Sheilah MackieThe Data (Use and Access) Bill (DUA Bill) has been agreed upon and is now awaiting Royal Assent. This significant milestone follows a lengthy and complex journey through Parliament, marked by debates and amendments, particularly in the latter stages around the issue of whether the DUA Bill should cover transparency on AI models using copyrighted works to train the models (a topical but somewhat tangential issue to the core subjects covered in the Bill).� This led to a “ping pong” between the Lords and Commons where we saw a number of passionate debates on the topic of transparency. Baroness Kidron, speaking on behalf of creatives in the Lords, talked about the UK Government cosying up to tech companies. She said she has spoken to AI academics and tech companies and one such said to her “of course we prefer it for free, but if you don’t protect your IP, we will take it just like we did your high street”. Baroness Jones of Whitchurch, the Under Secretary of State for DSIT, stated that the Government will soon work on more comprehensive AI legislation. She emphasized the need to await the outcome of the economic impact assessment and the report on AI and copyright to determine what further actions, including legislation, might be necessary. After a few weeks of intense debates, where the tension between the rights of creators and the interests of the UK tech industry was evident, the Lords eventually conceded on the issue of transparency on 11 June 2025 (at least in terms of the DUA Bill).
The DUA Bill aims to harness the power of data to drive economic growth, and make it easier for businesses to use technology while maintaining high standards of data protection.� The DUA Bill will introduce new smart data schemes, establish digital verification services, create a national underground asset register, and simplify the data protection regime in the UK (though less extensively than previously proposed under the last Government). The provisions in the DUA Bill on Smart Data will support open banking in the UK and extend its benefits to an open finance scheme.�Additionally, the DUA Bill proposes changes to the UK GDPR and PECR (the latter governing direct marketing and the use of cookies and similar technology), including the introduction of a new lawful ground of “recognised legitimate interests,” the removal of consent requirements for non-intrusive cookies, the widening of grounds for solely automated decisions, the simplification of scientific research provisions, clarifications on dealing with subject access requests, changes to rules on data exports, and changes to the structure of the Information Commissioner’s Office (ICO).
So what’s next for the DUA Bill? While the commencement is typically 2 months after Royal Assent for Bills, the DUA Bill will take longer. Detailed discussions on secondary legislation will be necessary. Within the first two months, only minor clarifications will be made; however, substantive changes to data protection provisions and ICO governance are expected to take 6 to 12 months. Meanwhile, the European Commission is in the process of evaluating the adequacy of the new data protection regime in the UK to decide if it will continue to provide adequate protection for data flowing from the EU to the UK without additional regulatory protections being required. Businesses and stakeholders should prepare for the upcoming changes and stay informed about the progress of the DUA Bill as it moves towards implementation.
Please get in touch with me (Sheilah) or Victoria Ferguson if you’d like any more information.