The Data (Use and Access) Act 2025 (DUAA) received royal assent on 18 June 2025, introducing targeted reforms to the UK's data protection framework. Some provisions came into force earlier this year, whilst most will be implemented throughout 2026. For technology companies - from AI developers to SaaS providers - DUAA presents both opportunities and compliance challenges that require attention.
Automated Decision-Making: A Game-Changer for AI
One of DUAA's most significant changes is the relaxation of restrictions on automated decision-making (ADM). Previously, solely automated decisions with legal or similarly significant effects were generally prohibited unless necessary for a contract, authorised by law, or based on explicit consent. DUAA introduces a more flexible framework, allowing organisations to use any lawful basis (including legitimate interests, but excluding the new recognised legitimate interests basis for ADM) provided appropriate safeguards are in place.
These safeguards include providing clear information about the logic involved in the decision-making; allowing individuals to make representations; ensuring meaningful human intervention in the decision-making process; and enabling individuals to contest decisions. Critically, DUAA clarifies that "meaningful human intervention" must be substantive and informed—the human reviewer must be able to challenge or override the AI system. This is particularly relevant for tech companies deploying AI-driven systems in recruitment, credit scoring, or customer service.
The prohibition on using special category data (including health, racial or ethnic origin, and biometric data) in solely automated decisions with legal or similarly significant effects remains, unless based on explicit consent or authorised by law on the basis of substantial public interest with appropriate safeguards. Tech companies must audit their AI systems to identify ADM processes, ensure robust human review mechanisms are built in, and prepare for forthcoming ICO guidance on what constitutes "meaningful" intervention.
Legitimate Interests: New Flexibility for Tech Operations
DUAA introduces non-exhaustive statutory examples of processing activities that may qualify as legitimate interests under Article 6(1)(f) of the UK GDPR, including network and information security, intra-group data sharing for administrative purposes, and direct marketing (subject to individual rights to object). For technology companies, the network security example is particularly valuable, explicitly recognising that monitoring network traffic and user access logs to detect and prevent cyber-attacks may constitute legitimate interests.
This provides clearer legal footing for cybersecurity operations, though tech companies must still conduct legitimate interest assessments demonstrating necessity and balancing individual rights. Additionally, DUAA introduces a new "recognised legitimate interests" basis with specific categories set out in Schedule 1 to the UK GDPR (as amended), including processing for purposes of national security, defence, public security, the prevention, investigation, detection or prosecution of criminal offences, and protecting individuals at risk of harm. This basis may be relevant for tech companies working with law enforcement or in security-critical sectors, though it cannot be used for automated decision-making with legal or similarly significant effects.
Data Subject Access Requests: Practical Relief
DUAA codifies that organisations need only conduct reasonable and proportionate searches when responding to subject access requests (SARs), taking into account the nature and complexity of the request and the resources available - welcome news for technology companies managing vast datasets. The Act also introduces a "stop the clock" mechanism, allowing companies to pause the one-month response timeframe when they reasonably require further information from the data subject to locate the requested data or verify the requester's identity. Tech companies should update SAR procedures and train staff to recognise when extensions or pauses are appropriate.
Cookies and Analytics: Reduced Friction
DUAA will relax the Privacy and Electronic Communications Regulations (PECR) consent requirements for cookies and similar technologies used exclusively for certain purposes including audience measurement and web analytics, provided these do not track users across different websites or apps, users are clearly informed about the processing, and straightforward opt-out mechanisms are provided. This could significantly reduce friction for tech companies relying on analytics to improve user experience, though clear communication and opt-out options remain essential.
International Transfers: Divergence from EU Standards
DUAA creates a UK-specific framework for international data transfers allowing transfers to countries where data protection standards are "not materially lower" than those in the UK - a potentially lower threshold than the EU's "essentially equivalent" requirement under Article 45 of the GDPR, though the practical difference remains to be tested. Whilst this offers flexibility for UK-based transfers, tech companies with EU operations must monitor potential impacts on the UK's adequacy decisions from the European Commission and maintain contingency plans, including potentially implementing Standard Contractual Clauses or other appropriate safeguards for EU-UK transfers.
Next Steps for Tech Companies
Technology companies should audit AI and ADM systems, update legitimate interests assessments, prepare enhanced DSAR procedures, review cookie policies, and monitor commencement regulations and ICO guidance. Proactive preparation will enable tech companies to leverage DUAA's flexibilities whilst maintaining robust compliance in an evolving regulatory landscape.