Written by: Haim Ravia, Dotan Hammer
The UK Data (Use and Access) Act 2025 (“DUAA” or “the Act”) received Royal Assent on June 19, 2025. This wide-ranging Act introduces significant changes to the UK’s existing data protection and privacy legislation. While it will not replace the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or the Privacy and Electronic Communications (EC Directive) Regulations 2003, it aims to amend these laws to simplify rules for organizations, encourage innovation, assist law enforcement, and enable responsible data-sharing while maintaining high data protection standards.
Key changes introduced by the DUAA include:
- A more permissive framework under the UK GDPR for automated decisions with legal or similarly significant effects, requiring mandatory safeguards like providing information, enabling challenges, and allowing human intervention. Similar provisions apply to law enforcement, with limited exemptions for reasons like national security, provided the decision is reconsidered with meaningful human involvement promptly.
- Time limits for responding to SARs, introducing a “stop the clock” rule if organizations need more information from the requester, and requiring only reasonable and proportionate searches.
- New rules require certain online services accessed by children to consider how to protect and support them during the design phase.
- Clarification that scientific research may include commercial research, permission to seek consent for broad areas of related research, and an outline of necessary safeguards for using personal data.
- A new lawful ground for processing personal data is introduced, offering businesses more confidence for purposes such as crime prevention, safeguarding, and emergency response.
Simplified rules for transferring personal data internationally. - New requirements for organizations that handle complaints from individuals concerning data protection breaches, for example, by providing an electronic complaint form and informing the individual of the outcome.
- Permission to use cookies without explicit user consent in certain low-risk situations, such as website analytics.
These changes to data protection law will be implemented in stages, with commencement dates set in regulations between 2 and 12 months after Royal Assent.
Click here to read the UK Data (Use and Access) Act 2025.
