Data (Use and Access) Act 2025: changes now in force

In short: The Data (Use and Access) Act 2025 commencement regulations (SI 2026/82) brought the principal data protection provisions into force on 5 February 2026. New Article 12A UK GDPR changes how the one-month DSAR period is calculated; Schedule 4 introduces five categories of recognised legitimate interest requiring no balancing test; Articles 22A to 22D replace the Article 22 prohibition on automated decision-making with a permission-plus-safeguards model; and section 112 exempts certain analytics and functionality cookies from the PECR consent requirement. The final tranche is new section 164A DPA 2018, which requires controllers to acknowledge data protection complaints within 30 days and takes effect on 19 June 2026.
The commencement picture
The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and has been brought into force in stages. The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 (SI 2026/82) brought the principal data protection provisions into force on 5 February 2026, amending the UK GDPR, the DPA 2018, and PECR. Regulation 3 of SI 2026/82 brings the data subject complaints procedure under new section 164A DPA 2018 into force on 19 June 2026. That date is eleven days from the date of this post.

| Date | Instrument | Provisions in force |
|---|---|---|
| 5 February 2026 | SI 2026/82, reg 2 | ss. 70, 76, 80, 112; Schedules 4, 6, 11, 12. New Article 12A UK GDPR (DSAR “applicable time period” and stop-the-clock); Article 6(1)(ea) and Annex 1 UK GDPR (five recognised legitimate interests, no balancing test); Articles 22A to 22D UK GDPR (recast automated decision-making); PECR reg 6 amended (analytics and functionality cookie exemptions). |
| 19 June 2026 | SI 2026/82, reg 3 | s. 103; Schedule 10. New s. 164A DPA 2018 (electronic complaints form; 30-day acknowledgment; without-undue-delay response). Article 77 UK GDPR omitted. |

Article 12A: the new subject access timeline
Section 76 of the Act introduced Article 12A UK GDPR with effect from 5 February 2026. Article 12A replaces the previous “within one month of receipt of the request” formulation in Article 12(3) with an “applicable time period” (still one month, but measured from the “relevant time”, which is the latest of: receipt of the request, receipt of any identity confirmation requested under Article 12(6), or payment of any fee). The stop-the-clock provision in Article 12A(5) is new: where a controller asks a data subject for further information to identify the scope of an Article 15 subject access request (DSAR), the period from that request to receipt of the information does not count towards the applicable time period. This provision applies only where the controller reasonably requires the information; a high volume of data held about the data subject is given by the Act as an example of a case where that requirement is satisfied. The two-month extension remains available for complex or numerous requests, but the notice must be given before the first month expires. Controllers who have not yet updated their DSAR workflows to reflect Article 12A are operating on the old formulation: the saving provision in SI 2026/82 means the new rules apply only to requests received on or after 5 February 2026.
Recognised legitimate interests: five categories without a balancing test
Section 70 of the Act inserted new Article 6(1)(ea) and a new Annex 1 into the UK GDPR. A controller processing personal data for a recognised legitimate interest (one of the five categories in Annex 1) does not need to carry out the three-step balancing test that Article 6(1)(f) otherwise requires. Parliament has determined that the legitimate interest outweighs the data subject’s rights for these categories. The five categories are: prevention or detection of crime; safeguarding vulnerable individuals, including children and adults at risk; responding to emergencies that threaten life, health, or safety; safeguarding national security or supporting defence activities; and disclosing personal data to a person who requires it to perform a task in the public interest or in the exercise of official authority. Controllers using a recognised legitimate interest are still bound by all other UK GDPR principles, including purpose limitation and data minimisation, and must still carry out a legitimate interests assessment under Article 6(1)(f) for any processing that does not fall squarely within one of the five Annex 1 categories. For a full analysis of the scope of these categories and the UK/EU divergence they represent, see our post on recognised legitimate interests under the DUAA.
Articles 22A to 22D: the recast automated decision-making regime
Section 80 and Schedule 6 of the Act replaced Article 22 UK GDPR with Articles 22A to 22D with effect from 5 February 2026. The old Article 22 default was prohibition: solely automated decisions with legal or similarly significant effects were banned unless an exception (consent, contract, or statutory authorisation) applied. The new default, under Article 22C, is permission subject to safeguards: for non-special-category data, a controller may make significant automated decisions without relying on an exception, provided the Article 22C safeguards are implemented and documented. Those safeguards include transparency to the data subject before the decision is made, a right to obtain human review of the decision, and a right to contest it. Article 22A defines a “significant decision” as one with legal effects or similarly significant consequences, and treats a decision as based solely on automated processing if there is no genuine or meaningful human involvement. Article 22B retains a prohibition on significant automated decisions based on special category data unless explicit consent or another justification applies. The practical change for most controllers is not whether automated decisions are now permitted (many were already relying on the exceptions under old Article 22) but whether the Article 22C safeguard framework is documented and operational, not merely referenced in a privacy notice. For the ICO’s approach to Articles 22A to 22D in the context of agentic AI, see our post on agentic AI data protection under the UK GDPR.
PECR and cookie consent: what section 112 changes
Section 112 of the Act amended regulation 6 of the Privacy and Electronic Communications Regulations 2003 to introduce consent-exempt categories of PECR cookies. The principal new exemptions cover two categories: cookies used for statistical purposes where the collection does not significantly affect users, and cookies used to improve website functionality. The practical effect is that standard web analytics tracking visits, page views, and navigation paths may now be placed without a consent banner, provided the analytics data is not processed in a way that significantly affects the individuals concerned. Advertising cookies, cross-site tracking, and any cookie use that goes beyond the new statutory categories still require prior consent. The ICO’s detailed guidance on the new exemptions had not been published as of the date of this post; controllers should review their cookie banners against the text of amended regulation 6 in the interim. The exemption operates as a carve-out from the consent requirement, not from the transparency obligations that run alongside it.
19 June 2026: the data protection complaints procedure
New section 164A of the Data Protection Act 2018, inserted by section 103 of the DUAA 2025, takes effect on 19 June 2026. Three obligations arise. First, a controller must facilitate the making of data protection complaints by providing an electronic complaints form, among other means (section 164A(2)). Second, if a complaint is received, the controller must acknowledge it within 30 days of receipt (section 164A(3)). Third, the controller must, without undue delay, take appropriate steps to respond and inform the complainant of the outcome, including progress updates during the handling period (sections 164A(4) and (5)). Section 103 also omits Article 77 UK GDPR (the formal right of data subjects to complain directly to the ICO), placing section 164A as the required first step in the complaints sequence. Controllers who do not have a written data protection complaints procedure, a compliant electronic complaints form, and a 30-day acknowledgment workflow need to put all three in place within eleven days. For an analysis of how section 164A interacts with the complaints procedures that telecoms operators and payment firms already operate under Ofcom and FCA rules, see our post on data protection complaints under the DUAA.
Viewpoint
The 5 February 2026 commencement was the most significant amendment to UK data protection law since the post-Brexit regime took effect. It has not produced the volume of operational change one might expect. The ICO’s guidance, written at Royal Assent in June 2025, characterised most of the changes as an opportunity to innovate rather than an immediate compliance requirement, and that framing has led a significant number of data controllers to defer updating their DSAR processes, lawful basis records, ADM documentation, and cookie banners. The data protection complaints obligation on 19 June 2026 is different: it is a hard deadline with a defined procedure, a specific timeframe, and a route that will generate an ICO complaint if controllers fail to meet it. A controller that has not updated its DSAR process since February and then fails to respond to a complaint within 30 days will face a compounded compliance failure. The 19 June 2026 deadline is the prompt to audit all four areas at once.
Bratby Law advises data controllers on DUAA 2025 implementation, including subject access request workflow reviews, lawful basis audits, Article 22C safeguard documentation, and data protection complaints infrastructure. Contact rob@bratby.law or visit our data protection practice for further information.
