The Data (Use and Access) Act 2025 received royal assent this week. Among other things, the new act will amend the UK GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the Data Protection Act 2018.
The bill was introduced last October. It was included in the King’s speech in July (under its old name the ‘Digital Information and Smart Data Bill’), with the king announcing that there would be ‘targeted reforms to some data laws that will maintain high standards of protection but where there is currently a lack of clarity impeding the safe development and deployment of some new technologies’. However, this statement of intent does not match the reality; many of the core provisions are a ‘cut and paste’ of the Data Protection and Digital Information (No. 2) Bill (DP Bill) dropped by the Conservative government in the parliamentary wash-up before last year’s general election.
Key provisions
Smart data: The act retains the provisions from the DP Bill that will enable the creation of a legal framework for smart data. This involves companies securely sharing customer data, upon the customer’s (business or consumer) request, with authorised third-party providers (ATPs) who can enhance the customer data with broader, contextual ‘business’ data. These ATPs will provide the customer with innovative services to improve decision-making and engagement in a market. Open banking is the only current example of a regime that is comparable to a ‘smart data scheme’. The act will give such schemes a statutory footing from which they can expand.
Digital identity products: Just like its predecessor, the new bill contains provisions aimed at establishing digital verification services. These include digital identity products to help people quickly and securely identify themselves when they use online services – for example, to help with moving house, pre-employment checks and buying age-restricted goods and services. It is important to note that this is not the same as compulsory digital ID cards as some media outlets have reported.
Research provisions: The act keeps the DP Bill’s provisions that clarify that companies can use personal data for research and development projects as long as they follow data protection safeguards.
Legitimate interests: The act retains the concept of ‘recognised legitimate interests’ under article 6 of the UK GDPR. Data controllers will be exempt from conducting a full ‘legitimate interests assessment’ when processing personal data processing for specific purposes such as national security, emergency response and safeguarding.
Automated decision-making: Like the DP Bill, the act seeks to limit the right, under article 22 of the UK GDPR, for a data subject not to be subject to solely automated decisions, including profiling, which have a legal or similarly significant effect on them. Under the new article 22A, a decision would qualify as being ‘based solely on automated processing’ if there was ‘no meaningful human involvement in the taking of the decision’. This could give the green light to companies to use AI techniques on personal data scraped from the internet for the purposes of pre-employment background checks.
International transfers: The act maintains most of the DP Bill’s international transfer provisions. There will be a new approach to the test for adequacy applied by the government to countries (and international organisations) and when data controllers are carrying out a transfer impact assessment. The threshold for this new ‘data protection test’ will be whether a jurisdiction offers protection that is ‘not materially lower’ than under the UK GDPR.
Health and social care information: The act maintains, without any changes, the provisions that establish consistent information standards for health and adult social care IT systems in England, enabling the creation of unified medical records accessible across all related services.
PECR changes: One of the most significant changes, copied from the DP Bill, is the increase in fines for breaches of PECR, from £500,000 to UK GDPR levels. Organisations could face fines of up to £17.5m or 4% of global annual turnover (whichever is higher) for the most serious infringements. Other changes include allowing cookies to be used without consent for web analytics, installing automatic software updates and extending the ‘soft opt-in’ for electronic marketing to charities.
Not in the new act
Most of the controversial parts of the DP Bill have not made it into the act. These include:
- Replacing the terms ‘manifestly unfounded’ or ‘excessive’ requests, in article 12 of the UK GDPR, with ‘vexatious’ or ‘excessive’ requests. Explanations and examples of such requests would also have been included.
- Removing the obligation for some controllers and processors to appoint a data protection officer.
- Replacing data protection impact assessments with leaner and less prescriptive ‘assessments of high-risk processing’.
- Exempting all controllers and processors from the duty to maintain a record of processing activities, under article 30, unless they are carrying out high-risk processing activities.
- The ‘strategic priorities’ mechanism. This would have allowed the secretary of state to set binding priorities for the information commissioner.
- The requirements for the information commissioner to submit codes of practice to the secretary of state for review and recommendations.
I expect the substantive provisions of the new act to come into force in stages starting a few months after commencement. The UK’s adequacy status under the EU GDPR expires on 27 December following the recent announcement of a six-month extension. While the EU will commence a formal review of adequacy now the bill has received royal assent, nothing in the bill will jeopardise the free flow of personal information between the EU and the UK. The situation would perhaps have been different had the DP Bill made it on to the statute books.
AI and copyright
Much of the delay to the bill was caused by an issue not originally intended to be addressed in the bill – the use of copyright works to train AI.
AI has an insatiable appetite for data. AI applications need a constant supply to train (and improve) output algorithms. This concerns copyright holders such as musicians and writers whose work may be used to train AI models to produce similar output, without the former receiving financial compensation. Several copyright infringement lawsuits are set to hit the courts soon. Among them, Getty Images is suing Stability AI. It is accused it of using Getty Images to train its Stable Diffusion system, which can generate images from text inputs. Stability AI denies infringing any of Getty’s rights. Similar lawsuits have been launched in the US by novelists and news outlets.
During the bill’s passage through parliament, there was strong disagreement between the Lords and the Commons over an amendment introduced by the crossbench peer and former film director Beeban Kidron. The amendment would have required AI developers to be transparent with copyright owners about using their material to train AI models. Some 400 British musicians, writers and artists, including Sir Paul McCartney, signed a letter urging the government to adopt the amendment. They argued that failing to do so would mean them ‘giving away’ their work to tech firms.
In the end, Baroness Kidron dropped her amendment following repeated rejection in the Commons. I expect this issue to raise its head again soon. The government’s consultation on AI and copyright ended in February. Among other options, it proposes to give copyright holders the right to opt out of their work being used for training AI. However, the music industry believes that such a measure would offer insufficient protection for copyright holders. In an interview with the BBC, Sir Elton John described the government as ‘absolute losers’ and said he feels ‘incredibly betrayed’ over the government’s plans.
Once the government publishes its response to the copyright consultation, it will have to consider how to proceed. Whether this comes in the form of a new copyright bill or AI regulation bill, expect more parliamentary wrangling, as well as celebrity interviews.
Ibrahim Hasan is a lawyer and director of Act Now Training
No comments yet