Hill Dickinson | Eleanor Tunnicliffe | Sophie Vella
European Union | United Kingdom
After an extended period of parliamentary ping-pong between the House of Lords and the House of Commons regarding the use of copyright works to train AI systems, the Data (Use and Access) (DUA) Act 2025 has received Royal Assent and become law in the UK.
On the much-debated topic of AI, the government has agreed to give a progress statement in six months, including on the scale of copyright infringement of works used to train AI models and the economic impact of this.
Based on the most recent information we have, most of the changes to UK data protection law, including to the UK GDPR, will come into effect via further regulations, including:
- Increased maximum fines under the Privacy and Electronic Communications Regulations from £500k to £17.5 million or 4% of annual global turnover;
- More clarity around what constitutes processing for scientific research and consenting to such research;
- Changes to the legitimate interests legal basis provisions, including new pre-approved legitimate interests such as use of personal data in an emergency and sharing personal data with government regulators;
- Clarifying the purpose limitation principle in the UK GDPR;
- A new requirement on controllers to deal with all data complaints raised by individuals about the handling of their personal data, not just those connected to data subject rights like subject access requests;
- A shift in emphasis that makes it easier to use personal data for some automated decision-making;
- Establishing a framework that will allow a more risk-based approach to transfers of personal data outside the UK;
- Provisions modernising ICO governance structures; and
- Simplifying cookie notice/banner requirements – removing the requirement for user consent in some circumstances.
There are also changes to the rules about processing special categories of personal data, allowing the Secretary of State to specify what processing activities are or are not prohibited under UK GDPR via further regulations.
Broader provisions will also come into force on a date to be specified by further regulations, including:
- Enabling smart data schemes for different sectors;
- New rules for digital verification services; and
- Updating the rules on information standards for health and social care.
Impact on UK to EU data transfers
Personal data is able to flow freely from the EU to the UK post-Brexit due to a decision by the EU recognising that the UK’s data protection regime offers “adequate” protection.
The adequacy decision for the UK is due for renewal later this year, having been extended from 27 June 2025 by a further 6 months until 27 December 2025. Upon its approval of this extension, the European Data Protection Board (EDPB) emphasised in its Opinion 06/2025 that this was a “technical and time-limited extension” to give time, firstly, for the DUA Act to conclude its journey through Parliament and, secondly, for the European Commission to then evaluate the changes to UK data protection law.