The Data (Use and Access) Bill: latest amendments and legal implications

The Data (Use and Access) Bill (DUAB) continues to evolve as it progresses through Parliament, with key amendments introduced during the House of Lords debates in January and February 2025.

This article examines the most recent amendments made to the DUAB since January 2025, focusing on three key areas:

1. Information regarding high-risk AI decisions
2. Automated decision-making (ADM) and scientific research
3. Children’s data protections and direct marketing rules

Recent developments

The DUAB has reached the Public Bill Committee Stage in the House of Commons, which commenced on 4 March 2025, and is expected to complete its scrutiny and report by 18 March 2025.

On 10 February 2025, the Information Commissioner's Office (ICO) issued an updated response to the Bill, broadly supporting the Bill while raising concerns about children's data protection rights and the clarity needed on Automated Decision-Making (ADM). 

Additionally, the DUAB introduces new ICO responsibilities, including ensuring specific protections for children’s personal data, overseeing web crawler use, and developing new codes of practice.  

The most recent amendments and the explanatory notes reflect the ongoing tension between promoting innovation and preserving individuals’ rights, positioning the UK’s data protection framework for significant reform.

Key amendments

1. Information regarding high-risk AI decisions

The DUAB is proposing a notable expansion of data subjects’ rights regarding AI-driven decisions.  Under the current UK GDPR, the right to an explanation applies only to  decisions made solely through automated processing.  The Bill proposes extending this right to cover decisions made “wholly or partly” by automated processing,  provided that they have legal or similarly significant effects on a data subject.

This change broadens the scope of data subjects’ rights, allowing them to request both an explanation of the decision and details of the appeal process even when human involvement plays a role.  The amendment also aligns more closely with the EU AI Act, particularly its focus on high risk AI systems.  It cites decisions impacting health, safety and fundamental rights, including access to credit, employment, healthcare or other key public or private sector services.  The DUAB strengthens transparency and accountability in AI-driven decision-making, ensuring that individuals affected by significant AI-assisted decisions have clearer rights to challenge and understand the outcomes.

Significantly the ICO has also confirmed that the government has committed to using its secondary legislation powers to require the regulator to produce two new codes of practice on solely automated decision-making and AI and on edtech.

2. Automated Decision-Making and Scientific Research

The DUAB brings significant changes to the legal framework surrounding automated decision-making (ADM) and scientific research, impacting how organisations develop AI systems, conduct research, and process personal data.

Automated Decision-Making (ADM) – Shift in Legal Framework

The removal of the general prohibition on solely automated decision-making with legal or similarly significant effects is a major proposed change. Instead, the Bill now allows ADM on any lawful basis, provided that specific safeguards are met.

• Meaningful human involvement: the Bill clarifies that ADM is permitted as long as meaningful human oversight exists, aligning with fairness and transparency principles.
• Stronger protections for special category data: ADM involving sensitive data must now demonstrate explicit safeguards, including data minimisation and impact assessments.
• ICO’s concerns: while the ICO supports the new approach, it has cautioned that removing the general prohibition on ADM could weaken individual protections. Fairness and transparency must remain enforceable under the UK GDPR principles.

Definition of Scientific Research - Introduction of a "Public Interest" Requirement

The definition of scientific research is amended, introducing a public interest requirement that limits how organisations can process personal data for research purposes.

• The definition of scientific research now explicitly includes "any research that can reasonably be described as scientific and that is conducted in the public interest".
• The ICO acknowledged that while the debate focused on AI research, Parliament opted to impose a public interest test rather than a blanket restriction.
• The ICO has confirmed it will issue guidance on interpreting "public interest" for research purposes.

3. Children's Data Protection Rights and Direct Marketing Rules

The DUAB introduces enhanced safeguards for children’s personal data, ensuring organisations take greater responsibility for protecting minors in digital environments. It also expands direct marketing permissions for charities, allowing them to use the soft opt-in mechanism.

Enhanced Protections for Children's Data

The amendments to the DUAB require organisations to consider children's "higher protection matters", particularly when processing personal data for online services likely to be accessed by children.

• New duties for data controllers: organisations must now assess and implement measures based on:
  • Ensuring appropriate technical and organisational safeguards.
  • Taking account of children’s evolving needs and awareness of data risks.
• Clarification of data protection by design: the "higher protection matters" requirement only applies to Article 25(1) (design requirements), not Article 25(2) (default settings).
• The ICO has welcomed these changes but requested further clarity from the government on how organisations should interpret "higher protection matters" in practice.

Direct Marketing – Extension of the "Soft Opt-In" to Charities

The DUAB also revises the Privacy and Electronic Communications Regulations (PECR) to allow charities to use the soft opt-in for direct marketing via email.

• Charities can now rely on the soft opt-in for email marketing where individuals:
  • Have previously donated or expressed an interest in the organisation’s work.
  • Are given a clear and easy way to opt out at any time.
• ICO’s Position: The ICO has supported this amendment but emphasised that charities must still comply with GDPR, particularly when using legitimate interests as a basis for processing.

Collective Management of Data Rights

The DUAB introduces a new provision for the collective management of data rights, allowing individuals to assign their data rights to be asserted collectively. This seeks to address the imbalance between data subjects and controllers regarding the understanding and direction of data usage within datasets.

• It aims to empower individuals by enabling collective management of their data rights
• It introduces structures or entities that can act on behalf of data subjects to manage and assert their data rights collectively.​
• It offers enhanced negotiation power for individuals, leading to more equitable data usage practices and better protection of personal data.

Comment

The DUAB is expected to become law later in 2025, assuming no major legislative delays. While certain provisions may require secondary legislation for implementation, the core reforms are likely to take effect within months of the Bill’s passage.

Businesses should now prepare for compliance with key updates in legitimate interest processing, children’s data protection, AI governance, and marketing rules. The latest amendments signal the UK’s ambition to refine its data protection landscape while maintaining regulatory flexibility in an evolving digital economy.

Related items: Looking ahead: A new year and a new UK Data Protection Law?