Clifford Chance

Talking Tech

What you need to know about the Data (Use and Access) Act

Part Four: Changes to UK data protection laws

Data Privacy 16 July 2025

This is part four of our series of articles on the UK's Data (Use and Access) Act 2025 (DUA Act). Click on the links to read the other parts.

We have also published a comprehensive PDF bringing all these together in one document for you to read and share.

Changes to UK data protection laws

Set out below are some of the key changes made by the DUA Act to the UK GDPR and the Data Protection Act 2018.

New opportunities to use automated decision-making techniques

The DUA Act relaxes the existing general prohibition on the use of solely automated decision-making (ADM) for significant (e.g., legal) decisions affecting data subjects so that it applies only to significant ADM based entirely or partly on the processing of "special category" data (rather than restricting such decision-making based on personal data generally).

Significant ADM that is based on special category data will need to continue to rely on specific, limited legal bases for processing under UK GDPR (e.g., explicit consent). However, once these provisions come into force (on such day as the Secretary of State may appoint by regulation), the legal bases available for significant ADM that is not based on special category data will be wider (and will include 'legitimate interest').

Safeguards (such as transparency and contestability requirements) will apply to all significant ADM, not only those based on processing special category data.

The Secretary of State may, by regulation, specify certain decisions as having the required "significant effect" for the data subject (thereby triggering the safeguards for automated processing) and add to, or vary, the requirements in relation to the safeguards.

Provision for regulating novel types of special category data

The DUA Act inserts a new Article 11A into the UK GDPR which allows the Secretary of State to, by regulation, add (and, potentially, subsequently remove) additional categories of special category data. This provision adds some flexibility into the law so that, as technology emerges and novel types of personal data come into existence, it can be clarified whether or not such personal data is special category data.

Skip the ‘balancing test’ when relying on 'recognised legitimate interests'

The DUA Act introduces a new legal basis for personal data processing: 'recognised legitimate interests'. Those set out in the DUA Act include processing necessary for: (i) responding to certain requests made by bodies acting in the public interest; (ii) national security, public security and defence purposes; (iii) the detection, investigation or prevention of crime; or (iv) the safeguarding of vulnerable individuals. Once these provisions enter into force (on such day as the Secretary of State may appoint by regulation), processing based on 'recognised legitimate interests' will satisfy the UK GDPR requirement to process personal data under a legal basis without the need to conduct a 'balancing test'. The Secretary of State may make regulations adding to, or varying, these 'recognised legitimate interests'. ICO guidance on the new legal basis of 'recognised legitimate interests' is expected to be published in Winter 2025/2026.

The DUA Act also clarifies that processing: (a) necessary for the purposes of direct marketing; (b) involving intragroup transmission of personal data where this is necessary for internal administrative purposes; or (c) necessary for ensuring the security of networks and IT systems, can be based on the (pre-existing) legitimate interests legal basis, subject to the usual balancing test. This essentially imports clarificatory provisions already included in the recitals to the UK GDPR into its main text.

Additional clarity on purpose limitation and further processing

The DUA Act clarifies the circumstances under which an organisation is allowed to reuse personal data for purposes that are different to those for which the data was originally processed.

The DUA Act adds provisions and an annex to the UK GDPR which together specify certain circumstances in which further processing of personal data for a new purpose satisfies 'purpose compatibility' requirements. Depending on the legal basis relied on for the original processing, these can include, for example, further processing for research, archiving or statistical purposes, public security, detecting, investigating or preventing crime, safeguarding vulnerable individuals, the assessment or collection of tax, and complying with a legal obligation or court / tribunal order. The Secretary of State may add to or modify this list of compatible processing.

The DUA Act also sets out factors that controllers are to consider when determining "purpose compatibility" for data reuse in other circumstances. These include, for example, any link between the original purpose and the new purpose, the possible consequences for data subjects of the proposed processing, and the existence of appropriate safeguards (for example, encryption or pseudonymisation). This provision primarily provides additional clarity as to how the purpose limitation principle is to be applied in practice.

Additional clarity on processing for research and statistical purposes

The DUA Act defines "research and statistical purposes" to include "any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity". Once brought into effect by secondary legislation, this aligns the substantive provisions of the UK GDPR with existing recitals and regulatory guidance to encourage a broad interpretation of the concept of scientific research, such that the UK GDPR's purpose limitation principle, and its restrictions on the processing of special category data, are less likely to restrict processing for such purposes provided certain safeguards are met.

The DUA Act also clarifies that data subjects can give "broad consent" for processing of their data for an area of scientific research in certain circumstances.

The "data protection test" for international transfers

The DUA Act reformulates the existing regime restricting the international transfer of personal data in the UK GDPR, for the most part by restating the existing provisions in a clearer manner. Most importantly, the DUA Act introduces a "data protection test" to be applied by the Secretary of State when deciding whether to approve by regulations international data transfers to a third country, including by way of recognising a third country's data protection regime as adequate. Once these provisions enter into force (on such day as the Secretary of State may appoint by regulation), the Secretary of State will be required to assess whether the standard of protection in a third country or otherwise in place in respect of a transfer is "not materially lower" than the standard in the UK. The data protection test is also to be applied by controllers and processors before they may transfer personal data to a third country in reliance on "appropriate safeguards" (such as standard contractual clauses).

This may amount to a slightly lower standard than the "essential equivalence" test referred to in the EDPB's guidance – and in judgments of European Union courts – on risk assessments for international transfers of personal data, but it remains to be seen whether this will prove a meaningful distinction. The UK will be mindful that differing standards for the export of personal data from EEA jurisdictions versus that from the UK may complicate data governance and be subject to scrutiny.

The DUA Act also provides that, when approving transfers by regulations, the Secretary of State may consider other 'matters' it deems relevant, including the "desirability of facilitating transfers of personal data" to or from the UK, and empowers the Secretary of State to recognise new transfer mechanisms for international data transfers.

Additional clarity on obligations when responding to subject access requests

The DUA Act codifies rules that currently exist only in regulatory guidance as to: (a) when a controller can 'stop the clock' in calculating the applicable time frame for responding to the exercise of a data subject's right; and (b) the obligation on the controller to perform (only) a "reasonable and proportionate search" for personal data in response to a subject access request. For organisations already following ICO guidance on subject access requests, this will likely not be a material change.

Permitting processing performed in reliance on international treaties

The DUA Act broadens the circumstances in which processing may be based on a legal obligation to include not only domestic law but also relevant international law. For the time being, "relevant international law" refers only to the UK-USA Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime, but the Secretary of State is empowered to add other treaties ratified by the UK in future.

Children's privacy

The DUA Act obliges controllers providing information society services likely to be accessed by children to consider 'children's higher protection matters' when determining what measures are appropriate to ensure data protection by design and default. In line with the ICO's Children's Code, these measures include how children can best be protected when using the services and the fact that children merit specific protection, because they may be less aware of certain risks and consequences, and less aware of their rights, and have different needs at different ages.