UK Data (Use and Access) Bill passes

Parliament yesterday passed the Data (Use and Access) Bill which now awaits Royal Assent before becoming law. A long ping-pong between the two Houses about AI training and copyright delayed the last stages of the Bill which had broad cross-party support. The new law does not alter the UK’s current data protection regime as dramatically as was proposed under the Conservative government.

Sarah Pearce, Partner at Hunton said: “The DUA Bill represents a reform of the data protection laws in the UK and will replace the existing legislation. There has been some concern that the reform will call into question the UK’s adequacy decision with the EU which is due to expire in December and therefore impact data transfers. While extensive, the changes proposed by the Bill do not go so far as to alter the underlying principles of the GDPR that the existing regime is based on. As such, the new legislation should not impact the UK’s adequacy decision when it is reviewed by the European Commission at the end of this year.”

However, EU civil society organisations have, in an open letter to EU Justice Commissioner Michael McGrath, criticised the Bill and warned that it means a systematic weakening of privacy, and that the Commission should be mindful of that when reassessing UK adequacy.

Some of the most notable changes are around automated decision-making and legitimate interests. The Data and Marketing Association says it welcomes greater certainty around the use of legitimate Interests as a lawful basis, and extending soft opt-in to charities, as well as more flexible rules on cookies.

See:

Data (Use and Access) Bill [HL]

Privacy Laws & Business 38th International Conference has a session on 9 July entitled The UK’s new Data (Use and Access) Act 2025: Opportunities and Risks. The speakers are from the government’s Department for Science, Innovation and Technology (DSIT) and the ICO.