UK Parliament passes Data (Use and Access) Bill following parliamentary “ping-pong”

19 Jun 2025 | 1 minute read

On 11 June 2025, the UK Parliament passed the long-awaited Data (Use and Access) Bill ("DUA Bill"), after a gruelling nine rounds of "ping-pong" between the House of Commons and the House of Lords. First introduced in October 2024, the Bill is now set to receive Royal Assent, which will set in motion an overhaul of the UK’s data governance framework.

Removal of AI and copyright reforms

Central to the Bill's delay through Parliament was the issue of copyrighted material in AI training. The Lords repeatedly attempted to insert provisions requiring transparency around the use of copyright works in the development of AI systems. However, the government resisted, arguing that it was already conducting a separate review of AI and copyright.

Ultimately, Parliament accepted a compromise amendment requiring the Secretary of State for Science, Innovation and Technology ("DSIT") publish a progress report within six months of the Bill becoming law, and full government report to be expected within nine months. While this solution leaves the regulatory landscape around AI largely unchanged for now, it delays formal action and raises questions over how – and when – the UK will legislate in this space.

Core aims

The government has stated that the DUA Bill is intended to:

Grow the UK economy through responsible data use.
Improve public service delivery, particularly in health and infrastructure.
Make people’s lives easier by simplifying digital identity and access.

Key provisions of The Bill

The DUA Bill is broad in scope, but the key elements include:

There are a number of small but pragmatic reforms which impact the current data protection legislative framework. The most notable reforms include:

- Clarification of the rules around opt-in consent. This will not be required for cookies that collect information for statistical purposes, or that enhance the appearance or functionality of a website or allow its appearance or functionality to adapt to user preferences.

- Introducing the concept of “recognised legitimate interests” which allows organisations to process data in wider circumstances such as in cases of national security, emergencies, detection, investigation or prevention of crime and safeguarding vulnerable individuals.

- Updating data subject access request (“DSAR”) rules, allowing for more flexible, proportionate responses. The Bill clarifies that organisations need only conduct “reasonable and proportionate” searches for information putting into law something that has been good practice for some time.

- Relaxing the rules around automated decision-making (“ADM“). The Bill states that the levels of greater scrutiny and safeguards presently found in UK GDPR will only now apply to “significant decisions” where ADM involves special category data. The intention is to make use of AI easier. ICO plans to issue new guidance on AI and ADM in the coming year.

- Revising the test for international data transfers. The Bill moves from the concept of “adequacy decisions” and instead destinations of data transfers must offer protections “not materially lower” than UK standards.

- Clarification of the rules around opt-in consent. This will not be required for cookies that collect information for statistical purposes, or that enhance the appearance or functionality of a website or allow its appearance or functionality to adapt to user preferences.

The Bill replaces the ICO with a reformed Information Commission, overseen by a Chair and non-executive board, with a stronger mandate to support innovation and competition.

DUA will increase the maximum fines issuable under the Privacy and Electronic Communications Regulations (“PECR“) to bring them in line with UK GDPR powers (up to £17.5 million or 4% of global turnover). It will also align the PECR breach reporting timeframe with UK GDPR, requiring communications service providers to report breaches within 72 hours of becoming aware of them.

The DUA Bill will grant the government powers to introduce secondary legislation to require data holders to provide access to customer and business data under smart data schemes, similar to the introduction of Open Banking.

The DUA Bill will introduce a legal framework for trusted digital identities, supported by a Trust Framework setting baseline standards. The Trust Framework will be published by the Secretary of State which will set out the rules and standards of providing DVS.

The DUA Bill will provide secure digital access to location data about pipes and cables. By providing instant access to data, NUAR hopes to reduce the time it takes to locate underground assets, as well as preventing accidental strikes on underground utilities.

What's next

The Information Commissioner welcomed the final version of the Bill, calling its amendments "pragmatic" and "proportionate". He added, “overall, the Bill remains one which I support as improving the effectiveness of the data protection regime in the UK.”

With Royal Assent in the near future, much of the Bill's practical impact will depend on the timeline for secondary legislation and implementation. The AI copyright debate, though deferred, is not over and may soon become a central issue in broader UK digital policy. However, changes to the UK GDPR and PECR are expected to come into force quickly. This means organisations should now review their current data protection policies including DSAR procedures, ADM practices, and cookie compliance.

Get in touch with our expert team to find out more about the expected changes under the DUA Bill or to receive wider data protection support.