3 June 2025

UK Data Protection Reform Nears Final Approval: What The Data (Use And Access) Bill Means For Business Compliance

Arnold & Porter


The UK data protection reform package is entering into its final stages, and looks set to become law in a matter of weeks. The Data (Use and Access) Bill (DUA Bill) returned to the House of Lords for consideration of Commons amendments in the parliamentary "ping pong" process on May 19, 2025, after Members of the Lords first considered changes made by MPs in the Commons on May 12, 2025. The draft bill will now be passed between the two houses until they both agree to the wording, after which it can gain Royal Assent (approval from the king) and become law. As far as data protection is concerned, the legislation is more of a refinement of existing law than a radical departure. However, the changes are likely to require businesses to revisit their processing activities and policies, paying particular attention to direct marketing practices in light of significantly larger maximum fines for non-compliance.

Background

UK data protection reform has undergone a number of iterations since its original inception under the previous government. Following the Labour Party's election victory in July 2024, the King's speech included a Digital Information and Smart Data Bill. The bill was subsequently renamed the Data (Use and Access) Bill and was introduced to the House of Lords on October 23, 2024, through which it completed its passage and was the subject of significant debate and amendment. The DUA Bill supersedes the previous government's failed data protection reform attempts, the Data Protection and Digital Information Bill, and its successor and second iteration, the Data Protection and Digital Information (No. 2) Bill (DPDI Bill), which failed to complete its journey through Parliament prior to the end of the wash-up period under the outgoing Conservative government in 2024.

Speaking at the International Association of Privacy Professionals (IAPP) Data Protection Intensive UK 2025 in London, U.K. Minister of State for Data Protection and Telecoms Chris Bryant said "The single most important thing for us is to improve trust in the use of data," adding "We'll finish this bill by Easter or a couple weeks after."

Information Commissioner John Edwards has been broadly supportive of the DUA Bill, stating on the Information Commissioner's Office (ICO) website:

Overall, the Bill remains one which I support as improving the effectiveness of the data protection regime in the UK, upholding people's rights, providing regulatory certainty and clarity for organizations and improving the way the ICO regulates.

Changes the DUA Bill Would Introduce

The DUA Bill is an evolution of the DPDI Bill, much of which it retains. The DUA Bill includes proposals in relation to smart meter schemes, digital verification services, data sharing to improve public service delivery, retention of biometric data, retention of information by internet service providers (ISPs) in connection with a child's death, and trust services.

The DUA Bill is divided into eight parts and 16 schedules. Part 5 makes various changes to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (PECR). These changes include the following:

1. Definition of scientific research and changes to the rules on consent to scientific research

The DUA Bill introduced a new definition of scientific research, which would bring the substantive provisions of the UK GDPR into line with the existing recitals and regulatory guidance, encouraging a broad interpretation of the concept of "scientific research," as well as streamlining consent requirements. However, the specific rules around scientific research have been the subject of much debate in Parliament, and have yet to be finalized.

2. Changes to lawful bases for processing — examples of legitimate interests

The DUA Bill introduces a non-exhaustive list of examples of processing activities that can constitute a legitimate interest of the controller for the purposes of Article 6(1)(f) UK GDPR. These include processing that is necessary for the purposes of direct marketing; intra-group transmission of client, employee, or other individuals' personal data for internal administrative purposes; and ensuring the security of network and information systems. These examples largely reflect the existing recitals of the UK GDPR.

A new Article 6(1)(ea) provides for lawful processing for the purposes of a "recognized legitimate interest" where such processing meets a condition in Annex 1 of Schedule 4 of the bill.

The recognized legitimate interests are where the processing is necessary for:

  • Disclosure to a person carrying out a public interest task
  • Safeguarding national security
  • Protecting public security and defense purposes
  • Responding to an emergency as defined in the Civil Contingencies Act 2004
  • Detecting, investigating, or preventing crime or apprehending offenders
  • Safeguarding vulnerable individuals

The Secretary of State may add, omit, or vary the list of recognized legitimate interests, provided certain safeguards are met.

3. Clarification of the purpose limitation principle (and exemption to the associated transparency requirements)

The DUA Bill would insert a new Article 8A that sets out the conditions where further processing is compatible with the original purpose of processing for which personal data were collected. The circumstances are listed in Article 8A(3) and include where the data subject has given fresh consent to the new purpose; where the processing is for scientific or historical research; where archiving is in the public interest; or where the processing is for any of the purposes specified in Annex 2. Purposes specified in Annex 2 include where the processing is necessary for disclosure to a person carrying out a public interest task, public security, crime detection, investigation and prevention, protection of a data subject's vital interests, and safeguarding vulnerable individuals. As with the proposed Article 6(1)(ea), the Secretary of State may add, vary, or omit provisions to Annex 2.

4. Automated decision-making (ADM)

The DUA Bill relaxes some of the current restrictions on the use of personal data, but not the use of special categories of personal data such as health data, for the purposes of automated decision-making. The bill clarifies that a decision based on automated decision-making is one with no meaningful human involvement. Controllers must consider the extent to which a decision has been made on the basis of profiling when establishing whether or not human involvement has been "meaningful." A "significant decision" is one that results in legal or comparably significant effects on a data subject. A significant decision based wholly or partially on the use of any of the special categories of personal data is prohibited unless the data subject has given their consent, the activity is necessary for the purpose of entering into or performing a contract, or is required by law.

5. Data subjects' rights

The DUA Bill aligns the subject access provisions of the UK GDPR with existing ICO guidance. For instance, the response period "stops the clock" where the controller cannot proceed with the response without further information from the data subject or proof of the data subject's identity. Additionally, the bill clarifies that controllers need only carry out a "reasonable and proportionate" search for information and personal data in response to a subject access request, which reflects current case law (though the bill does not provide further detail on what constitutes a "reasonable and proportionate" search). However, the proposal from the DPDI for controllers to be able to refuse a subject access request on the grounds that it is vexatious has been dropped. Accordingly, controllers will still have to demonstrate that a request is manifestly unfounded or excessive in order to refuse to comply with it.

6. Data Transfers

The DUA Bill introduces a more flexible, risk-based approach to data transfers, which aligns with the UK's broader strategy to diverge from the EU, though not so far as to jeopardize the UK adequacy finding made by the European Commission. The bill would replace Chapter V of the UK GDPR and require the Secretary of State, when assessing adequacy, to consider whether the standard of data protection in the country under consideration is materially lower than the UK, and apply a "data protection test," which must be considered in relation to the appropriate safeguards.

7. Changes to PECR

The DUA Bill makes a number of changes to PECR, in particular:

  • New exemptions to the requirement for consent to set cookies for collecting statistical information to improve the service; functional purposes (i.e., how an information society service is displayed); personalization cookies (which automatically authenticate a repeat user of digital services or repeat visitor to a website, and maintain a record of settings or preferences); or where the sole purpose is to enable the geographical position of a user to be ascertained in response to an emergency communication
  • Permitting charities to rely on the soft opt-in
  • Aligning the ICO's enforcement powers with those of the UK GDPR, i.e., maximum fines of the greater of £17.5 million or 4% of the previous year's worldwide annual turnover

Impact on EU-UK adequacy finding

While the DUA Bill retains many of the changes proposed by its predecessor the DPDI, some of the more controversial proposals have not been carried over. In particular, the DUA Bill does not include the DPDI's proposed replacement of data protection officers (DPOs); changes to the definition of personal data; amendments to data protection impact assessments (DPIAs); extending the requirement to maintain a record of processing activities (ROPA); or abolishing the requirement to appoint a UK representative. These more controversial proposals from the DPDI Bill threatened the UK's adequacy decision made by the European Commission. The UK adequacy decision, which, following Brexit, permits the free flow of personal data from the EU to the UK, was set to expire on June 27, 2025, unless extended.

On March 18, 2025, the European Commission published the draft technical extension of the UK adequacy decision, which extends the UK adequacy decision by a period of six months, expiring on December 27, 2025, in order to allow the European Commission to assess the adequacy of the protection of personal data under the UK data protection regime as amended by the DUA Bill. On May 6, 2025, the European Data Protection Board (EDPB) announced the adoption of Opinion 06/2025 regarding the extension of the European Commission Implementing Decisions under the GDPR and the Law Enforcement Directive on the adequate protection of personal data in the United Kingdom (Opinion 06/2025). Opinion 06/2025 provides that until December 27, 2025, personal data transferred from the European Economic Area to the UK will continue to benefit from an adequate level of data protection. After this date, the European Commission may make a new adequacy decision in favor of the UK, which will depend on its assessment of the DUA Bill when it becomes law. Given that the DUA Bill does not appear to result in a significant divergence from the GDPR, such a finding does not seem unlikely.

Implications for businesses

The DUA Bill is in its final stages of parliamentary review and is expected to become law in June 2025. It is an evolution rather than a revolution, and many of its changes are subtle refinements rather than radical shifts. However, businesses will need to revisit their internal policies, especially around research, marketing and AI transparency. Probably the most significant risk the DUA Bill creates for companies arises from the higher fines available to the ICO for breaches of PECR (which align with the maximum fines under the UK GDPR), since historically the ICO has tended to take more enforcement action for breaches of PECR than for breaches of the UK GDPR. In practice, this means that businesses engaged in direct marketing should revisit their policies before the new law takes effect. In addition, since website cookies are also regulated under PECR rather than the UK GDPR, and the ICO uses automated scanning to detect non-compliant cookies (see our March 2025 Advisory), website owners would be prudent to review their use of cookies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
