After a protracted legislative journey through Parliament, the UK’s Data (Use and Access) Bill (“DUAB”) finally passed on 11 June 2025 and is expected to receive Royal Assent today (19 June 2025). The DUAB, which has undergone multiple iterations and rebrandings since its original introduction in 2023, represents the first major divergence from the EU data protection regime since Brexit.
Originally tabled by the Conservative government as the ‘Data Protection and Digital Information Bill’ (“DPDI Bill”), the DPDI Bill stalled (for the second time) ahead of the 2024 General Election. The incoming Labour government reintroduced it as the ‘Digital Information and Smart Data Bill’ – before settling on the ‘Data (Use and Access) Bill’. The DUAB’s passage was delayed by months of legislative “ping pong” between the House of Commons and the Lords, particularly over provisions concerning the use of data for AI training and copyright. Whilst the DUAB stops short of resolving the copyright-AI tension, it lays the groundwork for a separate consultation on copyright and AI issues in the near future. We will write about that in more detail in the coming days.
A Broader Data Strategy with Targeted Data Protection Reform
While the DUAB is fundamentally about enabling better use of data across the UK economy – through smart data schemes, digital ID verification frameworks and sector-specific innovation – it also introduces a series of targeted reforms to the UK’s data protection regime. These changes are designed to reduce compliance burdens, support responsible AI deployment, and enhance individual rights.
The DUAB will build on existing UK data protection laws – including the Data Protection Act 2018 (“DPA 2018”), the UK GDPR, and the Privacy and Electronic Communications Regulations (“PECR”), all of which remain in force – by adding new mechanisms to enhance data accessibility without undermining individual privacy rights.
Key Data Protection Reforms
The DUAB introduces a number of important changes to UK data protection laws – many of which have been carried over from the DPDI Bill (although not necessarily in their original form). Some of the more substantive reforms proposed under the DPDI Bill – for instance, appointing data protection officers, maintaining records of processing activities and conducting data protection impact assessments – have been dropped in the DUAB, so the UK will continue to align with the EU’s approach in these particular areas.
Key changes include:
- Automated Decision Making (“ADM”): the current prohibition on ADM will be narrowed to apply only to decisions that significantly affect individuals and involve special category data (provided that suitable safeguards are in place).
- Recognised Legitimate Interests: the DUAB introduces a list of ‘recognised legitimate interests’, allowing for processing of personal data where these interests apply without having to carry out a legitimate interests assessment. ‘Recognised legitimate interests’ include safeguarding national security, responding to emergencies, detecting, investigating, or preventing crime, and safeguarding vulnerable individuals.
- Purpose Limitation: the DUAB amends the “purpose limitation” provisions under the UK GDPR, setting out additional factors to determine if a new purpose is compatible with the original purpose. The DUAB also provides that certain processing for a new purpose will be deemed compatible, including certain processing for research or archiving in the public interest, as well as on some broader public interest grounds or where fresh consent is obtained.
- Scientific Research: the DUAB introduces a broader definition of scientific research, to include research that “can reasonably be described as scientific”. It does not matter whether the research is publicly or privately funded or whether it is carried out as a commercial or non-commercial activity.
- Complaints: the DUAB introduces new rights for individuals to submit complaints directly to organisations. Controllers are required to take “appropriate steps” to facilitate data subject complaints, such as by providing a complaints policy or online form, and must acknowledge receipt within 30 days.
- Data Subject Access Requests (“DSAR”): the DUAB clarifies that if a controller reasonably requests further details to identify the processing activities to which the DSAR relates, then the ‘clock stops’ until that information is received. The DUAB also codifies existing ICO guidance that controllers only need to carry out “reasonable and proportionate” searches for information and personal data in response to a DSAR.
- Cookie Consent: the DUAB introduces practical exemptions to the existing consent requirements. Notably, it removes the requirement for user consent when cookies or other tracking technologies are used exclusively to gather statistical data for service or website improvements, enhance website appearance or performance, or tailor the site to a user's preferences.
- PECR Fines: the maximum fines under PECR (which regulates the use of cookies and electronic marketing) will be increased to align with the UK GDPR. Breaches of PECR may now incur penalties of up to £17.5 million or 4% of global turnover, replacing the current £500,000 cap.
- Changes to the ICO: the DUAB makes significant changes to the structure and governance of the ICO. The role of Information Commissioner as a “corporation sole” will become the “Information Commission” and its structure will change to include board members. These changes bring it more in line with the structure of other regulatory bodies such as the CMA and Ofcom.
Beyond Data Protection
The following broader provisions will also come into force on a date to be specified by further regulations:
- Smart Data Schemes: the DUAB introduces a framework for new ‘Smart Data Schemes’ to be established, with the intention of increasing data portability between suppliers, service providers, customers, and relevant third parties. The aim is to build on the achievements of Open Banking and extend this to other key industries including energy and transport.
- Digital Verification Services (“DVS”): the DUAB also introduces a statutory framework for DVS, requiring the Secretary of State to establish a register of certified providers and issue trustmarks for digital identity providers.
- Common standards for health records: the DUAB provides for the government to bring in standards to enable interoperability and sharing of health-related data. IT suppliers for the health and care sectors will need to ensure that their systems meet common standards to enable data sharing across platforms.
What should businesses be doing now?
It's worth noting that some of the DUAB is dependent on secondary legislation so it won't all come into effect immediately.
We set out below some practical recommendations on what businesses should be focusing on now:
- Review your electronic direct marketing practices – the ICO’s enforcement powers under the PECR have been aligned with UK GDPR, so fines for breaches of PECR have risen. Reassess marketing strategies in light of this.
- Refine data subject access request processes – the DUAB codifies the ‘reasonable and proportionate’ search and ‘stop the clock’ rule already set out in ICO guidance. It also updates some of the exemptions so organisations should update DSAR response templates accordingly.
- Evaluate use of ADM – existing rules have softened (except for special category data) so revisit your policies and check if any opportunities arise as a result.
- Revisit legitimate interests analysis – introduction of the concept of ‘recognised legitimate interests’ means you may not always need to conduct a legitimate interests assessment.
- Review cookies banners – there are new exemptions for certain cookies so revisit your cookies banners and policies to reflect this.
- Complaint procedures – there are new requirements for handling complaints from data subjects to organisations, so ensure that your complaint handling procedures are updated accordingly.
On a final note, the EU has extended the UK's adequacy decision, which allows for the free flow of data between the EU and UK, until 27 December 2025. This extension provides time for the EU to assess the impact of the new UK law on data protection before making a final decision on the adequacy status. Businesses should monitor this area for further developments.
For advice on the proposed changes to UK data protection laws and other changes introduced by the DUAB, please contact Martin Cook, Madelin Sinclair McAusland, Amanda Leiu, Justin Barrow or a member of Burges Salmon's Commercial & Technology team.