The Data (Use and Access) Act 2025 (Commencement No. 3 and Transitional and Saving Provisions) Regulations 2025
These regulations set commencement dates for parts of the Data (Use and Access) Act 2025, amending the Data Protection Act 2018.
Sections 79 and 88 (legal professional privilege and national security exemptions) come into force immediately, while sections 89 and 90 (joint processing by intelligence and authorities) commence on November 17, 2025.
Transitional provisions protect data subjects' rights previously established under the 2018 Act until the 2025 Act changes come into effect.
Arguments For
Facilitating the timely implementation of the Data (Use and Access) Act 2025: The regulations establish clear commencement dates for key provisions, enabling a smoother transition and ensuring the Act's objectives are met promptly.
Providing clarity and certainty for data controllers and subjects: The specified commencement dates, coupled with transitional provisions, minimize confusion and legal uncertainty during the implementation phase. The transitional provisions safeguard existing rights and obligations under the Data Protection Act 2018.
Protecting national security and legal professional privilege: Sections 79 and 88, concerning legal professional privilege and national security exemptions, are prioritized for immediate commencement, highlighting their importance to public interest.
Ensuring a coordinated approach to data protection and security: The regulations coordinate the commencement of various related sections of the 2025 Act and manage the interplay with the existing 2018 Act, minimizing disruption.
Arguments Against
Potential for unforeseen consequences from the phased commencement: The separate commencement dates for different sections of the Act might create inconsistencies or complexities in how data protection operates during the transition period.
Insufficient transitional provisions for specific cases: The transitional measures laid out in the regulations may not be comprehensive enough to address every conceivable situation that may arise after commencement. Further legislation could be needed later to address issues that were not foreseen.
Burden on data controllers and compliance officers: The need to adapt to the changes brought about by new sections and navigate the transitional provisions places additional burdens on data controllers who must ensure compliance with the regulations.
Lack of wide public consultation before implementation: The scope of public engagement and consultation in the lead up to the implementation of these specific regulations is unknown and could have been greater to ensure a more widely palatable and inclusive outcome.
- Citation and interpretation (1) These Regulations may be cited as the Data (Use and Access) Act 2025 (Commencement No. 3 and Transitional and Saving Provisions) Regulations 2025. (2) In these Regulations— “the 2018 Act” means the Data Protection Act 2018; “the 2025 Act” means the Data (Use and Access) Act 2025; “the Commissioner” has the same meaning as in section 3(8) of the 2018 Act; “controller” has the same meaning as in section 3(6) of the 2018 Act; “data subject” has the same meaning as in section 3(5) of the 2018 Act; “the relevant time” means the time when sections 79 and 88 of the 2025 Act come into force.
This section provides the title of the regulations and defines key terms used throughout the document.
The definitions are cross-referenced to establish consistency and clarity by using terms already defined in previous legislation - the Data Protection Act 2018 and the Data (Use and Access) Act 2025.
- Commencement (1) The following provisions of the 2025 Act come into force on the day after the day on which these Regulations are made— (a) section 79 (legal professional privilege exemption); (b) section 88 (national security exemption). (2) The following provisions of the 2025 Act, so far as not already in force, come into force on 17th November 2025— (a) section 89 (joint processing by intelligence services and competent authorities); (b) section 90 (joint processing: consequential amendments).
This section specifies the commencement dates for sections 79, 88, 89, and 90 of the 2025 Act.
Sections 79 and 88, related to legal professional privilege and national security, take effect immediately following the regulations' making.
Sections 89 and 90, concerning joint data processing by intelligence services, commence later, on November 17, 2025.
- Transitional and saving provision relating to data subjects’ rights to information: legal professional privilege exemption Section 79 of the 2025 Act does not affect the application of Chapter 3 (rights of the data subject) of Part 3 (law enforcement processing) of the 2018 Act in a case in which a controller received a request under a section of that Chapter before the relevant time.
This section ensures the legal professional privilege exemption (section 79 of the 2025 Act) does not retroactively affect data subject rights under the 2018 Act.
Data subject requests received before section 79's effective date remain governed by the previous legislation, providing continuity for ongoing processes.
- Transitional and saving provisions relating to the national security exemption (1) Section 88 of the 2025 Act does not affect the application of— (a) Chapter 3 of Part 3 of the 2018 Act, in a case in which a controller received a request under a section of that Chapter before the relevant time; (b) section 51 (exercise of rights through the Commissioner) of the 2018 Act, in a case in which the Commissioner received a request under that section before the relevant time; (c) sections 67 and 68 (obligations relating to personal data breaches) of the 2018 Act, in a case in which a personal data breach (within the meaning given by section 33(2) of the 2018 Act) occurred before the relevant time; (d) section 119 (inspection of personal data) of the 2018 Act, in a case in which a controller received written notice under that section before the relevant time; (e) Schedule 13 (other general functions of the Commissioner) to the 2018 Act, in a case in which the Commissioner— (i) commenced enforcement action pursuant to paragraph 1(1)(a) of that Schedule, before the relevant time; or (ii) received information under paragraph 1(1)(g) of that Schedule, before the relevant time; (f) sections 142 to 154 (enforcement) of, and Schedule 15 (powers of entry and inspection) to, the 2018 Act, in relation to any of the following which is received by a controller before the relevant time— (i) an information notice; (ii) an assessment notice; (iii) an enforcement notice; (g) section 173 (alteration of personal data to prevent disclosure) of the 2018 Act, in a case in which a controller received a request pursuant to that section before the relevant time; (h) section 187 (representation of data subjects) of the 2018 Act, in a case in which, before the relevant time, a body or other organisation authorised to act on behalf of a data subject in accordance with that section— (i) made a complaint to the Commissioner under section 165 (complaints by data subjects); (ii) made an application to the Tribunal under section 166 (orders to progress complaints); (iii) made an application to the court under section 167 (compliance orders); or (iv) brought judicial review proceedings. (2) Section 88 of the 2025 Act does not affect the application of section 79(2) to (13) of the 2018 Act to a certificate issued under section 79(1) before the relevant time.
Similar to Regulation 3, this section provides transitional provisions for the national security exemption (section 88 of the 2025 Act).
It specifies that various provisions of the 2018 Act continue to apply to actions, requests, or events that occurred before section 88's effective date, preventing retroactive impacts on existing legal processes and obligations.