Dispelling the Myths Around the Data (Use and Access) Act 2025
Since the first draft of the Data Bill (now an Act), there have been claims circulating: some completely valid, some with a degree of credibility, and, of course, some plainly wrong.

For context, there had just been two failed attempts to change data protection law, and both of these would have resulted in significant changes and substantially threatened the UK’s EU adequacy decision. Those attempts fundamentally changed protections for individuals, removed the statutory requirement for DPOs to be appointed, and changed large parts of the language of data protection law in the UK.
The new law was much more measured in its approach but retained some elements, such as the right of the DWP to access the bank accounts of those in receipt of DWP funds. This retention of elements is likely the primary source of confusion and misconception. So, let’s dig into some claims.
Contents
- Myth #1: DUAA Weakens UK GDPR Protections
- Myth #2: DUAA Weakens the Right of Access or Allows Businesses to Hide Data
- Myth #3: There’s No More EU Adequacy
- Myth #4: Unrestricted Automated Decision Making is Now Allowed
- Myth #5: DUAA Removes Restrictions on AI Companies Scraping Copyrighted Data
- Myth #6: DUAA Gets Rid of Cookie Pop-ups
- Myth #7: DUAA Reduces the Need for Records of Processing Activities (RoPA)
- Myth #8: DUAA Removes or Replaces the Need to Appoint a DPO
- Why These Myths Matter
Myth #1: DUAA Weakens UK GDPR Protections
False (with an asterisk):
DUAA amends but does not replace UK GDPR, DPA 2018, or PECR
It makes clarifications and does not roll back rights; for the most part it embeds existing ICO guidelines into statute.
However, there are some areas where the language has been softened, such as in relation to international transfers. Combined with the changes to government access to data, this is the grain of truth at the heart of the myth.
Myth #2: DUAA Weakens the Right of Access or Allows Businesses to Hide Data
False:
DUAA embeds existing ICO guidelines around the application of data subject rights into statute.
The language now includes the words “proportionate” and “reasonable” in relation to searches, but these are intended for objective and consistent application and are not at the discretion of the business. Having complicated data structures (or poor structuring), data going back a long way, or simply having a large amount of data are not considered reasons for failing to provide the data requested by the individual. Likewise, if you’ve sent boxes of data to a records depository where you have to pay a retrieval fee, this is a cost of doing business.
There has been a strengthening of protections relating to data subject rights: the specific exemptions relied on, along with the justification for their application, must be provided to the individual concerned when they are being used. This is particularly notable for the use of the ‘legal privilege’ exemption.
Myth #3: There’s No More EU Adequacy
False:
The UK still maintains EU adequacy status.
DUAA introduces a new UK-based data protection test for transfers which changes the language from ‘essentially equivalent’ to ‘not materially lower’ standards. This is the test used by the government going forward when considering the adequacy of other countries.
The EU’s adequacy decision with respect to the UK for both GDPR and the Law Enforcement Directive remains in place but is under review.
Myth #4: Unrestricted Automated Decision Making is Now Allowed
False:
Strict restrictions around the use of automated decision making remain in place where the risk is high, or the data is special category (sensitive data).
However, there has been softening for less risky activities.
Appropriate lawful bases remain required and the new Recognised Legitimate Interests (RLIs) cannot be used as the basis.
The GDPR principles remain in full effect meaning that the means of achieving the objective with the least data and least risk is the path to take.
Myth #5: DUAA Removes Restrictions on AI Companies Scraping Copyrighted Data
False:
DUAA recognises that AI developers have a legitimate interest in training models on publicly available data; however, it doesn’t grant blanket permissions for data scraping.
If the data includes anything that can identify a living individual, this will still require a GDPR lawful basis and be subject to all normal data protection guardrails.
Copyright and intellectual property law is unaffected by the changes; however, developers are not obliged to inform IP holders of their activities in every instance, which may make enforcement of IP rights more challenging.
The government will be producing a report into IP and AI by the end of the year.
Myth #6: DUAA Gets Rid of Cookie Pop-ups
False:
DUAA clarifies the circumstances where ‘legitimate interests’ can be used as opposed to requiring consent in relation to cookies and other tracking technologies. These are broadly in line with existing requirements such as the delivery of key functionality, storing user preferences, and now statistical and performance tracking.
If the cookies or other trackers on web content are used to see how people use different sites or are used to learn more about the person, opt-in consent will still be required.
If your site uses cookies, you still need to tell people and give people easy control over these. This should not involve nudge tactics, giving “accept all” higher prominence, or requiring that people select or deselect dozens of options to disable them.
Tracking in email remains the same as before (notification required in all cases, consent required if there’s marketing or promotional content).
Myth #7: DUAA Reduces the Need for Records of Processing Activities (RoPA)
False:
There are no material changes here; however, this myth appears to originate from some AI summaries of reported changes across Europe. In the EU, there is a proposal to increase the employee headcount threshold for requiring a complete RoPA.
Myth #8: DUAA Removes or Replaces the Need to Appoint a DPO
False:
The requirement to appoint a DPO remains as before and relates to the scale, nature, and risk of the data being processed.
Why These Myths Matter
Misunderstandings such as these could lead businesses to breach the rights of individuals or intellectual property holders.
Likewise, they could lead businesses to take steps they don’t need to, or to fail to address important points such as updating privacy notices and documentation to match the amendments to the law.
There is also the potential for missed opportunity by focussing on changes that are not material rather than harnessing changes such as commercial research uses and legitimate interests / soft opt-in for charities.
The risk of spreading misinformation to clients, stakeholders, or the public is that it could lead to wasted effort, breached rights, fines, and compensation claims.
Staying Informed and Compliant
The ICO produces regular material regarding steps towards compliance and they will issue updates as and when secondary legislation and other changes come into effect.
The IAPP produces more independent information on a range of data protection topics along with practical resources such as risk scoring tools that are free to use.
- Clarify internally and externally what DUAA does and doesn’t change
- Use official resources and legal advice when in doubt
