The UK Data (Use and Access) Bill (DUA Bill) is nearing the end of its legislative progression after extensive debates between the House of Commons and the House of Lords. This bill, expected to take effect within about a year of final passage, marks a major overhaul of the UK’s existing data protection laws, including the UK General Data Protection Regulation. Lawmakers have pitched the DUA Bill as a modernization effort aimed at aligning the country’s data framework with digital realities and fostering innovation, yet with significant emphasis on robust privacy safeguards.
Central to the Bill is a contentious debate over the regulation of Artificial Intelligence models. The House of Lords pressed for strict transparency standards, requiring developers to disclose the datasets used in training and to provide mechanisms for copyright owners to identify their works. The House of Commons, however, argued these measures warranted a separate legislative initiative and removed the specific Artificial Intelligence transparency mandates, replacing them with a requirement for the secretary of state to propose new laws on the matter. The Bill also introduces the new lawful basis of ‘recognised legitimate interests’ for personal data processing, permitting certain activities—such as national security and public safety—without a formal assessment, while broadening permissible data sharing in others, including direct marketing and IT security, albeit with established oversight.
International data transfer rules will be recalibrated: adequacy decisions become ‘transfers approved by regulations,’ permitting transfers where the receiving country’s protections are ‘not materially lower’ than the UK’s, but practical changes for businesses are expected to be minimal. The Bill seeks to ease the administrative load of data subject access requests by requiring only reasonable and proportionate search efforts and extending timelines in complex cases. Automated decision-making restrictions are relaxed, providing more leeway for algorithmic processes unless special category data is involved, so long as meaningful safeguards are in place.
The DUA Bill also redefines scientific research to include commercial ventures and eliminates public interest testing for such projects, broadens the compatibility test for further data processing, and heightens protections for children’s data through explicit duties for companies delivering digital services to minors. Key changes to cookies and tracking technology rules mean some non-essential cookies—chiefly for site performance and user experience enhancement—no longer require consent, while penalties for violations are now aligned with the UK GDPR’s upper tier.
The structure of the Information Commissioner’s Office will be overhauled with the creation of a new Information Commission, and complaint procedures will place more responsibility on organizations to address grievances before escalation. The legislation also expands provisions for smart data sharing and digital verification services and strengthens standards for healthcare system interoperability. As the UK government remains optimistic about satisfying the European Commission’s adequacy requirements, organizations are urged to review their compliance processes and prepare for the modernization set to unfold under the DUA Bill’s regime.