Data (Use and Access) Bill to become law

On Wednesday, 11 June 2025, the Data (Use and Access) Bill (DUA Bill) successfully cleared its final parliamentary hurdle in the House of Lords. 

UPDATE 170625: An update to the Parliamentary Bills webpage on Tuesday confirms that the DUA Bill is scheduled to receive Royal Assent on Thursday, 19 June 2025. Once it receives Royal Assent, it will be known as the Data (Use and Access) Act 2025. 

The passage of the DUA Bill follows a protracted journey between the UK's two parliamentary chambers. Throughout this time, the House of Lords made numerous attempts to add new transparency clauses related to artificial intelligence (AI) and copyright, but these were consistently rejected by the House of Commons. In the past week, significant concerns emerged about whether the nine-and-a-half hours of ping-pong between the two houses might jeopardise the Bill's passing into law. Watch the proceedings on the Parliament TV.

Considering that this outcome was the ultimate fate of the DUA Bill's predecessor, the Data Protection and Digital Information Bill (DPDI Bill)—not once but twice—after it was introduced by two previous Conservative governments, it's hardly surprising that ministers, industry practitioners and commentators began to doubt whether the government would get its way.   

But get its way, it did, albeit after agreeing to several concessions. The agreed compromises include provisions requiring the Secretary of State to publish an economic impact assessment and draft legislation aimed at providing transparency to copyright owners about how their works are used as data inputs for AI models within nine months of the Bill receiving Royal Assent.

Once passed into law, the Data (Use and Access) Act 2025 will introduce targeted amendments aimed at modernising and streamlining the UK's data protection legal framework. It reforms both the UK General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR). Although many of the changes are technical in nature, they are nonetheless significant in several important areas. These include legitimate interests, international data transfers, automated decision-making (ADM), purpose limitation, scientific research, data subject rights, children's data, cookie requirements, PECR enforcement, and organisational changes to the Information Commissioner's Office (ICO), which will be replaced by the Information Commission.

Other provisions introduce new obligations covering data-related areas such as smart data, digital verification services and healthcare data. The UK government believes that these legislative amendments will encourage innovation and enhance public trust, while maintaining the country's vital data adequacy status with the European Union. 

In a statement, a spokesperson for the Department for Science, Innovation and Technology (DSIT) said: "This Bill is about using data to grow the economy and improve people's lives, from health to infrastructure and we can now get on with the job of doing that."

However, the question of whether the UK will maintain its two adequacy decisions is by no means assured. The European Commission agreed to a six-month extension from June to December in order to allow EU officials sufficient time to examine updated provisions. In June, a group of civil society organisations sent an open letter to EU Justice Commissioner McGrath, warning that the UK was preparing to diverge further from EU GDPR and Law Enforcement Directive standards. 

Responding to the news, the Open Rights Group warned that the DUA Bill contains "dangerous provisions that will not only make it harder for people to have control over their personal data and lives, but also threaten adequacy status with the EU."

A report by the House of Lords European Affairs Committee estimates that the financial cost of losing adequacy status would cost UK businesses £1 to £1.6 billion in compliance costs. 

Training announcement: Discover the key amendments in the Data (Use and Access) Act 2025. Join us for a comprehensive one-day workshop and learn about the implications to UK data protection law. Aimed at practitioners, public schedule and onsite course options are available. Find out more.