ARTICLE
2 July 2025

UK Data Use And Access Bill Becomes Law

KG
K&L Gates LLP

Contributor

At K&L Gates, we foster an inclusive and collaborative environment across our fully integrated global platform that enables us to diligently combine the knowledge and expertise of our lawyers and policy professionals to create teams that provide exceptional client solutions. With offices spanning across five continents, we represent leading global corporations in every major industry, capital markets participants, and ambitious middle-market and emerging growth companies. Our lawyers also serve public sector entities, educational institutions, philanthropic organizations, and individuals. We are leaders in legal issues related to industries critical to the economies of both the developed and developing worlds—including technology, manufacturing, financial services, health care, energy, and more.
The UK's major post-Brexit reform of the UK General Data Protection Regulation (UK GDPR), the Data Use and Access Act (DUAA), became law on 19 June 2025.
United Kingdom Privacy

The UK's major post-Brexit reform of the UK General Data Protection Regulation (UK GDPR), the Data Use and Access Act (DUAA), became law on 19 June 2025.

The DUAA had a long gestation in the form of two previous draft laws, the Data Protection and Digital Information Bills No. 1 and 2, the second of which failed when the UK general election 2024 was called. The new government resurrected most elements of the previous proposals as the DUAA.

The UK Information Commissioner's Office has published guidance on the effects of the DUAA for businesses, but some of the more eye-catching changes include:

  • Of particular interest to businesses considering AI solutions – the removal of restrictions on use of personal data for automated decision-making, as long as there are some safeguards in place.
  • Consent no longer required to set statistical and functionality cookies.

The wider impact of the DUAA on UK–EU data transfers remains to be seen, with the EU due to review its UK adequacy decision by the end of 2025. However, as the EU has announced its own intention to reform the GDPR, more change could be on the way.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More