduction of provisions concerning intellectual property rights and the ability of rights holders to opt out of data scraping for AI training purposes. In a now-abandoned AI copyright code of practice initiative, the UK government considered the "lack of AI-related protection" in relation to data scraping and this was specifically raised during the DUA Bill's Second Reading in the House of Lords. This led to new clauses being proposed regarding transparency and compliance with UK copyright law by operators of web crawlers and general-purpose AI models. Debates over these amendments were rife as each iteration that was brought by the House of Lords was blocked by the Commons.
Ultimately, the Lords' transparency-focused AI copyright amendments failed and the provisions are not found in the DUAA. However, a compromise of sorts was reached, with the DUAA requiring the government to:
- publish a report (the "Report") on copyright and AI within nine months of the DUAA coming into force; and
- update Parliament on the progress of the Report and the publication of an economic impact assessment of each of the four policy options described in section B.4 of the Copyright and AI Consultation Paper within six months of the DUA Bill gaining Royal Assent.
While the government has appeared to favour the technology sector's interests in open data over protections for the creative industry, future AI legislation may address the concerns put forward by creators on this topic.
What influence did UK adequacy have on the DUA Bill?
The DUA Bill's development was arguably influenced by the UK's desire to maintain European Union ("EU") adequacy status, which is crucial for maintaining international data transfers and trade with the EU.
The European Commission's (the "Commission") adequacy decisions for the UK were initially set to expire in June 2025 but were then formally extended to December 2025 to allow time for the DUA Bill (now the DUAA) to be assessed by the Commission in advance of making follow-up formal adequacy decisions. Divergence from EU standards risks complicating the UK's adequacy status and the free data flows between the UK and the EU, although the UK Government remains confident that the reforms in the DUAA are unlikely to cause the Commission to decline to extend the UK’s adequacy for further years.
Key retained sections from the DPDI Bill
Automated decision-making
The DUAA retains the DPDI Bill's dilution of the prohibition on solely automated decision-making ("ADM") with significant effects. When the DUAA comes into force, ADM will be generally permitted with adequate safeguards: informing data subjects, enabling responses, human intervention, and contesting decisions. The Secretary of State can define significant effects and modify safeguards. However, ADM is still prohibited for "sensitive processing" (i.e. of special category data) unless explicit consent is given or if required by law, aiming to prevent misuse of sensitive information.
Recognised legitimate interests
As in the DPDI Bill, the DUAA creates a new lawful basis for processing personal data - recognised legitimate interests, covering a fixed list of purposes (e.g., public interest, national security, emergencies, crime prevention, safeguarding vulnerable individuals). In these cases, controllers are exempt from the balancing test, streamlining compliance but seemingly increasing the ethical burden on organisations to ensure responsible data use.
International data transfers
The DUAA mirrors the approach of the DPDI Bill, adopting a new "data protection test" for international data transfers, requiring that third countries' safeguards are "not materially lower" than the UK's. Importantly, the lack of a precise definition of "materially" could broaden eligible jurisdictions for data transfers, but may raise EU concerns and complicate adequacy assessments. Organisations considering international data transfers might consider seeking expert legal advice on whether and how local data protection laws comply with UK standards to mitigate any risks that might arise.
Charities direct marketing soft opt-in
The DUAA extends the Privacy and Electronic Communications Regulations ("PECR") soft opt-in for direct marketing to charities, allowing them to contact individuals who have donated or shown interest without explicit prior consent, provided there is an opt-out mechanism. This provision appeared in the DPDI Bill and was subsequently reintroduced into the DUA Bill in January 2025 by the House of Lords. This aims to help charities engage supporters for public benefit but requires transparent and proportionate application.
Scientific research
As in the DPDI Bill, the DUAA codifies a broad definition of "scientific research", including technological development and both public and private research. However, for public health studies, this definition only applies if the research can reasonably be considered in the public interest. In a recent development in May that was ultimately blocked by the House of Commons, the Lords voted in favour of amending the DUA Bill to, among other things, (i) narrow the definition of "scientific research"; (ii) introduce a threshold for the reasonableness test in relation to the use of personal data for scientific research; and (iii) grant the power to introduce safeguards to fulfil the aforementioned reasonableness test.
This failed in favour of the government's definition which deems "scientific research" as any research that can "reasonably" be described as scientific, regardless of funding source or whether it's carried out as a commercial or non-commercial activity. This conflict of opinion highlights topical concerns around safeguards for personal data used in scientific research.
Cookies
Schedule 12 of the DUAA expands exemptions under PECR, allowing the use of certain low-impact cookies (that pertain to functionality, analytics, and personalisation) without prior consent, provided users are given comprehensive information and can object. Marketing cookies still require user consent. This change aims to ease compliance for organisations while preserving transparency and user control.
Key provisions of the DPDI Bill that were dropped
The DPDI Bill proposed several amendments that were not carried over into the DUAA, of which a number fall under the accountability umbrella. In summary, there is no change to the definition of "personal data" in the DUAA; DPO, RoPA and DPIA requirements remain the same; and the proposal to allow controllers to refuse to respond to "vexatious or excessive" data subject access requests ("DSARs") has now gone.
Record of Processing Activities ("RoPA")
The DPDI Bill proposed exempting organisations from RoPA except for high-risk processing. The DUAA retains the requirement for all controllers and processors to keep a RoPA, regardless of the type of data that is held.
Data Protection Officer ("DPO")
The DPDI Bill would have replaced DPOs with Senior Responsible Individuals. The DUAA keeps the DPO requirement unchanged, which should be a source of comfort to organisations, minimising changes to governance structures in the near future.
Data Protection Impact Assessments ("DPIA")
The DPDI Bill proposed more flexible "high-risk processing assessments", giving controllers more autonomy over when DPIAs are needed. The DUAA retains the current DPIA requirements, which make it necessary to carry out a DPIA if high-risk processing is likely.
DSARs
The DPDI Bill would have allowed refusal of "vexatious or excessive" requests. The DUAA omits this, retaining refusal only for "manifestly unfounded or excessive" requests, but importantly clarifies that searches should be reasonable and proportionate, and allows refusal if it would require disproportionate effort or involve legally privileged information.
Conclusion
The DPDI Bill aimed to streamline UK data protection post-Brexit by, among other things, reducing administrative burdens. The DUAA continues this approach but in an arguably more cautious manner, balancing innovation with the need to maintain EU adequacy and public trust in the UK's data protection regime.
While the DUAA has not fundamentally changed the UK data protection landscape, organisations must adapt to both new and retained requirements in the DUAA. As the EU considers GDPR reforms including simplification, it will be interesting to see if the UK's approach under the DUAA has any influence on future EU policy.
Next up
In our final article in this series, we'll examine a range of provisions in the DUAA that, while not directly related to data protection, remain highly pertinent to the ever-changing landscape of technology and record-keeping. These include the National Underground Asset Registry, the Electronic Register of Births and Deaths, and measures concerning the creation of deepfakes.