
The Data (Use and Access) Bill – A new era for innovation and data governance
The Data (Use and Access) Bill (or “DUA Bill”) completed its passage through Parliament on 11 June 2025, after nine rounds of ‘ping-pong’ between the two Houses. The House of Commons and the House of Lords have agreed the final text, and the bill now awaits Royal Assent, at which point it becomes law.
The DUA Bill reforms UK data protection law, modernising the UK’s approach to handling both personal and non-personal data. It does not replace the existing framework: the Data Protection Act 2018 (“DPA 2018”), the UK General Data Protection Regulation (“UK GDPR”) and the Privacy and Electronic Communications Regulations (“PECR”) all continue to apply. The bill amends them, introducing new mechanisms intended to improve data accessibility without forgoing data security.
Key changes
The bill introduces a number of important changes to UK data protection and privacy law. The key changes include:
Use of legitimate interests
The DUA Bill provides greater certainty around the use of legitimate interests as a lawful basis for processing. It inserts a new lawful basis into Article 6 of the UK GDPR together with a list of ‘recognised legitimate interests’ (for example, disclosures to public bodies carrying out their public tasks, national security and defence, responding to emergencies, preventing or detecting crime, and safeguarding vulnerable individuals). Processing for one of these purposes no longer requires a legitimate interests assessment, i.e. the balancing test against the interests and rights of the data subject. Separately, the bill gives three examples of processing that ‘may be’ necessary for a legitimate interest: direct marketing, intra-group transmission of personal data for internal administrative purposes, and ensuring the security of network and information systems. These examples mirror the existing UK GDPR recitals and are not recognised legitimate interests: the balancing test still applies to them, so an organisation relying on legitimate interests for security monitoring or logging should continue to document its assessment and limit the data collected to what the security purpose actually requires.
Enabling ‘beneficial’ AI and solely automated decision-making (“ADM”)
The DUA Bill relaxes the rules on ADM where the government considers it beneficial and low risk. Under the current Article 22 of the UK GDPR, a decision based solely on automated processing that produces legal or similarly significant effects is prohibited unless a narrow exception applies. The bill replaces this general prohibition with a requirement for safeguards: the data subject must be told that a significant decision has been taken about them by automated means, be able to make representations, obtain human intervention and contest the decision. This permits more flexibility in using automated systems (including AI) to process personal data, but the stricter, prohibition-based regime continues to apply where the decision is based on special category data.
Cookies and tracking technologies reform
The DUA Bill introduces a more flexible approach to the use of cookies and similar tracking technologies under PECR. Storing or accessing information on a user’s device currently requires consent unless it is strictly necessary for a service the user has requested; that existing exemption is unchanged. The bill adds exemptions from the consent requirement for certain non-essential ‘low-risk’ purposes: collecting statistical information about how the service is used with a view to improving it, adapting the appearance or functionality of the service to the user’s preferences, and determining the location of the device for the purpose of emergency assistance. The new exemptions are conditional: the storage or access must be for that sole purpose, and users must be given clear information about it and a simple means of objecting. Organisations should therefore check each cookie against the specific exemption it relies on rather than treating all analytics or preference cookies as consent-free.
Soft opt-in for charities
This change extends the existing ‘soft opt-in’ for electronic direct marketing, which is currently available only to commercial organisations, to charities. A charity will be able to send marketing emails without prior consent where the sole purpose of the marketing is to further its charitable purposes, the recipients provided their contact details while expressing interest in or offering support for those purposes, and they were given a simple means of refusing marketing when their details were collected and in each subsequent message.
Fines and penalties
The cap on fines under PECR (which regulates cookies and electronic direct marketing) is raised to match the UK GDPR. The maximum penalty for a breach of PECR becomes the higher of £17.5 million or 4% of global annual turnover, a vast increase from the previous cap of £500,000. This aligns enforcement across the two regimes and matters in practice because many ICO enforcement actions concern breaches of PECR rather than of the UK GDPR.
Data subject access requests (“DSARs”)
The new provisions on DSARs largely codify existing case law and Information Commissioner’s Office (“ICO”) guidance. The DUA Bill confirms that data subjects are entitled only to a ‘reasonable and proportionate’ search for their personal data; that controllers can ‘stop the clock’ on the response period while they seek clarification of the request or verify the requester’s identity; and that the response period can be extended in certain circumstances.
Boosting research and innovation
According to the Department for Science, Innovation and Technology (“DSIT”), the bill aims to “boost the UK economy by £10 billion” through the power of data. The DUA Bill clarifies the definition of scientific research to cover any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity. Market research, product development and technological innovation can therefore benefit from the research provisions (for example, the ability to obtain broad consent to an area of research), provided the activity can reasonably be described as scientific; a commercial label on its own is not enough.
ICO modernisation
The DUA Bill modernises the structure and remit of the ICO, which is renamed the Information Commission. It moves from a corporation sole (the Commissioner personally) to a corporate body with a Chair and a board that includes non-executive members. The Commission will also be required to have regard to the public interest in promoting innovation and competition alongside its existing duties to protect privacy and personal data.
Improving efficiency in public services
According to DSIT, the DUA Bill will save front-line NHS workers “140,000 hours of time” and relieve police forces of bureaucracy. Police officers will no longer have to record a justification manually each time they consult personal data while working on a case, removing a logging requirement that applied under the law enforcement regime of the DPA 2018. NHS staff will be able to access patient information (pre-existing conditions, appointments, lab results) in real time across NHS trusts, GP surgeries and ambulance services regardless of the IT system in use, because IT suppliers to the health and social care sector will be required to meet common information standards that allow data to be shared across platforms.
Implications for businesses
The DUA Bill’s focus on streamlining data access may well create opportunities for businesses to collaborate and innovate on new projects, particularly in the technology and healthcare sectors.
The changes imposed by the bill should prompt businesses to revisit their current processing activities, existing data-sharing agreements, procedures and policies (especially around research, marketing and AI) to ensure that they comply with (and take advantage of) the new legislation.
How we can help
As specialists in commercial, technology, and data privacy law, Cripps are here to help your business navigate the complexities of the DUA Bill.
If you would like assistance with compliance, please get in touch with our commercial team to discuss how we can support you in preparing for the future.