The UK’s Data (Use and Access) Bill (DUA Bill) completed its passage through Parliament on 11 June 2025 and is now awaiting Royal Assent. Once enacted, it will introduce a series of targeted updates to the UK’s data protection framework, with a focus on enabling innovation in areas like artificial intelligence (AI) and research, while preserving alignment with core UK General Data Protection Regulation (GDPR) principles.
The DUA Bill is wide-ranging – covering everything from smart data sharing initiatives to digital identity services – but deliberately avoids many of the more controversial proposals found in its predecessor (the Data Protection and Digital Information Bill), such as redefining ‘personal data’ or changing the requirement to maintain records of processing activities.
This post explores the most impactful privacy-related reforms for companies handling UK personal data.
Key changes
1. Automated decision-making (ADM)
Under the UK GDPR, individuals had a right not to be subject to decisions based solely on automated processing that produced legal or similarly significant effects. This meant ADM was generally prohibited unless a specific exception applied (such as consent, contractual necessity or legal obligation) – and even then, safeguards had to be implemented.
For ADM involving nonsensitive personal data, the DUA Bill removes the default prohibition where the processing meets certain conditions and specified safeguards are in place. This allows such processing to proceed without the need for a specific exception – including, potentially, on the basis of legitimate interests.
However, the existing safeguards still apply, including the rights of individuals to obtain human review, express their view and contest the decision. In addition, the DUA Bill introduces a new requirement to provide affected individuals with information about automated decisions, building on a similar obligation under Article 13 UK GDPR to inform individuals about the existence of ADM.
2. Scientific research provisions
The definition of scientific research has been clarified so that it explicitly includes:
- Any research that can reasonably be described as scientific, including for the purposes of technological development.
- Commercial and privately funded projects.
The DUA Bill also introduces more flexible rules on further processing for scientific purposes, allowing companies to rely on an individual’s initial consent for future, unspecified research uses provided certain conditions apply. This is likely to benefit research activities where precise future uses may not be known at the outset, such as longitudinal studies or AI model training.
3. Recognised legitimate interests
The DUA Bill introduces a new list of ‘recognised legitimate interests’ which do not require a balancing test to be carried out. However, these mainly relate to activities which are unlikely to be relevant to many commercial businesses, such as safeguarding national security or detecting crime – although the list may later be expanded by the UK government. The DUA Bill also clarifies that processing for direct marketing, intra-group transfers and network security can be based on ordinary legitimate interests, subject to the usual balancing test.
4. The UK’s Privacy and Electronic Communications Regulations (PECR)
Previously capped at 500,000 pounds, fines under the PECR – a complementary regime governing direct marketing, cookies and electronic communications – will now be aligned with the UK GDPR, rising to a maximum of 17.5 million pounds or 4% of global turnover. This is significant, as Information Commissioner’s Office (ICO) enforcement has historically focused heavily on PECR breaches.
Additionally, minor changes have been made to cookie consent rules, clarifying that certain low-risk cookies (e.g., those used to detect fraud or authenticate users’ identities) will not require user consent.
Business implications
1. Data strategy and research
For companies in research-intensive sectors, the broadened definition of scientific research and expanded allowances for further processing should help reduce compliance friction across commercial research and development and AI.
- Commercial research: Clearer recognition that private research qualifies as ‘scientific’. This had previously been assumed in practice, but the specific recognition provides greater certainty.
- Further processing: Individuals can give consent even if the purpose of data use evolves over time, thereby supporting multiphase research studies.
2. Compliance updates
Several operational policies and notices may need updating in light of the DUA Bill:
- Marketing: Businesses should review their marketing practices to ensure compliance with requirements under PECR. The significantly increased fine cap, coupled with the ICO’s historical enforcement in this area, substantially increases the stakes for PECR violations.
- ADM: Businesses using ADM tools should ensure that appropriate safeguards are in place and review their privacy notices to ensure that transparency requirements are covered.
- Cookies: Businesses should reassess cookie classifications and consider removing consent prompts for cookies that fall under the exemption.
- Governance documents: Where businesses define ‘UK GDPR’ or reference applicable laws in contracts, data protection agreements or policies, these may need slight adjustments to incorporate the DUA Bill.
3. Cross-border data transfers
The UK’s adequacy status under the EU GDPR has been extended until 27 December 2025 but remains under scrutiny. While signals from Brussels are positive, businesses that rely heavily on EU-UK personal data flows should review their transfer mechanisms and ensure contingency measures (such as standard contractual clauses) are in place in case of any future adequacy lapse.
Next steps
- Royal Assent is expected by the end of June 2025.
- Implementation is expected to roll out in phases, giving businesses some time to adapt, although some changes may require advance planning.
Please reach out to the Cooley team for more information and assistance in respect of the implementation of the DUA Bill.
Authors
Guadalupe Sampedro, Partner, London
Morgan McCormack, Associate, London
Daniel Millard, Associate, London
Emerald Hockley, Trainee, London