Written by: Haim Ravia, Dotan Hammer
On February 5, 2026, the majority of the data protection provisions of the UK Data (Use and Access) Act 2025 (DUAA) came into force, bringing significant reforms to the UK’s data protection and e-privacy framework. The Act, which received Royal Assent on June 19, 2025, was commenced through the Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026.
Among the key changes now in effect, the DUAA introduces new requirements for online services likely to be accessed by children. Such services must now take into account specified “children’s higher protection matters,” including how best to protect and support children when using the service and the fact that children merit specific protection regarding their personal data.
The Act also introduces the concept of “recognised legitimate interests,” establishing a presumption of legitimacy for certain processing activities carried out under the legitimate interests lawful basis. Additionally, the scope for relying on solely automated decision-making has been expanded, narrowing the restriction to cases where significant decisions are based entirely or partly on the processing of special category data. This represents a notable divergence from the EU approach under the GDPR.
The DUAA provides a statutory definition of “scientific research” and allows data subjects to give broad consent for the processing of their data for an area of scientific research. It also updates the international data transfer framework, replacing the EU’s “essentially equivalent” adequacy test with a new “not materially lower” data protection standard. The Act grants the Information Commissioner new enforcement powers, including the authority to compel witnesses to attend interviews, require technical reports, and issue fines of up to £17.5 million or 4% of global turnover under the Privacy and Electronic Communications Regulations.
A notable exception is Section 103, which requires organizations to implement a formal complaints procedure enabling data subjects to complain directly to controllers about infringements of data protection law. This provision is scheduled to take effect on June 19, 2026. Additionally, the Act criminalizes the creation of deepfake intimate images without consent, with that provision taking effect on February 6, 2026.
Click here to read the Data (Use and Access) Act 2025.
Click here to read the Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026.
