The DUAA disproportionate effort exemption: the ICO’s draft RAS guidance
The Information Commissioner’s Office (ICO) opened consultation on 27 February 2026 on draft updated guidance for the research, archiving and statistics (RAS) provisions of UK data protection law. Responses close on 27 April 2026. The commercial novelty for controllers running long-lived datasets, AI training sets or public-interest archives is the new disproportionate effort exemption in section 77 of the Data (Use and Access) Act 2025 (DUAA), in force since 5 February 2026. The exemption can unlock secondary research use of personal data already collected, but only on terms the ICO’s final guidance will shape.
Section 77 DUAA and the transparency obligations in Articles 13 and 14 UK GDPR
Section 77 of the DUAA was brought into force on 5 February 2026 by SI 2026/82 and amends the transparency obligations in Articles 13 and 14 of the UK GDPR. Article 13 (personal data collected directly from the data subject) previously contained no disproportionate effort exemption. Article 14 (personal data not obtained from the data subject) already carried one at paragraph 5(b), which the ICO had treated restrictively in the context of long-lived datasets.
Section 77 rewrites the framework in three steps. For Article 13 it inserts new paragraphs 5 to 7, providing an exemption where the controller intends further processing for scientific or historical research, archiving in the public interest or statistical purposes, the processing complies with new Article 84B UK GDPR, and providing the information is impossible or would involve a disproportionate effort. For Article 14 it relocates the existing exemption to a new paragraph 5(e) and adds a separate exemption at paragraph 5(f) where notification would seriously impair the achievement of the processing objectives. Paragraph 6 (in both Articles) codifies the factors relevant to the disproportionate effort test.
How the disproportionate effort exemption applies
The exemption applies only where three conditions are met together. First, the onward processing must be for RAS purposes. Section 67 DUAA clarifies that “scientific research” includes any research that can reasonably be described as scientific, whether publicly or privately funded and whether commercial or non-commercial. This is an express statutory hook for commercial research and development. Second, the processing must comply with new Article 84B UK GDPR, which requires appropriate safeguards including pseudonymisation where it would meet the research purpose, data minimisation, and no use of the data for decisions affecting the individual save for approved medical research. Third, providing the information must be impossible or require a disproportionate effort on the facts.
New paragraph 6 of both Articles 13 and 14 codifies the factors: the number of data subjects, the age of the personal data, and any appropriate safeguards applied to the processing. The statute is silent on how those factors trade off. A pseudonymised dataset of five million subjects collected 15 years ago is plainly within the intended scope. A fresh dataset of 2,000 subjects is plainly outside it. The grey zone in between is where the ICO’s draft guidance matters.
The draft guidance also revises the criteria for “scientific research”, responding to what the ICO describes as stakeholder requests for clarity. Controllers should expect the final guidance to police the border between genuine research and product development rebadged as research. Paragraph 7 of each Article imposes a floor: a controller relying on the exemption must take appropriate measures to protect the data subject’s rights, including by making the information available publicly, for example via the privacy notice on its website.
| UK GDPR provision | Position before 5 February 2026 | Position after section 77 DUAA |
|---|---|---|
| Article 13 (direct collection) | No disproportionate effort exemption. Controller must notify data subjects of any further processing purpose. | New paragraphs 5 to 7: exemption available where further processing is for RAS purposes, complies with Article 84B, and notification is impossible or disproportionate effort. |
| Article 14 (indirect collection) | Exemption at paragraph 5(b); applied narrowly by the ICO. | Exemption moved to paragraph 5(e). New paragraph 5(f) added for cases where notification would seriously impair the processing objectives. |
| “Disproportionate effort” factors | Not codified. | Codified in new paragraph 6: number of data subjects, age of personal data, appropriate safeguards applied. |
| Safeguard floor | General Article 14(5)(b) proviso. | New paragraph 7: appropriate measures including making information publicly available. |
Commercial implications for AI training, long-lived archives and regulated datasets
The exemption is commercially material for three groups of controllers. AI developers using personal data from legacy datasets to train or fine-tune foundation models now have a route that does not require mass re-notification of individuals whose data was collected for a narrower original purpose. Before DUAA, Article 13 was a closed door to this kind of reuse.
Archives, universities and research institutions gain a clearer statutory basis for secondary use of long-lived datasets. Section 67 DUAA’s express recognition of commercial research means that commercial research and development operations, not only public-interest bodies, can rely on the exemption if the other conditions are met.
Controllers running regulated datasets, for example fintechs holding transaction records or telecoms operators holding traffic data, can reconsider whether historical records can be repurposed for analytics research in a way that would previously have required individual notification. The data protection analysis needs to run across the full stack of UK GDPR obligations, not just transparency.
The exemption does not remove any other UK GDPR obligation. A lawful basis under Article 6 still applies. A data protection impact assessment under Article 35 will usually be required given the scale and sensitivity of the processing. Records of processing under Article 30 must reflect the activity. International transfer rules are unchanged. The exemption relieves one obligation, transparency by direct notice, and leaves every other obligation intact. If you are weighing whether a proposed reuse of legacy personal data for AI training or analytics research qualifies for the exemption, see our guidance on AI and data governance advice.
Viewpoint
The exemption is a liberalisation of the UK regime, but narrower in practice than some of the initial commentary suggests. In our experience advising controllers on legacy data reuse, the bottleneck is rarely transparency alone. It is the combination of transparency, lawful basis, purpose limitation and DPIA that stops a proposed AI training use in its tracks. Section 77 addresses one element of that stack. The others remain.
The practical test for controllers is whether internal governance documentation can stand up to the paragraph 6 factors analysis. A controller that can evidence the number of subjects, the age of the data and the safeguards applied in a structured record will find the new exemption usable. One that cannot will find the ICO sceptical, whatever the final guidance says. The 27 April 2026 consultation deadline leaves a short window for substantive responses: the highest-value representations will target the grey zone on “scientific research” and the weighting of the paragraph 6 factors.
Key sources
- Section 77, Data (Use and Access) Act 2025
- The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 (SI 2026/82)
- ICO consultation page
- ICO Citizen Space response form
- ICO research, archiving and statistics provisions guidance
If you are considering whether the disproportionate effort exemption supports a proposed secondary use of personal data for AI training, research or analytics, contact Rob Bratby at Bratby Law.
