Relevant DUA Act Provisions:
- Schedule 2, amends Article 5(1)(b) UK GDPR (compatibility presumption).
- Section 67, inserts new Chapter 8A (Articles 84B–84D) into UK GDPR (RAS purposes).
- Section 67, preserves Article 89(1) (research safeguards).
Despite its wider goal of UK regulatory divergence, the DUA Act strategically codifies several concepts previously grounded in EU GDPR Recitals or soft-law interpretations. These statutory codifications offer operational continuity for UK–EU parallel compliance while strengthening legal certainty for UK-based controllers.
- Compatibility presumption for research (Article 5(1)(b)): Schedule 2 of the Act amends Article 5(1)(b) UK GDPR to introduce a statutory presumption that further processing for scientific, historical, or statistical (RAS) purposes is compatible with the original purpose of collection, provided specific conditions are met. This elevates the principle in Recital 50 GDPR to binding UK law. The presumption only applies where the controller satisfies the requirements in new Article 84B, including:
  - converting the personal data into non-identifiable information.
  - showing that the RAS purpose cannot reasonably be fulfilled without such processing.
  - applying appropriate safeguards under Article 84C (e.g. pseudonymisation, access controls).
- Preserved research safeguards (Article 89(1) and Chapter 8A): The Act reaffirms the core structure of Article 89(1) UK GDPR and codifies it in a new Chapter 8A, which governs lawful research processing. Under Articles 84C and 84D, controllers must implement technical and organisational safeguards, such as data minimisation, ethical oversight, and robust pseudonymisation, when relying on the compatibility presumption for research.
These provisions provide statutory clarity for UK universities, public bodies, and private research sponsors who previously operated under uncertain recital-based interpretations.
Divergence vs convergence
Unlike the EU GDPR, where compatibility for research remains a contextual and interpretive assessment, the UK has adopted a rules-based, statutory presumption model. While this provides greater clarity under UK law, it may reduce interoperability with EU rules in collaborative research settings.
ICO commentary
The ICO has recognised these areas of convergence as strategically important for reducing compliance burdens on organisations operating across both the UK and EU. In its summary of the DUA Act, the ICO noted that maintaining alignment on core structural provisions, such as purpose limitation for research and exemptions based on disproportionate effort, can support unified governance approaches, avoid duplication of effort, and provide a degree of legal continuity amid broader divergence. The ICO has also signalled that it will work to ensure interpretive consistency where possible, particularly in guidance concerning cross-border research activities and rights management.
Recommendations
- Map and harmonise policies and compliance documentation across UK and EU operations, particularly ROPAs and DPIAs, to reflect the preserved convergences in law.
- Maintain a common policy baseline across data protection governance documents to ease internal audits and regulatory engagement in dual-jurisdiction operations.
- Continue to apply the most stringent standard (e.g. contextual compatibility test or detailed LIA) where UK and EU rules diverge to ensure continuity and defensibility.
- Monitor forthcoming ICO guidance and CJEU/UK tribunal jurisprudence on further processing and public interest reuse, especially for research and law enforcement contexts.
This article is part of a twelve-part series analysing the key legal reforms introduced by the Data Use and Access Act (DUA Act), which came into force on 19 June 2025. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are: 1. Recognised Legitimate Interests (RLIs)