A gap between political and legal aspects of new UK law
When Royal Assent was announced on 19 June in the House of Lords and the House of Commons for the Data (Use and Access) Act (DUAA) 2025, it became clear to me that this was not only the end of years seeking a new direction for data protection law in the UK under successive governments, but also a divergence in its significance.
Lawyers discussed the finer aspects of “modest” changes, while civil society organisations have complained about the new law threatening privacy protections and accountability for data processing, in short a “systematic weakening of privacy and data protection.”
Political benefits from the new law
By contrast, throughout the process, while not waving the Brexit flag, the government is now reaping the political and economic benefits of a freer hand in developing the law without having to move slowly with the EU consensus on a more flexible approach to data protection law.
It might come as a surprise to close watchers of the bill’s, and its predecessor’s, progress into law over recent years that the government proudly announced to the media the benefits(1) from the new law in the following terms:
- “New data regime
- Will reduce time people spend stuck in traffic and
- Give NHS staff more time with patients.
- New laws will inject £10 billion into the British economy over ten years, helping the government deliver on its growth mission in the Plan for Change and key manifesto commitments.”
The Technology Minister, Peter Kyle, stated: “These new laws will finally unleash that power for hardworking people – putting cash back in pockets and boosting vital public services, all part of our Plan for Change.”
So the political and economic dimensions of enacting this legislation are clear, although one wonders whether anyone will come back in 10 years from now to check whether the:
- “New laws will inject £10 billion into the British economy over ten years” or
- “Enabling data sharing across platforms will save NHS staff 140,000 hours a year in admin” or
- “By legislating on digital verification services and introducing trusted digital verification tools, … as well as increasing trust in the market, these efficiency gains will boost the UK economy by £4.3 billion over the next decade.”
It is inevitable that the government will seek to reap political gains from its success in enacting this legislation.
Changes will be phased in over a year
Meanwhile the ICO has been busy helpfully preparing a factual summary of the changes that each relevant section of the DUAA makes, but it says that it does not cover how you interpret or apply the law.
The ICO has now published 3 overviews and 11 updates on the schedules.
Everyone could start with the “In brief” section(2) but there are many detailed explanatory sections. I will quote from only three of them:
International transfers simplified: Regarding transfers of personal data to 3rd countries “the standard of protection provided now “is not materially lower” than the standard of the protection provided under the UK GDPR and the DPA 2018. This is now referred to as the data protection test.” A simpler approach to assessments for transfers states that an organisation must meet the data protection test “reasonably and proportionately”.
Scientific research more flexible: Companies will be pleased that the section on definitions explains “scientific research can include: commercial research; processing for technological development or demonstration, so far as these activities can reasonably be described as scientific….” This is a broader approach than seemed likely in previous drafts.
Legitimate interest guidance now legally binding: Examples of processing that may be necessary for a legitimate interest are:
- Direct marketing;
- Intra-group transfers for administrative purposes; and
- Ensuring the security of network and information systems.
“These examples are taken from the recitals to the UK GDPR, so the effect is to make existing interpretative guidance in the recitals legally binding” explains the ICO.
Questions to your legal advisors
This brief snapshot of some of the changes will, no doubt, encourage you to ask questions to your internal and external legal advisors, auditors and data managers, such as:
- What is the impact of these changes in my organisation?
- What is the scope for more flexibility in our use of personal data which we already process to develop new services?
- How can we obtain personal data in more creative ways?
- Are there any significant differences relevant to our organisation between the new UK law and the EU GDPR?
- If so, what would be a proportionate effort to overcome these differences?
The Good, The Bad and The Good Enough: 7-9 July, St. John’s College, Cambridge
We at Privacy Laws & Business appreciate the perfect timing of Royal Assent to the UK’s new law. It was exactly 3 weeks before the session on the new UK law at our 38th International Conference in Cambridge, featuring two speakers from the DSIT government department and two speakers from the ICO.
Before that, there will be 27 other sessions from which you can learn, and network with a host of regulators, companies and law firms from 19 jurisdictions, and a sprinkling of academics to raise the questions which you might not want to ask in public.
Earlier on the same day, Wednesday 9 July, we will cover the international issue which many organisations are raising – what is the potential for flexibility for the EU GDPR? We have a speaker direct from the previous day’s plenary of the European Data Protection Board which will look for a consensus view on this issue from the 30 national Data Protection Authorities.
In-person places are filling fast, as you would expect, so now is your last chance to register before we reach capacity.
Laura Linkomies, Editor, I and the rest of the PL&B Team look forward to welcoming you to the conference, which many of you have told us is the highlight of your professional year.
Best regards,
Stewart Dresner
Publisher, Privacy Laws & Business
July 2025