What you need to know about the Data (Use and Access) Act
Part Five: Enforcement and regulatory engagement
This is part five of our series of articles on the UK's Data (Use and Access) Act 2025 (DUA Act). Click on the links to read the other parts.
- Overview
- Framework for smart data schemes
- Digital Verification Services Framework
- Changes to UK data protection laws
- Cookies, trackers and security patches
- Other provisions
We have also published a comprehensive PDF bringing all these together in one document for you to read and share.
Enforcement and regulatory engagement
The "Information Commission": role and powers
The ICO will be replaced with an "Information Commission", which will be a body more closely resembling other statutory regulators such as Ofcom and the Competition and Markets Authority. In carrying out its duties, the Information Commission must have regard to:
- promoting innovation;
- promoting competition;
- the importance of preventing, investigating, detecting and prosecuting crime;
- the need to safeguard public security and national security; and
- the fact that children may be less aware of the risks and consequences associated with the processing of personal data and of their rights in relation to such processing.
These considerations appear to be intended to promote a pragmatic, 'growth-friendly' approach to regulation and oversight. While these provisions are not yet in force, the ICO's strategic plans suggest that, to a large extent, it is already having regard to these matters.
The DUA Act adds to the Information Commission's regulatory toolkit by giving it powers which include: (a) requiring a controller or processor to provide it not only with information but also with specific documents (this provision comes into force on 19 August 2025), and/or requiring the preparation of a report at the expense of the controller or processor being investigated; and (b) issuing an interview notice compelling a witness to attend an interview, where giving a false statement in response to an interview question would be an offence (this provision also comes into force on 19 August 2025).
Privacy complaints can go straight to controllers
The DUA Act creates a right for data subjects to complain directly to controllers in relation to infringements of data protection law. Once brought into force by secondary legislation, this will exist alongside the existing ability to lodge complaints with the ICO.
The DUA Act will require controllers to facilitate the making of such complaints (e.g., by providing a complaint form "which can be completed electronically and by other means"), to acknowledge complaints within 30 days, to take appropriate steps to resolve the complaint without undue delay, and to inform the data subject of both progress and the outcome. The DUA Act also allows for regulations to be made mandating controllers to report to the new Information Commissioner the number of complaints received within specific periods.
PECR enforcement to be aligned with UK GDPR enforcement
The DUA Act updates the UK's ePrivacy enforcement regime, under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), bringing it in line with the UK GDPR and Data Protection Act 2018. Notably, this means that potential PECR fines will increase to UK GDPR levels once these provisions are brought into force by secondary legislation.