Clifford Chance

This is part two of our series of articles on the UK's Data (Use and Access) Act 2025 (DUA Act) - Click on the links to read the other parts.

• Overview
• Digital Verification Services Framework
• Changes to UK data protection laws
• Enforcement and regulatory engagement
• Cookies, trackers and security patches
• Other provisions

We have also published a comprehensive PDF bringing all these together in one document for you to read and share.

Framework for smart data schemes

The DUA Act lays out a framework for the establishment of 'smart data' schemes in the UK, which are intended to promote competition between providers of goods, services and digital content by requiring data holders to take certain steps in connection with customer data and/or business data. These provisions only establish the framework for smart data schemes: the details of these requirements, their scope,  and enforcement regime, will be set out in secondary legislation which the Secretary of State is now empowered to make.

The smart data regimes will apply to "customer data" and/or "business data" – both of which are very broadly defined:

• "Customer data" is information relating to a customer of a trader (with a "trader" defined as a person who supplies or provides goods, services or digital content in the course of a business).
• "Business data" includes information about goods, services and digital content supplied or provided by the trader, and information relating to their supply (e.g., prices or other terms, how they are used, their performance or quality) and related feedback.

Data holders (i.e. traders or persons who process customer data or business data in the course of a business) may, for example, be required to:

• provide customer and/or business data either directly to the relevant customer, or to a person authorised by such customer to receive the data, at the request of the customer or the third party;
• produce, collect or retain customer and/or business data;
• make changes to customer data, including rectifying inaccurate data;
• use specified facilities or services (including, potentially, dashboard services, other electronic communication services or application programming interfaces), to facilitate data access and use; and
• create complaint-handling and dispute resolution procedures.

Such regulations may require a public authority that is a recipient of business data to take certain steps (e.g., to publish the business data.) They may also set out circumstances in which a data holder "may or must" refuse a data sharing request.

Sector Specific

Unlike the EU's Data Act, which focuses on data access and re-use in relation to a particular type of technology (i.e. access to and re-use of data concerning the performance, use and environment of connected products and related services), the legislation to be passed under the DUA Act is expected to be technology-neutral but tailored to specific sectors. It remains to be seen whether sectors prioritised for smart data schemes will align with the Smart Data Roadmap for 2024-2025, published by the UK's Department of Business and Trade in April 2024, which identified 'priority sectors' including finance, banking, energy, telecoms and transport as well as 'sectors of interest' including retail.

Banking Sector

Given that the UK banking sector has operated a smart data scheme since 2018, and the central role played by the Financial Conduct Authority (FCA) in open banking since then, the DUA Act reserves an important role for the FCA in the administration of smart data regimes in the financial services sector. The DUA Act provides for the Treasury to make regulations enabling or requiring the FCA to make specific rules governing how customer and business data is shared by financial services providers. The DUA Act empowers the Treasury to require the FCA to consult with the Payment Systems Regulator, the Bank of England and the Prudential Regulation Authority, with a view to ensuring a co-ordinated approach in the exercise of their respective functions with respect to the regulation of payment systems.