The UK’s Next Data Chapter: DUAA 2025 Explained
The Data (Use and Access) Bill was granted Royal Assent on June 19, 2025, and became the Data (Use and Access) Act 2025 (DUAA). The DUAA implements various measures concerning data usage in the UK and aims to enhance the economy, improve public services, establish a framework for digital identity verification, and reform data protection law. The majority of its provisions will be commenced within two to six months of Royal Assent, though some may take up to 12 months.
This Advisory explains the history of the DUAA, provides an overview of the changes to UK data law that the DUAA introduces, with a particular focus on changes to the UK data protection regime, considers the likely effect of the DUAA on the UK adequacy decision, and gives practical suggestions on how businesses should comply with the new law.
UK Data Protection Reform — A Brief History
The DUAA represents the culmination of various efforts by both the current and previous governments to reform data protection legislation in the UK. The announcement of the then-Conservative government’s plan to reform the UK data protection framework through the Data Protection Reform Bill was made during the 2022 Queen’s Speech. The Data Protection and Digital Information Bill (DPDI) was presented in July 2022 and aimed to implement substantial amendments to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) as a purported “Brexit Dividend,” promoting innovation and growth, while protecting individuals’ rights.
The DPDI sparked controversy, particularly due to the potential risk it posed to the European Commission’s adequacy determination in favor of the UK, allowing the free flow of personal data to continue following Brexit. The DPDI was slated for a second reading in September 2022, but this was postponed indefinitely. A revised version, the Data Protection and Digital Information (No. 2) Bill, was introduced in March 2023. However, following the Conservative government’s defeat in the General Election of July 2024, the No. 2 Bill did not complete the parliamentary “wash-up” process and was ultimately abandoned.
The new Labour government’s intention to reform UK data protection legislation was revealed during the King’s Speech in July 2024 as the Digital Information and Smart Data Bill. This bill was later renamed the Data (Use and Access) Bill (DUA Bill) and was presented to the House of Lords on October 23, 2024. The DUA Bill incorporated many of the amendments proposed by the DPDI, omitting the more contentious provisions. After passing through Parliament, the DUA Bill was granted Royal Assent on June 19, 2025, and is now enacted as the Data (Use and Access) Act 2025.
High-Level View of the DUAA
The DUAA reforms UK data protection legislation by amending the UK GDPR, the DPA 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR); however, it also introduces changes that regulate the use of data generally. The DUAA is divided into eight parts:
Part 1: Smart Data Schemes: These provisions grant the Science and Technology Secretary and HM Treasury the power to introduce smart data schemes. These schemes are to be established by enacting regulations that will specify the details of a scheme, including identifying the relevant data providers, categories of data and how they must be provided, and mandating any relevant security measures.
Part 2: Digital Verification Services: Part 2 of the DUAA establishes a framework for digital verification services, requiring the Secretary of State to prepare and publish a trust framework setting out the rules that providers of trusted digital verification tools must meet. These tools are intended to enable individuals to prove their identity online, with the aim of simplifying important tasks (such as renting a home or starting new employment).
Part 3: The National Underground Asset Register (NUAR): The NUAR provisions establish a government scheme intended to provide authorized users with instant access to a national map of underground conduits (such as pipes and cables). Currently, asset owners such as gas, water, electricity, telecom providers, and local authorities provide this information voluntarily, but accessing the information can be time-consuming. Under the NUAR, asset owners will be subject to a mandatory obligation to provide data. The NUAR will provide a comprehensive view of underground infrastructure, which is intended to enable construction and repair work to be conducted safely and efficiently, avoiding accidental strikes to buried cables and pipes.
Part 4: Registers of Births and Deaths: The DUAA migrates national registers of births and deaths from paper records to an electronic format.
Part 5: Data Protection Reform: Part 5 reforms UK data protection legislation by amending the UK GDPR, the DPA 2018, and PECR, and is explained in more detail in the next section.
Part 6: Information Commissioner: The legislation replaces the Information Commissioner with a new body called the Information Commission.
Part 7: Bereaved Parents: Part 7 is intended to help bereaved parents obtain information from social media providers where social media is linked to their child’s death. A data preservation process will be established, which will require Ofcom to issue a data preservation notice to social media companies, on request by a coroner, to support their investigations into the child’s death.
Part 8: Miscellaneous Provisions: The miscellaneous provisions primarily deal with the legal and procedural mechanisms for implementing and adapting the DUAA.
Data Protection Reform Under DUAA
As mentioned in the preceding section, Part 5 of the DUAA reforms existing data protection legislation. It is a refinement of existing legislation rather than a radical overhaul. The changes include the following:
1. Scientific Research: The DUAA defines “scientific research,” which covers any research that may reasonably be classified as scientific, regardless of whether it is commercial or non-commercial in nature. This definition encompasses technological advancements, fundamental and applied research, and public health studies conducted for the benefit of the public. Furthermore, it explicitly includes genealogical research as a form of “historical research” and clarifies what constitutes statistical processing. The provisions underscore that such processing must yield aggregate, non-personal data and must not be utilized for making decisions regarding individuals. Additionally, the consent requirements under the UK GDPR are broadened to cover situations where the complete research objectives cannot be detailed when consent is acquired, provided that ethical standards are upheld and partial consent is attainable.
2. Recognized Legitimate Interests: The DUAA provides an additional lawful basis for processing where there is a “recognized legitimate interest.” The new lawful basis permits processing for a number of specified purposes, including direct marketing, internal group transmission, and cybersecurity. In effect, the DUAA aligns the operative provisions with the recitals of the UK GDPR. Annex 1 provides a list of recognized legitimate interests, which the Secretary of State may amend.
3. Relaxation of the Purpose Limitation Principle: The DUAA clarifies the “purpose limitation” principle, under which personal data may only be processed for the purpose for which it was originally collected unless the new purpose is compatible with the original one. The DUAA sets out several scenarios in which further processing is deemed compatible with the original purpose: where the data subject has given new consent for the new purpose, where the processing is for scientific or historical research or for archiving in the public interest, and where the processing is for any of the purposes listed in Annex 2. The Annex 2 purposes cover situations where processing is necessary for disclosure to a person performing a public interest task, for ensuring public security, for responding to emergencies, for detecting, investigating, or preventing crime, for protecting the vital interests of a data subject, and for safeguarding vulnerable individuals. The DUAA grants the Secretary of State authority to add, modify, or remove provisions from Annex 2.
4. Clarification of Data Subjects’ Rights: The DUAA aligns the UK GDPR’s subject access provisions with the existing guidance from the Information Commissioner’s Office. It codifies the concept of “stopping the clock” when the controller is unable to proceed with the response due to the need for additional information from the data subject or verification of the data subject’s identity. Furthermore, the DUAA specifies that controllers are only required to perform a “reasonable and proportionate” search for information and personal data in response to a subject access request, which is in line with current case law (although the legislation does not elaborate on what amounts to a “reasonable and proportionate” search).
The DUAA does not include the proposal from the DPDI that would have allowed controllers to refuse a subject access request because it is vexatious. Therefore, controllers will still be required to prove that a request is manifestly unfounded or excessive to refuse to comply.
5. Automated Decision-Making: The DUAA specifies that a decision is treated as based solely on automated processing where there is no meaningful human involvement in it. It eases certain existing limitations on automated decision-making using ordinary personal data, yet maintains restrictions on its use of special categories of personal data, including health data. Data controllers are required to assess the degree to which a decision is influenced by profiling when determining whether human involvement is indeed “meaningful.” A “significant decision” is defined as one that produces legal effects or similarly significant effects for a data subject. A significant decision based entirely or partly on processing any of the special categories of personal data is prohibited unless the data subject has consented, the processing is necessary for entering into or performing a contract, or the processing is required by law.
6. Data Transfers: The DUAA replaces Chapter V of the UK GDPR. When deciding whether to make adequacy regulations for a third country, the Secretary of State must apply a “data protection test,” considering whether the standard of data protection in that country is materially lower than that in the UK. Controllers relying on appropriate safeguards for a transfer must apply the same test in relation to those safeguards.
7. Changes to PECR: The DUAA makes a number of changes to PECR. In particular, it:
- Increases the maximum permissible fine for breaches from £500,000 to £17.5 million or 4% of global annual turnover, whichever is higher, in line with the maximum penalties under the UK GDPR.
- Extends the categories of cookies (and similar technologies) which may be set without users’ consent. The new exemptions cover cookies used to collect statistical information to improve the service, functional cookies, and personalization cookies (for example, those that automatically authenticate a repeat user of a digital service or repeat visitor to a website, or that maintain a record of settings or preferences), subject to the user being given clear information and a simple means to object. In addition, cookies whose sole purpose is to ascertain a user’s location in response to an emergency communication do not require consent.
- Extends the scope of the “soft opt-in” to charities, which were previously not permitted to rely on this exemption.
The DUAA and the UK Adequacy Decision
A significant concern with the DPDI bill was that it risked the UK adequacy decision that the European Commission had granted. While it retains much of the DPDI, the DUAA notably dropped the more controversial provisions. For instance, the DUAA does not include the DPDI’s proposals to replace data protection officers or amend the definition of personal data.
Following its departure from the European Union, the UK became a “third country” for the purposes of the GDPR, to which transfers of personal data are restricted unless an adequacy decision or appropriate safeguards apply. The European Commission granted two adequacy decisions on June 28, 2021, which enabled transfers of personal data from EU Member States to the UK to continue following Brexit. Both decisions were set to expire on June 27, 2025.
The European Commission extended the decisions by six months, to December 27, 2025, to allow time to assess the impact of the DUAA on UK data protection standards. Before that date, the European Commission may (but is not obliged to) adopt a new adequacy finding, depending on its assessment of the DUAA. Given the DUAA’s relatively minor changes to UK data protection legislation, a positive adequacy finding seems likely, though not certain.
What Should Companies Do?
The DUAA marks a subtle evolution rather than a revolution of UK data protection legislation. As such, businesses should review their data protection compliance frameworks. However, the DUAA seems unlikely to result in wholesale changes.
The most significant developments appear to be the changes to PECR and the DUAA’s impact on the UK adequacy decision. In light of the higher fines for PECR breaches, businesses should pay close attention to their digital marketing activities and monitor the adequacy decision later this year when it falls for renewal.
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.