The Data Use and Access Act 2025
The Data (Use and Access) Bill (now the Data Use and Access Act 2025 (“Act”)) received Royal Assent on 19 June 2025 after a prolonged period of back-and-forth between the House of Lords and House of Commons. The Act represents a major shift in the UK’s data landscape, with far-reaching implications in relation to how organisations share and control data. While the Act supports innovation and consumer protection, it introduces legal duties that commercial teams will need to address head-on in contracts and risk management processes.
The Information Commissioner, John Edwards, stated the following:
“The Data (Use and Access) Act 2025 gives organisations using personal information new and better opportunities to innovate and grow in the UK, and further enhances our ability to balance innovation and economic growth with strong protections for people’s rights.”
What does the Act change?
The Act amends, but does not replace, the UK General Data Protection Regulation, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (“PECR”). The changes will be phased in between June 2025 and June 2026.
Examples of change:
The ICO has set out how they think the Act will help organisations to innovate, such as:
- Automated decision-making: it opens up the full range of reasons, or ‘lawful bases’, that an organisation can rely on when they use people’s personal information to make significant automated decisions about them, so long as they continue to apply appropriate safeguards. This potentially includes allowing them to rely on the legitimate interests lawful basis for this type of processing. This doesn’t apply to special category data, which is more protected. The Act also arguably relaxes the definition of what is solely automated and possibly brings a few decisions previously thought of as automated decision-making out of scope;
- Cookie rules: allows organisations to set certain types of cookies, such as those used to collect information for statistical purposes and improve user functionality, without having to get consent from users;
- Privacy notices: allows organisations in certain situations to re-use people’s personal information for scientific research without giving them a privacy notice; and
- Research provisions: makes it clearer when organisations can use personal information for the purposes of scientific research, including commercial scientific research. It clarifies that people can give ‘broad consent’ to an area of scientific research.
The Act will make things easier for organisations, such as:
- Making things clearer: it improves the way the law is written and structured to make it easier for organisations to follow and apply, but without materially changing how organisations can use personal information. For example:
  - it clarifies that direct marketing can be a legitimate interest; and
  - it rewords the test organisations need to apply when transferring personal information outside the UK.
- Disclosures that help other organisations perform their public tasks: it allows organisations to give personal information to public organisations such as the police, without having to decide whether that organisation needs the information to perform its public tasks or functions. Instead, the public organisation making the request is responsible for this decision.
- ‘Soft opt in’ for charities: if an organisation is a charity, it allows them to send electronic mail marketing to people whose personal information they collect; and
- Subject access requests (SARs): it makes it clear that organisations are only required to make reasonable and proportionate searches when someone asks for access to their personal information.
Data protection complaints
The Act requires organisations to take steps to help users who want to make complaints about how they use their personal information, such as providing an electronic complaints form. Organisations will also be required to acknowledge complaints within 30 days and respond to them ‘without undue delay’.
Changes to the ICO
A key change as a result of the Act is the replacement of the current Information Commissioner’s Office with a new Information Commission (“IC”). The change is expected to take effect in 2027. The aim is to bring the ICO into line with other UK regulators, making the IC a full corporation with board members. This body will have a corporate structure similar to OFCOM.
The IC’s powers:
- The power to issue interview notices and to require the production of documents or the preparation of a report. These new powers are wide-ranging; for example, an interview notice may be issued to any individual who is currently, or who was at any time previously, employed by the controller or processor;
- The Act also provides the IC with new powers, including the ability to compel witnesses to attend interviews, request technical reports, and issue fines of up to £17.5 million or 4% of global turnover under PECR; and
- While the power to require documents will come into force 2 months after Royal Assent (19 August 2025), other new powers will be brought into force by secondary legislation.
Conclusion
As the Act comes into force, organisations should:
- Review affected contracts, namely data use clauses;
- Consider the risk allocation and governance framework for shared data; and
- Stay informed on ICO and sectoral guidance expected later this year.
Speak to a specialist
For further information please contact our corporate and commercial team.