Top five takeaways from the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (the “DUAA”), which received Royal Assent on 19 June 2025, introduces targeted reforms to the UK data protection legal framework - particularly the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (“PECR”).

The DUAA aims to clarify good practice, reduce compliance burdens in certain areas, and launch new initiatives to support smart data access. Below are the top five key developments to be aware of:

1. Automated Decision-Making – A More Permissive Framework

The DUAA relaxes restrictions on certain forms of automated decision-making under the UK GDPR, particularly in relation to decisions that have legal or similarly significant effects on individuals.

Under the revised rules, organisations may now rely on automated processing for such decisions without requiring explicit consent in all cases. However, the DUAA also introduces new transparency and procedural safeguards. Individuals must:

• be informed about any significant decisions made solely by automated means;
• have the right to request human intervention; and
• have the right to contest the decision.

This reform is especially relevant to organisations using AI-driven tools, such as for customer profiling, credit decisions or automated eligibility assessments.

2. Complaints Handling – A New Statutory Right for Data Subjects

Historically, individuals have been able to lodge complaints with the Information Commissioner’s Office (ICO) if they believed their data protection rights had been infringed.

The DUAA introduces a new statutory requirement for individuals to first raise their complaint directly with the data controller before escalating it to the ICO. Controllers must now:

• implement a formal complaints procedure (e.g. via an electronic complaints form);
• acknowledge complaints within 30 days; and
• inform complainants of the steps being taken and keep them updated on progress.

This change formalises expectations around complaint handling and places a greater onus on organisations to resolve data concerns proactively and transparently.

3. PECR Reform – Cookie Consent Exemptions and Increased Fines

The DUAA brings targeted reforms to PECR, including the following key updates:

• Cookie Consent Exemptions:

User consent is no longer required for certain low-risk, non-essential cookies, such as first-party analytics cookies used to collect statistical data aimed at improving website performance. This is intended to reduce ‘consent fatigue’. However:

• Users must be clearly informed about such processing; and
• A prominent opt-out mechanism must be provided.

Note: Consent is still required for third-party tracking cookies or those used for profiling or targeted advertising.

• Increased Fines for PECR Breaches:

The maximum penalty for breaches of PECR has increased from £500,000 to £17.5 million or 4% of global annual turnover - aligning with UK GDPR penalty levels. This signals a tougher enforcement stance, particularly concerning unlawful electronic marketing (e.g. unsolicited emails, cold calls, SMS).

4. International Transfers – Lowered Threshold for Adequacy

The DUAA replaces the previous requirement that third countries offer “essentially equivalent” data protection to that of the UK. Under the new framework, personal data may be transferred where the protection is not materially lower than UK standards.

While this change makes it easier to facilitate international data flows, organisations are still expected to undertake transfer risk assessments and ensure appropriate safeguards are in place - particularly where no adequacy decision exists.

5. Recognised Legitimate Interests – A New Lawful Basis

The DUAA introduces a new category of lawful basis for processing, known as ‘recognised legitimate interests’. Under this provision, no balancing test is required where the processing is necessary for purposes such as:

• safeguarding national security;
• protecting public security; or
• defence.

The DUAA also clarifies other types of processing that may fall within the legitimate interests lawful basis, though these still generally require a balancing of the organisation’s interests against individuals’ rights. Examples include:

• Direct marketing;
• Intra-group data transfers for internal administrative purposes; and
• Security of network and information systems.

This new basis provides greater legal certainty but does not eliminate the need for careful assessment, especially where personal data is processed at scale or for commercial purposes.

Conclusion

The DUAA 2025 represents a pragmatic evolution of UK data protection law, aiming to balance regulatory certainty for businesses with continued safeguards for individuals.

Businesses should:

• update internal policies and procedures;
• revise privacy notices;
• reassess marketing practices; and
• refresh cookie and data transfer frameworks

to ensure they are aligned with the updated legal standards.

What About EU Adequacy?

While the DUAA 2025 offers welcome clarity and flexibility for UK-based organisations, it also introduces changes that diverge from the EU GDPR - raising potential concerns about the UK’s EU adequacy status.

The UK currently benefits from an adequacy decision, which allows for the free flow of personal data from the EU without additional safeguards. However, several DUAA reforms may be viewed by the European Commission as a lowering of data protection standards, including:

• The more permissive approach to automated decision-making;
• The lower threshold for international data transfers;
• Broader recognition of ‘legitimate interests’ as a lawful basis; and
• New cookie consent exemptions.

These changes could prompt the EU to reconsider the UK’s adequacy decision, particularly during its upcoming renewal review. Revocation of adequacy would require UK businesses to implement alternative safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) for EU-UK data transfers.

What should organisations do?

In light of this uncertainty, businesses receiving EU personal data should:

• Monitor developments in the UK-EU adequacy relationship;
• Prepare for the possibility of using contractual transfer mechanisms;
• Review cross-border data flows and ensure transfer risk assessments are up to date.

In short, while the DUAA aims to modernise UK data protection law, organisations operating internationally should remain vigilant to any future impact on EU data flows.

further information

If you have any questions regarding this blog, please contact Christopher Perrin or Caroline Sheldon in our Corporate, Commercial & Finance team.

About the authors

 Christopher Perrin is a highly experienced solicitor who leads the Corporate, Commercial and Finance team’s general Commercial & Technology Contracts, Outsourcing & Data legal advisory services.

Caroline Sheldon joined the Corporate, Commercial & Finance team in August 2022 as an associate and specialises in advising on commercial matters. She advises entrepreneurs, startups and established businesses across a variety of sectors, with a focus on those in the technology sector.