July 01, 2025

The UK’s Data (Use and Access) Act 2025

Important Changes to UK Data Laws Including the UK General Data Protection Regulation

At a Glance

  • The Act makes targeted reforms by amending the UK General Data Protection Regulation 2021. The aim is to ease the compliance burden for businesses and encourage scientific research and innovation, while at the same time maintaining the high level of privacy protection which is required for the United Kingdom to maintain its adequacy status with regard to transfers of personal data from the European Union.
  • The Act makes notable changes to the Privacy and Electronic Communications Regulation. In particular, it adjusts the cookie consent rules.
  • The Act facilitates data portability and secure sharing of customer and business data with regulated and authorized third parties under “smart data schemes”, intended to improve data portability between suppliers, service providers, customers and relevant third parties.

The UK Parliament has recently introduced significant and wide-ranging new legislation relating to data use. The Data (Use and Access) Act 2025 (Act) introduces new laws in a number of areas including: data sharing and smart data schemes, digital verification services, and deepfake images. It also makes significant changes to the UK General Data Protection Regulation (UK GDPR).

Key Changes to the UK GDPR and Data Protection Act 2018

The Act makes targeted reforms by amending the UK GDPR 2021 (which adopted, largely unchanged, the EU GDPR post-Brexit) and the Data Protection Act 2018 (which implemented the EU GDPR in UK law). The aim is to ease the compliance burden for businesses and encourage scientific research and innovation, while at the same time maintaining the high level of privacy protection which is required for the United Kingdom to maintain its adequacy status with regard to transfers of personal data from the European Union. The key changes made by the Act likely to impact U.S. businesses are in the areas outlined below.

New Lawful Basis for Processing Personal Data

The Act introduces a new lawful basis for processing personal data on the basis of a “recognised legitimate interest” (for example, safeguarding national security, responding to emergencies, or preventing and detecting crime). Such activities, which are deemed inherently legitimate, will no longer require a balancing test to be carried out (although the UK GDPR’s other principles, such as the test of necessity of processing, continue to apply).

Automated Decision-Making (ADM)

Restrictions on ADM (decisions made with no meaningful human involvement) are relaxed in respect of nonsensitive data. This will allow organisations to make solely automated decisions in a broader range of circumstances and narrow the prohibition on ADM to decisions involving sensitive categories of personal data (e.g., biometric or health data). This removes, at least in respect of nonsensitive personal data, the protections under Article 22 of the GDPR; these limited ADM to circumstances where (i) it is necessary for entering into or performing a contract; (ii) a decision is required or authorised by law; or (iii) the data subject has explicitly consented.

The Act balances these relaxations with new safeguards including: a requirement for the controller to provide information to the data subject about any significant decisions being taken in relation to them based solely on automated processing, the right of the data subject to contest or make representations about any such decision, and the right for the data subject to require human intervention.

Data Subject Access Requests (DSARs)

The Act codifies the principle in existing UK case law that controllers only have to carry out reasonable and proportionate searches for information and personal data requested, thereby reducing the administrative burdens and technical challenges for organizations responding to DSARs.

Scientific Research and Data Use

The Act expands the definition of scientific research to include both public and privately funded and both noncommercial and commercial activities. This is intended to encourage broader use of personal data for research purposes. It clarifies rules on further processing and compatible processing of data, in an attempt to balance innovation with privacy safeguards.

The Act amends Article 4 of the UK GDPR by providing that data controllers processing personal data for scientific research purposes can obtain consent relating to an area of scientific research even where it is not possible to identify fully all of the purposes for which the personal data is to be processed at the time of collection. However, the process of seeking consent must be consistent with generally recognised ethical standards, and thus data subjects must be given an opportunity to consent to processing for only part of the research.

Privacy and Electronic Communications Regulation (PECR) Updates

In addition to the changes to the UK GDPR, the Act makes notable changes to the PECR. In particular, it adjusts the cookie consent rules in order to:

  • Permit the use of cookies to collect information for statistical purposes about how online services are used or to allow users to adjust the appearance or functions of websites according to their preferences.
  • Allow the use of cookies where storage or access is “strictly necessary” to provide an information society service, with nonexhaustive examples including security, fraud prevention, fault detection and authentication.

Enforcement powers under PECR will now be aligned with UK GDPR, increasing the maximum penalties to 4% of annual worldwide turnover or £17.5 million. The requirement to establish that a contravention of PECR has caused substantial damage and distress has been removed, thereby making it easier for claimants to bring claims.

Data Sharing and Smart Data Schemes

The Act facilitates data portability and secure sharing of customer and business data with regulated and authorized third parties under “smart data schemes”. The Act is intended to improve data portability between suppliers, service providers, customers and relevant third parties with the aim of:

  • Rebalancing the information asymmetry between suppliers and customers
  • Enabling customers to make better use of their personal data, e.g., for customer tariff comparisons
  • Providing new services in and across the sectors, such as those which may help consumers save and manage their money and services

These provisions are intended to expand the UK’s open banking model and establish similar frameworks in other sectors, such as open finance.

Digital Verification Services (DVS)

The Act introduces a framework for digital ID verification services, enabling trusted digital identities for individuals and businesses — for example, right-to-work and right-to-rent checks.

Deepfake Images

Clause 138 introduces new offences of creating or soliciting the creation of intimate images without consent.

AI and Copyright

The Act stops short of introducing specific transparency requirements for the use of copyright works in AI training datasets. Instead, it mandates the Secretary of State to:

  • Publish, within 9 months, an economic impact assessment of the four policy options in the Copyright and AI Consultation Paper, taking into account the impact of those options on copyright owners and developers of AI systems. By way of reminder, the four options are:
    1. Express licensing requirements for training AI
    2. A broad data-mining exception
    3. A data-mining exception allowing rights owners to reserve their rights in respect of access by AI
    4. No change to the current system
  • Report on the use of copyright works in AI development, considering licensing, enforcement mechanisms and technical standards.

Timeline and Phased Implementation

Only a limited number of provisions of the Act have come into force immediately:

  • Section 78, setting out “reasonable and proportionate searches” for DSARs
  • Sections 124 to 128, relating to the retention of biometric data for law enforcement purposes

Most other provisions will be introduced through secondary legislation within a phased timeline, expected to take up to 12 months for full implementation.
