After a troubled passage through parliament, the Data (Use and Access) Bill received Royal Assent on 19 June and is now the Data (Use and Access) Act 2025. It introduces amendments to the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR).
The Act affects the areas of scientific research, legitimate interests, direct marketing, automated decision-making and data transfers. It also enables the transition of regulatory oversight for open banking to the FCA and the development of open finance.
Most of the provisions in the Act come into force as and when the Secretary of State makes specific regulations. However, a limited number of provisions came into force on 19 June. These include:
- Section 78, relating to reasonable and proportionate searches in response to of data subject access requests.
- Sections 126 to 128, relating to the retention of biometric data.
- Part 1 of Schedule 16, relating to the grant of energy smart meter communication licences, and section 122 so far as relating to that Part of that Schedule.
The Act restructures the ICO and provides it with new powers, including the ability to compel witnesses to attend interviews, request technical reports, and issue fines of up to £17.5 million or 4% of global turnover under PECR.
The ICO has issued various guidance notes on the Act:
- An outline what the Act means for organisations.
- An outline of what the Act means for law enforcement agencies.
- A detailed summary of the changes for data protection experts.
- The ICO’s new and planned guidance web page setting out what guidance to expect and when.
- An outline of how the ICO will continue its regulatory work as the Act is implemented.
- A guide for the public on how the Act will affect them.
Separately, the European Commission has now confirmed that it has adopted a six-month extension of the UK adequacy decisions under the GDPR and the Law Enforcement Directive until 17 December 2025.
