After much procedural back and forth between the House of Commons and the House of Lords, the Data (Use and Access) Act 2025 (“DUAA”) was enacted by Parliament back in June. The vast majority of the DUAA requires to be commenced by way of Regulations made by the Government and so its implementation will happen in tranches. On 21 July 2025, The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025 were made, bringing into force, with effect from 20 August 2025, a number of important provisions of the Act pertaining to data protection. The provisions of the 2025 Act which are coming into force are set out in Regulation 2. There are provisions coming into force on 20 August 2025 which I think deserve particular mention.
Court’s Powers in subject access and data portability cases
Section 180A of the Data Protection Act 2018, newly inserted by section 104 of the DUAA, will be in force from 20 August 2025. This provision relates to proceedings brought in the courts concerning subject access requests under Article 15 of the UK GDPR, section 45 of the Data Protection Act 2018 or section 94 of the Data Protection Act 2018, as well as data portability rights under Article 20 of the UK GDPR. This was a provision that I was surprised was not commenced right away, but it is in the first tranche of provisions to be commenced by way of Regulations.
Section 180A of the 2018 Act will, from 20 August 2025, give courts the power to require a controller to make available to the court, for inspection by it, information which is available to the controller where there is a dispute about whether the data subject is entitled to that information under those data subject rights. It also provides, expressly, that until the substantive question of whether the data subject is entitled to the information has been determined in favour of the data subject, the information made available to the court under this section is not to be disclosed to the data subject or their representatives (including by way of recovery of documents). The court cannot require the controller to carry out a search that is more extensive than the reasonable and proportionate search which the controller would ordinarily be required to carry out.
This provision is important because courts could very well be required to consider whether personal data has been properly withheld and, in the vast majority of situations, they cannot (certainly at first instance) really be expected to do so without seeing the withheld information. Supplying the withheld information to the data subject would defeat the object of the proceedings and so it cannot really be lodged with the court (at least in Scotland) in the normal way.
Consideration will need to be given as to how these procedures will work in practice to avoid issues arising under Article 6 of the European Convention on Human Rights. If the court is going to be determining issues in relation to material that only it and one other party has seen, an issue of fairness arises. There may well, in the future, be an Act of Sederunt setting out a procedure to be followed in the Scottish courts, but whether one will come and whether it will be in place in time for 20 August 2025 remains to be seen. Controllers who find themselves on the receiving end of a section 167 application which challenges the application of exemptions in the context of a subject access request (and those representing them) will likely need to turn their minds early to whether an order under section 180A will be necessary and, especially in the early days if there is no Act of Sederunt, have suggestions as to how the process can be conducted in a manner that is Article 6 compliant and which does not restrict the principles of open justice any more than is strictly necessary.
Duties of the Information Commissioner in carrying out his functions
Sections 120A, 120B, 120C and 120D of the Data Protection Act 2018 will also be coming into force on 20 August 2025. Section 120A is worth particular mention because it provides that the Commissioner’s principal objective when carrying out his functions under the data protection legislation is (a) to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest, and (b) to promote public trust and confidence in the processing of personal data. However, this is somewhat tempered by section 120B where the interests of data subjects, other than children, are completely absent.
Sections 120A, 120B, 120C and 120D, at the time of writing, do not appear on the version of the Data Protection Act 2018 published on legislation.gov.uk and so reference will, for the time being, need to be had to section 91 of the DUAA for the wording of the sections. Hopefully, the version of the Data Protection Act 2018 on legislation.gov.uk will be updated to include these provisions before 20 August. Whether these provisions will have any material impact upon the way in which the Information Commissioner regulates and enforces under the UK GDPR and Data Protection Act 2018 remains to be seen, but I suspect that they will not.
Establishment of the Information Commission
The Information Commission will also formally be established as a body corporate on 20 August 2025. It will not, however, replace the office of the Information Commissioner on that date. The provisions of the DUAA which are coming into force with respect to the Commission are those which establish it, not the assumption of the Commissioner’s powers.
With the Commission being formally established, it will allow the necessary preparatory work to be undertaken to enable the Commission to get into a position whereby it can assume the powers, duties and responsibilities of the Information Commissioner. It will allow, for example, the appointment of non-executive members of the Commission by the Secretary of State under Paragraph 3(2)(b) of Schedule 12A to the Data Protection Act 2018. John Edwards doesn’t need to be appointed separately as Chair of the Commission because he will automatically, by operation of law, be the first Chair of the Commission as the person holding office as Information Commissioner on 19 August 2025 (unless something dramatic happens in the next 3 weeks or so).
Amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003
Some, but not all, of the DUAA amendments in relation to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) are coming into force on 20 August 2025. Regulation 5A(2) will be amended to require notification to the Information Commissioner of personal data breaches under PECR to be made without undue delay “and, where feasible, not later than 72 hours after having become aware of it.” Currently only the “undue delay” requirement appears in Regulation 5A.
Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.