The Data (Use and Access) Act (DUAA) is the UK’s most significant data protection and privacy reform since the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018).
On 20 August 2025, the first wave of DUAA provisions took effect via the Commencement Regulations. Our latest blog explores these changes in three categories:
- New powers for the government and regulators
- Institutional reforms
- Amendments to existing data protection and privacy law
New and amended powers
Part 1, and Sections 74, 92, 107, 125, and 135-137 of the DUAA.
A key theme of the DUAA is to give the Secretary of State and the Information Commissioner new powers and obligations around regulations and guidance, particularly in fast-moving areas like AI and online safety.
The first and most significant of these provisions is Part 1 of the DUAA, “Access to Customer and Business Data”, the legal foundation for new “smart data” schemes similar to open banking.
Section 74 allows the Secretary of State to make regulations that can create new special categories of personal data under the UK GDPR: Sensitive types of data for which special rules apply.
Section 92 empowers the Secretary of State to make regulations directing the Information Commissioner to prepare new Codes of Practice, while Section 107 creates a new, standardized framework within the UK GDPR for making such regulations.
Section 125 allows the Secretary of State to create regulations that will require service providers (such as social media platforms) to provide data to independent, accredited researchers, subject to certain safeguards.
Finally, three provisions relate to copyright and AI:
- Section 135 mandates an economic impact assessment weighing the economic consequences of different policy options regarding the use of copyrighted material to train AI models.
- Section 136 goes further, requiring a full report on the use of copyright works in AI systems.
- Section 137 acts as an accountability measure, requiring the Secretary of State to report to Parliament on the progress of both the economic assessment and the AI report within six months.
Institutional reform and oversight
Sections 91, 93, 95, 102, 117, and Schedule 14.
These provisions represent a fundamental change to the structure and operation of the UK’s data protection regulator, moving the Information Commissioner’s Office to a modern Information Commission with new duties and oversight mechanisms.
Section 91 establishes a new principal objective for the regulator: To secure appropriate data protection while also considering the desirability of promoting innovation and competition.
Section 93 introduces new procedural requirements for creating codes of practice. The Information Commissioner will now be required to establish panels of experts and affected stakeholders to review draft codes.
Under Section 95, the Information Commissioner will have to prepare and publish an annual analysis of its performance against a set of key performance indicators, while Section 102 mandates an annual report on regulatory action.
Section 117 formally establishes the Information Commission (formerly the Information Commissioner’s Office). Schedule 14 provides the blueprint for this new body. The key takeaway is that it establishes the Commission as a corporate body with a board structure.
Amendments to data protection law
Sections 72, 104, 106, 108, 109-111, 113, 129, 134, and Schedule 11
These provisions cover a series of important, but in some cases, quite technical amendments to existing data protection and privacy law.
Section 72 on processing in reliance on relevant international law permits the processing of personal data under the legal basis of “public task” based on obligations in international law, such as a treaty. Previously, this legal basis had to be in domestic law.
Section 104 clarifies court procedure in connection with subject access requests, stating that when a court is deciding on a subject access dispute, it cannot order an organization to conduct a search for information that is more extensive than what is “reasonable and proportionate”.
Section 106 deals with the protection of prohibitions, restrictions, and data subject rights. If another law imposes a duty to process data, that duty does not automatically override the core requirements of data protection law.
Section 108 introduces further minor provision about data protection via Schedule 11: A raft of small but important technical fixes to the law.
The next provisions relate to the Privacy and Electronic Communications Regulations 2003:
- Section 109 defines “the PEC Regulations” for the Act.
- Section 110 clarifies definitions, such as “call” and “direct marketing”.
- Section 111 standardizes the time period for notifying the Commissioner of a data breach under PECR (not later than 72 hours after becoming aware of the breach).
- Section 113 specifies how the 7-day time period in relation to emergency alerts should be handled.
Finally, Sections 129 and 134, and Schedule 11, make some fairly technical and relatively obscure legal amendments, including to the eIDAS Regulation, the UK GDPR, and the DPA 2018.
“First, Section 129 defines ‘the eIDAS Regulation’. This is a definitional provision that sets the stage for the next section, which deals with electronic identification and trust services.”
Still to come…
Many DUAA provisions are not included in the 25 August Commencement Regulations, including:
- A new “recognized legitimate interests” legal basis
- New exceptions from cookie consent
- Clarity on data subject rights requests
We’ll keep you up to date about these parts of the law, which should take effect over the coming months.