Bytesize Legal Update – Top 5 things you need to know about the UK DUA Act 2025

Fieldfisher Season 2 Episode 8

In our latest Bytesize Legal Update, Fieldfisher's James Russell and Richard Lawne unpick what the key headlines are, what are the top 5 changes that will impact businesses, and in practical terms what that means businesses operating in the UK need to do.

James: [00:00:00] Hello, I'm James. 

Richard: And I'm Richard. 

James: And we're both tech and data specialists from Fieldfisher's Silicon Valley. So the UK has finally wrestled back sovereignty over its data protection laws from the EU. Originally introduced all the way back in 2022, the UK's Data Use and Access Act, or the DUA Act, finally became law just at the end of last month.

But as Brexit gets further into the rear view mirror, how radical are these changes really? And what do they mean for UK adequacy and international data transfers going forward? So Richard, we've heard about these UK reforms for some time now. First it was the Data Protection and Digital Information Bill. Then it was the Data [00:01:00] Reform Act, and now we've got the DUA Act, and if we use its long name, it gets even crazier. We've got an act to make provision about access to customer data and digital business ID registers relating to apparatus in street registers and births and deaths.

It goes on and on and on. 

Richard: Yeah, it's quite a mouthful. 

James: And so we've got provisions covering things like digital verification services, the National Underground Asset Register, the digitalization of registered births and deaths. Lots and lots of stuff to cover here, but I think the headline is that this probably isn't relevant to most business customers.

So today what we're gonna be focusing on is just the top five changes that actually make a difference in practice from the perspective of UK data protection law. So Richard. From your perspective, looking at those sort of top five key points, what do you think are the big changes here?

What are the headlines that people need to know? 

Richard: Well, firstly, let's be clear, this isn't a radical change to UK data protection law. The DUA Act doesn't make wholesale changes to existing law. It doesn't replace the [00:02:00] UK GDPR or the Data Protection Act. Instead, what it does is fine-tune existing laws, aiming to reduce some regulatory burden and bring more clarity to certain aspects of the law.

In fact, in many cases, the DUA Act simply codifies what was already in the recitals of the UK GDPR or in ICO guidance. So what we'll see is nothing completely radical, but some tweaks here and there, and perhaps a little bit more breathing room and flexibility for organizations operating in the UK.

James: Makes sense. Okay. So then starting at the top, what do you think is number one, what's the sort of big change, number one that people need to think about? 

Richard: Well, the first change to mention is some changes around the edges of the purpose limitation principle and lawful basis for processing.

So the DUA Act refines the purpose limitation principle, which governs how personal data can be reused beyond its original purpose. Essentially, this update clarifies when further processing is going [00:03:00] to be considered compatible with the original purpose, and it introduces a new annex that lists specific types of processing that are automatically considered compatible. For example, reusing data for crime prevention purposes or for public interest tasks. At the same time, the DUA Act also introduces a new lawful basis for processing called recognized legitimate interests.

This allows controllers to carry out certain processing activities in reliance on legitimate interests, but without the need to conduct a full LIA, so long as the processing is necessary and falls within a list of predefined purposes. What are those purposes, I hear you ask? They include responding to requests from public bodies, national security, public security, and defense purposes, emergency situations, crime prevention and prosecution, and safeguarding vulnerable individuals.

Really, it's quite a narrow list of purposes. So although these changes are acting [00:04:00] at the fringes and providing a little bit more certainty around when you can reuse data and when you can rely on legitimate interests, I don't think these kinds of changes really represent a massive change for most organizations and how they operate.

James: Okay. So it's good to know, because it helps to reduce that regulatory burden a bit, but in practice, hopefully you're not doing a massive overhaul of your data processing.

Richard: Right. 

James: And am I right in thinking that that's a similar trend when we move on to our second top change here when it comes to data subject access requests? 'cause in previous versions of this bill there were some quite traumatic changes. 

Richard: Yeah, that's fair to say. There are some changes as to how controllers should handle subject access requests. So the DUA Act introduces a stop-the-clock mechanism. As our listeners are probably aware, under the UK GDPR controllers have a one month deadline to respond to rights requests.

Now under the law, if the controller needs further clarification from the data subject in order to provide a response, like they need more information about the time period [00:05:00] that the request covers or the nature of the information that's being sought, then the clock effectively pauses until the controller has received that information from the data subject.

So really giving a little bit more flexibility and breathing room in responding to requests. At the same time, the DUA Act also codifies that searches should be reasonable and proportionate. Again, this is a principle that was already established in case law and ICO guidance, but now has been made explicit under UK data protection law.

James: Nice. So we've got sort of a formal codification of what hopefully businesses have been doing by following the guidance anyway.

Richard: Exactly. 

James: Makes sense.

Okay. But are there some areas then, if those are some of the examples of where these are important to be aware of, but in many ways they're continuity. Are there more areas of divergence where we're seeing more significant changes from previous UK data protection law?

Richard: Yeah. One area is there's a bigger change around automated decision making, which might have an impact on automated tasks and also the use of AI. So the DUA [00:06:00] Act relaxes the restrictions on decisions made solely through automated processing, such as credit approvals and fraud detection.

Under the new rules, these kinds of decisions are generally permitted so long as certain safeguards are in place. Those include ensuring you're providing transparency to data subjects about how automated decisions are made. Giving people the ability to contest those decisions and also obtain the right to human intervention.

Now, this is a bigger change because the law today says that effectively there's a default prohibition on ADM and you need to satisfy certain conditions to make automated decisions. However, moving forward in the UK, instead there's a more permissive framework that just ensures that certain safeguards are in place.

James: Hmm. So they've flipped the script a bit. Makes sense. So number three on our list is ADM. And then number four is a question that lots of people will be asking, which is transfers. How do the changes here affect, first of all, I guess, UK data [00:07:00] exports?

Richard: Well, the changes here are also a little bit more substantive, so the DUA Act introduces a new standard for assessing whether personal data can be transferred outside the UK to a third country.

Instead of the standard today, which is based on that receiving third country providing an essentially equivalent level of protection, now you're looking at a standard saying that the level of protection must not be materially lower than that provided under UK law. So there's a little bit more daylight there between the standards and the expectations.

Importantly, this applies not just to government adequacy decisions from the UK, but it also applies when organizations, data exporters, are using transfer mechanisms like the SCCs and evaluating the risks of making those transfers according to UK data protection law.

James: Hmm.

James: Okay. So we've got a bit more flexibility then when it comes to UK data exports. Looking at this from the other angle, though, I know that one of [00:08:00] the reasons that this ping-ponged back and forth in the UK Parliament so much was this concern about EU adequacy: that now that the UK has left the EU, they've got this flexibility to change their own data protection laws, but they don't wanna change it too much and therefore lose EU adequacy and not be able to make transfers to and from the EU.

So how does, how does this affect EU adequacy? Do we have any update on that yet? 

Richard: It's a great question, and the short answer is we don't know yet. So there has been some concern that these changes to the UK's data protection regime would potentially impact its adequacy status in the eyes of the EU when you're transferring EU data to the UK.

All we know is that the European Commission recently confirmed they're gonna actually delay the review of the UK's adequacy status until the end of the year, which gives them a bit more time to analyze these changes. So for now, we'll wait and see. My expectation is that a lot of these changes don't necessarily indicate a radical departure or a material [00:09:00] change in the UK data protection law.

So they still hope that actually the UK manages to preserve its adequacy status. 

James: So we're keeping our fingers crossed that hopefully we'll be able to retain EU adequacy status. 

Richard: Right.

James: Okay. And so far then, on our top four so far, we've been looking mainly at the UK GDPR, but when we're talking about UK data protection law, there are also obviously regulations that go beyond the GDPR.

Are there any significant changes there that people should be looking at? 

Richard: Yeah. There are some changes also to PECR, which is effectively the law including all of the e-privacy requirements, including notably cookie rules. So the DUA Act introduces some changes to the cookie consent requirements under the UK rules. Going forward, opt-in consent will no longer be required for certain purposes under the act. That now includes security and fraud prevention, [00:10:00] statistical analytics, user interface preferences, and emergency location services.

So again, that actually gives website operators and others using cookies a little bit more flexibility and breathing room to deploy those technologies without needing to get consent, and also gives a bit more clarity in areas that were already known. At the same time, the DUA Act also increases the maximum fines for breaches of PECR.

That cap is going to rise from 500,000 pounds today to basically align with the GDPR: 17.5 million pounds or 4% of global turnover, whichever is higher. So that means that firstly, both of these laws will be aligned in terms of the potential level of fines. It also means potentially higher consequences for breaches of the cookie and marketing rules.

James: Wow. I mean, yeah, that's a significant change really, isn't it? There's a lot more bite here, therefore, potentially to cookie rules. Is that fair to say?

Richard: [00:11:00] Yeah, I think so. Yeah. 

James: Oh, so cookie banners are here to stay. I'm sure many in our audience will bemoan that.

Richard: Right. 

James: Alright, well I think that sounds like it's our top five then.

So our top five is purpose limitation, changes to data subject access requests, changes to automated decision making, UK data transfers, and finally, those cookie and marketing rules. Of course, there's a lot more in the act that we haven't had time to cover. Some of the key ones, maybe, to just be aware of are, for instance, changes to the definitions of scientific research and changes on how we'll be using children's data.

More information on all of that, of course, can be found in our blog, so do make sure to check that out. And a couple of things, of course, to also look for down the line. In terms of implementation of the act, we're still waiting to hear exactly what the timeframe is gonna be and exactly how this is gonna change the guidance that was currently published by the ICO, the Information Commissioner's Office, but which under this law is now gonna be changed to the Information Commission.

Richard: Yeah. Let's not forget there's a rebrand in there too.

James: A change in terminology that I'm sure we're all going to get our heads around immediately. But [00:12:00] given that there's so much to cover here, Richard, maybe you can boil it all down. What are the key takeaways that businesses need to know on what this means to them in practice?

Richard: Right. So firstly, again, the DUA Act doesn't completely overhaul the UK data protection regime, and generally it doesn't introduce new obligations for organizations.

Instead, this new law makes targeted amendments that introduce more flexibility and certainty in some areas. As the ICO has itself put it, or rather, the Information Commission has itself put it, this act offers an opportunity to do things differently rather than needing to make specific changes to comply.

Secondly, the UK is trying to be seen as carving out a slightly more innovation-friendly approach in areas like automated decision making and scientific research, but without straying too far from EU GDPR standards. And as we discussed earlier, that's likely intentional, as the UK wants to signal regulatory independence, but it [00:13:00] also wants to preserve its adequacy status.

The practical reality is that if you're a company operating across both the UK and EU, you'll likely continue to apply broad EU standards in the UK as well. We don't have huge changes to look at here, but you might have a little bit more breathing room in some areas. And lastly, the point I'd make is that the DUA Act covers many things, but it doesn't cover AI.

It doesn't directly legislate AI in the same way as the EU's AI Act. And actually the UK government has made it clear that AI-specific regulation is gonna come separately, and that's further down the road. So we'll have to wait a little bit longer for that.

James: So, as we continue to wait and see, a couple of things to watch in this space: the regulation of AI, what this means for EU adequacy, and of course what implementation's gonna look like down the line.

Well, we will of course continue to keep you updated on all of these things, both in our blogs and on our podcasts and webinars going [00:14:00] forward. So make sure to check out fieldfisher.com for further updates. I guess all that's left to say is thank you very much, Richard, for joining us today and giving us that rundown.

Richard: Absolutely. Thanks James. 

James: And thank you, of course, to our listeners. Thank you for joining us on this latest episode of Fieldfisher's Bytesize Legal podcast, your source for concise legal updates on the key legal developments in technology and data protection law. If you have any questions about today's update, don't hesitate to reach out to us, and if you found it useful, do make sure to give us a like or review on your podcaster of choice.

Thanks for listening, and we'll see you next time.