After years of political back-and-forth, the UK’s new Data (Use and Access) Act 2025 has finally cleared Parliament and is awaiting Royal Assent. The Act introduces the most significant reforms to UK data law since the country retained the EU’s GDPR after Brexit. While it doesn’t completely rewrite the rules, it does mark a shift toward greater flexibility, stronger support for digital innovation and a clearer break from some of the European data protection orthodoxy.
What’s in the Act?
At its core, the Act updates UK GDPR, revises the Privacy and Electronic Communications Regulations (PECR), and lays the groundwork for broader data-sharing and digital infrastructure reforms. It contains both targeted legal tweaks and broader structural changes.
A major development is the formal creation of digital ID frameworks in the UK, enabling secure, reusable digital identification for public and private services from applying for benefits to, theoretically, buying a pint. The Act also introduces standards for NHS data interoperability, aiming to reduce the friction in sharing patient information between hospitals and GPs.
On the regulatory side, the Information Commissioner’s Office (ICO) is being replaced with a more formalised Information Commission, structured like other UK regulators with a board and a chair; the current commissioner, John Edwards, will serve as the first chair.
There are also substantive changes to data protection law. Scientific research provisions have been expanded, including a statutory definition of research and modifications to how consent applies in that context. The Act introduces a set of “recognised legitimate interests”, allowing organisations to process data without having to conduct a Legitimate Interest Assessment in certain common cases. Automated decision-making (ADM) rules have also been eased, now only applying where special category data is involved, a significant deregulation of everyday AI systems.
For marketing and online services, the Act raises the maximum fines under PECR (governing cookies and direct marketing) to GDPR levels, potentially increasing enforcement risk for non-compliant organisations. It also subtly expands the scope of technologies covered by cookie rules, while creating broader exceptions. For instance, some analytics cookies may no longer require user consent.
Internationally, the Act allows international data transfers based on a “not materially lower” standard of protection, replacing the more stringent EU test of “essentially equivalent” protections. Though a subtle change in language, this could have serious implications for how the UK handles data flows with countries outside the EU.
What the Act notably does not include is any firm position on the use of copyrighted material in AI model training. Despite pressure from the House of Lords, all proposed AI-related copyright amendments were removed. The government is instead preparing a separate proposal, with a report due within six to nine months of Royal Assent.
Why did it take so long?
The road to this Act was a long, winding one and at times politically fraught. The reforms originally appeared as the Data Protection and Digital Information Bill (DPDI), introduced by the Conservative government. However, that bill faced repeated delays, particularly during a period of political instability marked by leadership changes and two general elections. The second version of the DPDI Bill failed to survive the wash-up period before the 2024 general election.
When Labour came into power, they revived the proposal under the new name: The Data (Use and Access) Bill. While the substance remained largely the same, the Labour version dropped some of the more controversial Conservative proposals, making it easier to gain parliamentary consensus. Even so, the Bill faced heavy scrutiny in the House of Lords, particularly on AI and copyright issues, with repeated attempts to introduce transparency and opt-out requirements for AI training data. In the end, the Lords accepted a government compromise: A formal report on AI copyright enforcement will be published within the next nine months.
While the Bill ultimately passed in June 2025, the delays reflected broader tensions between innovation and regulation, between privacy and commercial use, and between national autonomy and alignment with the EU.
How is it different from UK GDPR and the DPDI bill?
Compared to the EU’s GDPR, the Data (Use and Access) Act introduces more flexible, innovation-focused standards reflecting the UK government’s ambition to be a leader in pro-innovation regulation. It departs from the GDPR in some significant ways:
- Automated decision-making protections are now limited to decisions using special category data, making it easier to deploy AI tools without prior human oversight.
- The recognised legitimate interests concept means organisations no longer need to carry out a balancing test for certain types of processing, reducing compliance burden.
- The threshold for international data transfers is lowered to “not materially lower” rather than the GDPR’s “essentially equivalent”, which may make it easier to transfer data to non-EU countries but could complicate the UK’s adequacy agreement with the EU.
- Administrative requirements such as appointing a DPO and conducting DPIAs have been replaced or removed, streamlining governance requirements.
The Data (Use and Access) Act closely resembles the DPDI Bill in structure and intent. However, it trims back some of the ideological edges of its predecessor and incorporates new elements, such as reforms to NHS data standards and provisions on digital identity. Perhaps most importantly, the new government took a more cautious approach to AI and copyright, preferring to defer that debate rather than legislate prematurely.
What about enforcement?
Alongside the policy shifts, the Data (Use and Access) Act also marks a notable evolution in how data protection will be enforced in the UK. Some changes signal a firmer hand, especially around marketing and cookies, while others suggest a lighter, more flexible regulatory touch, especially for organisations struggling with GDPR red tape.
We will see a clear increase in enforcement firepower when it comes to the rules that cover spam, direct marketing and cookies. Under the new Act, these fines can reach up to £17.5 million or 4% of global turnover. This aligns the sanctions with the seriousness of modern digital harms, and given that much of the ICO’s past enforcement activity has been in this space, we may see a jump in both the size and frequency of fines. For marketers, this should put cookie practices, SMS and email campaigns firmly back on the compliance radar.
But while the risk has gone up in some places, the Act also dials it down in others. Several of the more rigid requirements of the UK GDPR have been removed or softened. Organisations are no longer required to appoint a Data Protection Officer (DPO), and Data Protection Impact Assessments (DPIAs) have been replaced by more flexible risk assessments. New provisions also mean that some processing activities, particularly for things like fraud prevention or national security, will automatically qualify as having a legitimate interest, removing the need for complex balancing tests. In practice, this may reduce the number of enforcement actions triggered by purely procedural errors, especially for smaller organisations and charities.
When it comes to AI and automated decision-making, the new rules may have the opposite effect: fewer restrictions, but potentially more scrutiny. The Act now limits restrictions on automated decisions to those involving special category data, such as health or political views. Most commercial AI tools don’t process this kind of data, so the change could effectively deregulate many AI-powered decisions. While this aligns with the government’s pro-innovation stance, it may also raise new ethical or legal questions if harmful outcomes aren’t clearly caught by the existing framework.
And it’s worth noting that the Act is just the start. Much of its implementation will come through secondary legislation, particularly around digital ID, NHS data sharing, smart data schemes, and international transfers. This means enforcement priorities could shift again depending on how these rules are drafted and how actively the new Information Commission chooses to act.
What’s next?
As noted, much of the Act’s implementation will depend on secondary legislation, so the full picture won’t emerge immediately. Those changes are expected to take effect relatively soon, so organisations should review their cookie practices, automated decision-making systems and data subject access request (DSAR) response protocols to ensure compliance.
Those involved in scientific research or further processing of personal data should familiarise themselves with the new definitions and legal grounds introduced by the Act. Similarly, international businesses should keep a close eye on the EU’s adequacy review, which has been extended to the end of 2025, as any divergence could affect data transfers from Europe to the UK.
The Data (Use and Access) Act 2025 is not a wholesale replacement for UK GDPR, but it is a definitive step in the UK’s move toward a more tailored, independent data protection framework. It simplifies some rules, raises others and signals a future in which the UK’s regulatory direction could steadily diverge from the EU’s, with both opportunities and risks for those who process data in or from the UK.