UK Data (Use and Access) Act 2025: Comparison with EU GDPR and UK DPA 2018
- Ira Goel
- Jun 30

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and represents the most significant update to UK data protection law since Brexit. Rather than replacing existing legislation, it amends and supplements the UK Data Protection Act 2018 to create a distinctly British approach to data protection while maintaining high standards.
In this article, we share a very high-level analysis of the DUAA in relation to the UK DPA 2018 and EU GDPR.
Key Changes Overview
The Act introduces comprehensive reforms across nine major areas of data protection, alongside provisions for smart data schemes, digital verification services, and enhanced regulatory powers. Implementation will be phased over 2-12 months following Royal Assent, with specific provisions taking effect at different times.
DUAA Section | UK GDPR Article Amended | Provision | Dependencies | UK DPA 2018 Section | EU GDPR Article | Deviation from EU GDPR/UK DPA |
|---|---|---|---|---|---|---|
Section 67 | Article 4 (definitions) | Scientific research definition expanded to include commercial research; genealogical research included in historical research; statistical purposes restricted to aggregate data only | None | Section 6 (amended) | Article 4 | Significant expansion: Commercial research explicitly permitted; genealogical research formally recognized; statistical purposes more restrictive than EU GDPR |
Section 68 | Article 4 (consent definition) | Broad consent permitted for scientific research where specific purposes cannot be identified at collection | Must be consistent with ethical standards; opportunity for partial consent required | None | Article 4 | Expansion: More permissive than traditional EU GDPR interpretation of consent requirements |
Section 70 | Article 6(1) - adds new basis (ea); Articles 6(5)-(12) added | Introduction of "Recognised Legitimate Interests" as new lawful basis | Conditions in new Annex 1 must be met; Secretary of State may amend by regulations | Multiple amendments removing "controller's" language | Article 6(1)(f) | Major expansion: New lawful basis covering national security, public security, emergencies, crime prevention, safeguarding - no balancing test required |
Section 70 | Schedule 4 inserts new Annex 1 | Recognised legitimate interests categories defined | Processing must fall within specified categories | N/A | N/A | New framework: No equivalent in EU GDPR - creates pre-approved categories |
Section 71 | Article 5(1)(b) amended; Article 6(4) omitted; new Article 8A inserted | Purpose limitation clarified with compatibility framework | Must meet compatibility test in new Article 8A; certain categories automatically deemed compatible | Sections 36(1), 87(1) amended | Article 5(1)(b), 6(4) | Significant restructuring: More detailed compatibility framework with "deemed compatible" categories |
Section 72 | Articles 6(3), 9(2)(g), 9(5), 10(1), 10(2) amended; Article 8A(3)(e) | Processing based on "relevant international law" permitted | Must meet conditions in new Schedule A1 | New Section 9A; New Schedule A1 | Articles 6(3), 9(2)(g) | New basis: International law as lawful processing basis not available in EU GDPR |
Section 76 | Article 12 amended; new Article 12A inserted | "Stop the clock" rule for subject access requests | Controller may pause response time if more information needed from requester | Sections 45(5), 54, 94 amended | Article 12 | Flexibility enhancement: New mechanism to pause timeframes not in EU GDPR |
Section 78 | Article 15 - adds subsection 1A | "Reasonable and proportionate search" standard for subject access requests | None - applies to all access requests | Sections 45, 94 amended | Article 15 | Scope limitation: Formal restriction on search extent not in EU GDPR |
Section 80 | Article 22 replaced with new Articles 22A-22D | Automated decision-making restrictions substantially relaxed | Safeguards required: information, representations, human intervention, contestation | Sections 49-50 replaced with new Sections 50A-50D | Article 22 | Major liberalization: Removes general prohibition; only restricts special category data processing |
Section 81 | Article 25 - adds paragraphs 1A-1B | Children's data protection by design requirements | Applies to information society services likely accessed by children | None | Article 25 | Child-specific enhancement: New requirements for children's services not in EU GDPR |
Section 85 | Schedule 7 - new Articles 44A, 45A-45C, 49A replace Articles 44-45 | International transfers simplified with "data protection test" | Secretary of State assessment; may consider transfer facilitation | Schedule 8 - new Sections 74AA-74AB | Articles 44-45 | Fundamental change: Replaces EU "adequacy" standard with UK-specific test; adds facilitation consideration |
Section 103 | Article 77 omitted; Article 57 amended | New data subject right to complain to controllers | Controllers must facilitate complaints and provide electronic forms | New Sections 164A-164B | Article 77 | Paradigm shift: Primary complaints mechanism moves from supervisory authority to controllers |
Section 74 | New Article 11A | Secretary of State power to designate new special category data | Regulations subject to affirmative resolution | New Sections 42A, 91A | Article 9 | Expansion potential: Power to add categories beyond EU GDPR's nine categories |
Section 86 | New Chapter 8A - Articles 84A-84D; Article 89 omitted | New safeguards framework for research, archiving, statistical purposes | Must meet "appropriate safeguards" test in new Article 84C | Section 19 omitted | Article 89 | Complete restructuring: Replaces Article 89 with more detailed UK-specific framework |
Section 114 | N/A - PECR Regulation 22 amended | Charities permitted to send direct marketing emails without consent | Must be for charitable purposes, contact from supporter, easy opt-out provided | N/A | N/A - ePrivacy Directive | New charity exception: Not available under EU ePrivacy framework |
Section 115 | N/A - PECR amendments | Enhanced Commissioner enforcement powers with higher penalties | New powers to compel attendance and impose fines up to £17.5m for PECR breaches | New Sections 148A-148C | N/A | Enforcement enhancement: Penalty alignment with GDPR not in EU ePrivacy |
Sections 112-113 | N/A - PECR amendments | Cookie consent rules relaxed for low-risk situations | Specific exceptions in new Schedule 12 | N/A | N/A | Liberalization: New exceptions for technical, statistical, and website functionality cookies |
Sections 117-120 | N/A | Information Commissioner replaced by Information Commission with board structure | Board of non-executive and executive members | New Section 114A; New Schedule 12A | N/A | Structural transformation: Corporate body replaces individual Commissioner model |
Major Innovations and Deviations
Revolutionary Changes
Automated Decision-Making: The most significant departure from EU GDPR removes the general prohibition, replacing it with a safeguards-based approach that permits automated decisions across all lawful bases except for special category data.
Recognized Legitimate Interests: Creates a new lawful basis (Article 6(1)(ea)) that eliminates balancing test requirements for specified public interest activities.
International Transfers: Abandons EU-style "adequacy" decisions in favor of a UK-specific "data protection test" that explicitly considers transfer facilitation.
Enhanced Protections
Children's Rights: Mandatory data protection by design consideration for services likely accessed by children, giving legal force to the Age-Appropriate Design Code principles.
Controller Complaints: New statutory right for individuals to complain directly to controllers, with mandatory electronic complaint forms and 30-day acknowledgment requirements.
Operational Flexibilities
Research Framework: Commercial research explicitly permitted with broad consent mechanisms and enhanced exemptions.
Subject Access: "Stop the clock" provisions and "reasonable and proportionate" search standards provide operational relief.
Charity Communications: New "soft opt-in" exception for charitable direct marketing not available under EU law.
Implementation Timeline and Transition
The Act's provisions will be implemented in phases between June 2025 and June 2026, with specific commencement dates set by secondary legislation. Some provisions, including the reasonable search requirements, are treated as having retrospective effect from 1 January 2024.
Regulatory Transformation
The replacement of the Information Commissioner with the Information Commission represents a fundamental shift from an individual-led to a corporate governance model, with enhanced enforcement powers including interview notices and penalty alignment across all privacy regulations.
The Act represents a balanced evolution of UK data protection law, maintaining core GDPR principles while adapting the framework for British priorities including innovation support, regulatory efficiency, and enhanced international cooperation capabilities.
Disclaimer: This article provides a high-level analysis of the key data protection-related changes in the Data (Use and Access) Act 2025. It is not exhaustive and should not be considered legal advice. Organizations should consult the full text of the legislation and seek professional legal counsel to ensure compliance with their specific obligations.
