Search

How can we help?

Icon

Update on the Data (Use and Access) Bill

  • 29 April 2025
  • Privacy and Data Protection

In our article, Data Use and Access Bill – how will it impact business and their dealings with Data Protection, we set out the changes that the Data (Use and Access) Bill (DUAB) would make to the data protection regime in the UK. The DUAB has now reached the House of Commons Report stage before its third and final reading in the House of Commons, after which it will become legislation. We will highlight in this article what changes have been made to the DUAB since the early stages of the Bill.

Changes by the House of Lords

As the DUAB started as a Bill in the House of Lords, the first major amendments were made by that body and so the  amendments the House of Lords made were as follows:

  • The DUAB created “higher protection matters” for children within the UK General Data Protection Regulation (GDPR). This puts in place greater protections for children’s personal data.
  • It also allowed the charity sector to rely on the soft opt-in for direct market that commercial organisations can currently rely on.
  • The DUAB amended the Sexual Offences Act 2003 and introduced new offences relating to the creation of purported intimate images of an adult (otherwise known as sexually explicit deepfakes).
  • The DUAB also created a requirement on the Information Commissioner’s Office (ICO) to regulate web-crawlers and general-purpose AI models with links to the UK, and for them comply with UK copyright law.
  • The DUAB placed a requirement on the Secretary of State to make a statement on and lay plans before Parliament on web-crawlers and AI Models which may infringe copyright in creative works. It also set out plans for the creation of machine-readable digital watermark.

Changes by the House of Commons

Once the DUAB reached the House of Commons, several of the above amendments were rejected and in particular, the final two sub-bullet points were completely removed. These clauses were non-government amendments, and it appears the intention behind them was to allow creatives to assert and enforce copyright over their works against web-crawlers and AI.

 

It is difficult to estimate when the DUAB will become law.

Further key clauses

The House of Commons did not make any further substantial changes to the DUAB and so the Bill largely remains in the same form as passed by the House of Lords. Given the late stage the DUAB is at, it is likely that most of the major clauses will remain unchanged. Therefore, our view is that the key changes which organisations will need to anticipate are:

Data subject’s rights:

This changes the extent of the searches that organisations are required to make once they received a data subject access request. Organisations are also allowed further time to define the scope of the search before the relevant time periods are triggered under the GDPR.

Automated decision-making:

This gives greater scope for organisations to use AI when processing personal data. The clauses allow organisations to process data with no limitation on the lawful basis to use the data, subject to the required safeguards set out in the DUAB being in place. This indicates a transition to embracing AI as a technology which is more likely to process personal data in the future.

Children’s higher protection matters:

This increases the duties in relation to the protection of children’s data. It creates the concept of higher protection matters when an organisation is processing personal data while providing information society services likely to be accessed by children.

These key clauses are in addition to the ones set out in our previous article which briefly were:

  • Smart Data Schemes
  • Digital Verification Services
  • Privacy
  • Information Commissioner

Timeline for implementation

The DUAB is now in its report stage and you can track the progress of the DUAB here Data (Use and Access) Bill [HL] – Parliamentary Bills – UK Parliament.

It is difficult to estimate when the DUAB will become law. However, it is likely the DUAB will come into force in early 2026 and that there will be transitional provisions to give organisations time to implement the necessary changes.

Our data protection team will continue to monitor the DUAB and if you would like any advice on the potential changes proposed in the DUAB, please do not hesitate to contact our data privacy lawyers.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author profile
Melanie Pimenta

Associate

View profile

+44 118 960 4653

About this article

  • Subject
    Update on the Data (Use and Access) Bill
  • Author
    Melanie Pimenta
  • Expertise
    Privacy and Data Protection
  • Published
    29 April 2025

Read, listen and watch our latest insights

art
  • 12 August 2025
  • Privacy and Data Protection

From WeTransfer to WhatsApp: How Unapproved Tools and “Shadow IT” Could Threaten UK GDPR Compliance

Businesses and self-employed professionals are in a constant pursuit of efficiency and productivity.  There are, as a result, no end of tools and products available to smooth digital workflows. 
Pub
  • 14 July 2025
  • Privacy and Data Protection

From legislation to implementation: The Data (Use and Access) Act 2025

In this podcast, our data protection experts, Melanie Pimenta and Harry Berryman, will explain what the Act means for your organisation and how to ensure compliance with the new regulations.
art
  • 01 July 2025
  • Privacy and Data Protection

Data protection compliance: tricky issues for employers

This article highlights key issues organisations may face when processing personal data and stresses the importance of a proactive approach. It also outlines tailored training packages to support compliance and build internal expertise.
art
  • 20 June 2025
  • Privacy and Data Protection

Data Protection reform receives Royal Assent: What is the Data (Use and Access) Act 2025 (DUAA) and what it means for your business

The UK’s data protection framework is about to undergo its most significant change since the UK GDPR came into force. After months of parliamentary debate, the Data (Use and Access) Act 2025 (‘DUAA’) has successfully received Royal Assent.

Pub
  • 16 June 2025
  • Privacy and Data Protection

WhatsApp in the workplace: Is it legally safe?

In this podcast, Lucy White and Monica Mastropasqua, members of the Data Protection team at Clarkslegal, will address frequently asked questions from clients regarding the use of WhatsApp at work.

art
  • 13 June 2025
  • Employment

Human Resources – A Shift Towards artificial intelligence?

On 6 May 2025, the SRA authorised the first law firm providing legal services through artificial intelligence. Garfield.Law will provide an AI-powered tool which can assist businesses with the small claims court process, to aid in recovering unpaid debts.
See More