Data protection in the United Kingdom is taking a new direction: The Data (Use and Access) Act has been in force there since June 19, 2025—with far-reaching consequences for businesses, authorities, and data subjects. The objective: economic relief and greater clarity in the application of the law, without losing sight of individual rights. What specific changes now apply—and why they are also relevant for EU observation.
The Data (Use and Access) Act (DUAA) entered into force in the United Kingdom on June 19, 2025. The ICO (the UK data protection supervisory authority) lists the following points as relief measures for businesses:
- New legal basis “recognized legitimate interests”: The balancing of interests otherwise required is to be omitted in certain cases (e.g., in connection with public safety matters)
- Disclosure of data in the performance of public tasks: When data is transferred to public authorities such as the police, responsibility is to lie no longer with the disclosing organization, but with the requesting authority (similar to German state data protection laws).
- Change of purpose: In certain cases, the compatibility of a new purpose is presumed, so that a corresponding assessment no longer needs to be carried out (e.g., for public archiving purposes).
- “Soft opt-in” for charitable organizations: The sending of marketing emails by these organizations is to be permissible subject to objection if the recipients have shown interest in the organization’s work or already support it.
- Right of access: Controllers must only search for information when processing an asserted access request to the extent that this is “reasonable and proportionate” for them.
- Greater legal clarity: The changes are intended to make the laws clearer and more structured. For example, it is clarified that direct marketing qualifies as a legitimate interest.
It remains to be seen how the European Commission will assess these changes when re-evaluating the adequacy decision for the United Kingdom.
