The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025
The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025 bring into force various sections of the Data (Use and Access) Act 2025, effective August 20, 2025.
These sections cover aspects such as access to customer and business data, amendments to the UK GDPR and Data Protection Act 2018, the establishment of the Information Commission, and provisions related to online safety, eIDAS regulations, copyright, and AI. The regulations specify which subsections of each section come into force, and their geographical extent across the UK.
Arguments For
Improved Data Access and Use: The regulations facilitate the commencement of provisions designed to improve access to and use of data, potentially stimulating innovation and economic growth.
Enhanced Data Protection: The regulations bring into force amendments to existing data protection legislation, strengthening individual rights and promoting better data handling practices.
Strengthened Regulatory Framework: The establishment of the Information Commission, as facilitated by these regulations, provides a more robust regulatory framework for data protection and use.
Alignment with International Standards: The regulations help align UK data legislation with international standards, promoting cross-border data flows and cooperation.
Arguments Against
Implementation Challenges: Implementing the new regulations may present challenges, including updating existing systems and processes, and ensuring compliance across various sectors.
Unintended Consequences: The introduction of new regulations may result in unintended consequences that were not fully anticipated during the legislative process.
Resource Constraints: Implementing the new provisions could place a strain on resources for businesses, organizations, and regulatory bodies.
Potential for Regulatory Overreach: Some stakeholders may argue that certain provisions in the Act constitute regulatory overreach and may stifle innovation or impose undue burdens on businesses.
- Citation, interpretation and extent (1) These Regulations may be cited as the Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025. (2) In these Regulations “the Act” means the Data (Use and Access) Act 2025. (3) These Regulations extend to England and Wales, Scotland and Northern Ireland, except paragraph 23 of Schedule 12A to the Data Protection Act 2018 (inserted by Schedule 14 of the Act, commenced by regulation 2(z)), which extends to England and Wales and Northern Ireland only.
This section provides the official title and citation for these regulations.
They're officially called the Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025.
It also clarifies that 'the Act' refers to the Data (Use and Access) Act 2025 and specifies their application across all four nations of the UK, with a single exception noted regarding the Data Protection Act 2018.
- Commencement The following provisions of the Act, so far as not already in force (see section 142(2)(h) of the Act), come into force on 20th August 2025— (a) Part 1 (access to customer data and business data); (b) section 72 (processing in reliance on relevant international law), except— (i) subsection (3), and (ii) subsection (7), to the extent that it refers to Article 8A(3)(e) in the insertion of section 9A (processing in reliance on relevant international law) in the Data Protection Act 2018; (c) section 74 (processing of special categories of personal data); (d) section 84 (law enforcement processing and codes of conduct); (e) section 91 (duties of the Commissioner in carrying out functions); (f) section 92 (codes of practice for the processing of personal data); (g) section 93 (codes of practice: panels and impact assessments); (h) section 95 (analysis of performance); (i) section 102 (annual report on regulatory action); (j) section 104 (court procedure in connection with subject access requests); (k) section 106 (protection of prohibitions, restrictions and data subject’s rights); (l) section 107 (regulations under the UK GDPR); (m) section 108 (further minor provision about data protection); (n) section 109 (the PEC Regulations); (o) section 110 (interpretation of the PEC Regulations), except subsection (2)(a) and (b) and subsection (3); (p) section 111 (duty to notify the Commissioner of personal data breach: time periods); (q) section 113 (emergency alerts: interpretation of time periods); (r) section 117 (the Information Commission), except subsection (4)(a); (s) section 125 (information for research about online safety matters); (t) section 129 (the eIDAS Regulation); (u) section 134 (time periods: the eIDAS Regulation and the EITSET Regulations); (v) section 135 (economic impact assessment); (w) section 136 (report on the use of copyright works in the development of AI systems); (x) section 137 (progress statement); (y) Schedule 11 (further minor provision about data protection), except paragraphs 22, 23, 25, 28, 29, 30, 31 and 32; (z) Schedule 14 (the Information Commission).
This section details the specific parts and sections of the Data (Use and Access) Act 2025 that come into effect on August 20th, 2025.
This includes provisions on data access, processing, law enforcement, the Information Commissioner's duties, codes of practice, data breach notification, online safety, and the eIDAS Regulation.
Note that some subsections within these sections are excluded from immediate commencement.
Explanatory Note (This note is not part of the Regulations) These Regulations bring into force specified provisions of the Data (Use and Access) Act 2025 (c. 18) (“the Act”) on 20th August 2025. They are the first Commencement Regulations made under the Act. Certain provisions were brought into force automatically on Royal Assent by virtue of section 142(2) of the Act, and two months after Royal Assent by virtue of section 142(3) of the Act. Regulation 2(a) commences Part 1 of the Act which relates to access to customer and business data in connection with the development of Smart Data schemes. Regulation 2(b) to (q) and (y) commence specified provisions in Part 5 of the Act which makes amendments to certain provisions in the UK GDPR, the Data Protection Act 2018 (c. 12) and the Privacy and Electronic Communications (EC Directive) Regulations 2003. Regulation 2(r) and 2(z) commence specified provisions in Part 6 of the Act relating to the establishment of the Information Commission. Regulation 2(s) commences specified provisions in Part 7 of the Act which make amendments to certain provisions in the Online Safety Act 2023 (c. 50). Regulations 2(t) and (u) commence specified provisions in Part 7 of the Act which make amendments to Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016. Regulation 2(v) to (x) commence provisions in Part 7 of the Act relating to copyright works and artificial intelligence systems. An impact assessment has not been prepared for this instrument as a full impact assessment was published in relation to the provisions in the Data (Use and Access) Bill.
This explanatory note provides context and background information on the regulations.
It explains that these are the first commencement regulations under the Data (Use and Access) Act 2025, outlining which parts of the Act are brought into force by these regulations and when.
The note also clarifies that some provisions had previously come into force after royal assent.
Finally, it notes that a separate impact assessment was conducted during the bill's progress.