After weeks of parliamentary “ping-pong,” the UK’s Data (Use and Access) Bill has cleared its final hurdles and now awaits Royal Assent, at which point it becomes the Data (Use and Access) Act 2025. As we’ve said before, the Bill presents a real opportunity to build a data ecosystem that works for everyone. Not uncontroversially, it changes the UK’s data protection framework, reforming the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR), while establishing frameworks for sharing business and consumer data through smart data schemes and for digital identity verification. Yet much of its impact will depend on further measures, including secondary legislation.
Smart data schemes and ODI priorities
Part 1 of the Bill enables new smart data schemes, designed to allow individuals and businesses to share data safely with authorised third parties, to spur innovation. The ODI has long advocated for these schemes and for doing them right. We’ve recommended creating a dedicated authority to coordinate development of common data standards across sectors, ensuring that data from different industries can interoperate seamlessly. This cross-sector coordination is vital so that, for example, a person’s financial records can be readily made available to estate agents to hold a property. We were pleased to see this priority reflected in Parliament. At the Bill’s second reading in the House of Lords, Peers echoed calls for unified standards and even discussed whether an authority is needed to “drive that” alignment.
The ODI has also urged that smart data initiatives empower individuals, not just businesses. Consumers should be able to access and reuse their own data easily. We’ve previously called for extending smart data to include business-to-consumer (B2C) data portability, letting people download their personal data or move it to personal data stores they manage. The Bill aligns with this, aiming to make data sharing work for everyone. We will continue to push for regulations that embed consumer access rights alongside business data sharing. The success of Open Banking (which allowed bank customers to securely share their financial data) shows the way forward - independent implementation bodies, proper funding, and open standards will be needed to make these new schemes work across sectors. The Bill grants the government the power to establish “interface” bodies for each smart data scheme. Using those powers to develop strong, interoperable governance (with input from international standards bodies) will be key.
Digital verification services
The Bill cements the UK’s Digital Verification Services (DVS) Trust Framework into law, moving it from a voluntary beta scheme onto a statutory footing. Digital identity providers will be legally required to gain independent certification against government rules (covering privacy, security, and inclusion) and be listed on a new public DVS register. Only registered, certified providers may display an official trust mark to signal compliance. The Act also establishes governance of the DVS framework. The Office for Digital Identities and Attributes (OfDIA) is charged with oversight - managing certifications, maintaining the register, and enforcing standards – under the Secretary of State’s authority. Public bodies are empowered to share information with registered providers (at an individual’s request) to facilitate verification.
Lawmakers and stakeholders (including the ODI) stressed the importance of aligning with international standards and frameworks. The final Bill gives the Department for Science, Innovation and Technology (DSIT) and the new OfDIA the flexibility to update the trust framework rules over time, presumably allowing them to incorporate international standards administratively or via guidance, rather than by statutory mandate.
The trust framework’s success will hinge on robust privacy, transparency and interoperability. The ODI has urged the government to enable privacy-preserving, user-centric designs, including protocols such as Solid, and to ensure the framework keeps pace with international best practices. While many of ODI’s technical recommendations are only partially reflected in the legislation, the Bill’s emphasis on standards, user consent, and independent oversight aligns broadly with ODI’s calls for a trustworthy and inclusive digital identity ecosystem. We’ll continue to advocate for the careful implementation of these measures, balancing innovation with public trust and alignment with open standards.
AI and copyright - a compromise in the Lords
Ironically, the final stages of the Data Bill became dominated by a heated debate not about data or privacy, but about artificial intelligence (AI) and copyright. A cross-party group in the House of Lords, backed by high-profile creators (including Sir Elton John and Sir Paul McCartney), championed an amendment to require AI developers to disclose their use of copyrighted works when training generative AI models. Without such transparency, they argued, AI companies could scrape artists’ content at scale with no oversight or compensation: “thievery on a high scale,” as Sir Elton John described it.
The government resisted these proposals, maintaining that the AI copyright issue was too complex to resolve via last-minute amendments to this Bill (especially with an ongoing consultation and an AI-specific bill in the works). After multiple rounds of legislative back-and-forth, a compromise was reached. The government agreed to publish a detailed report on its AI and copyright policy within 6 to 9 months of the Act’s passage, including how it will enforce rules and handle AI models trained on UK content outside the UK. Some peers voiced disappointment at this outcome, but ultimately the Lords accepted the compromise and allowed the Bill to proceed. This averted a potential collapse of the entire legislation, though it leaves the question of AI and intellectual property to be settled in the months ahead. The episode underscored the balancing act between protecting creative rights and avoiding hasty regulation of AI, a debate that is sure to continue as the UK develops its AI governance regime.
Data transfers - a “not materially lower” bar and adequacy concerns
Another important change in the Bill is its approach to international data transfers. Previously, UK (and EU) law required countries receiving personal data to offer protections “essentially equivalent” to those of the UK and EU. The new Act will allow the UK Secretary of State to approve data transfers overseas if the destination’s privacy regime is “not materially lower” than the UK’s standard. This subtle lowering of the bar has raised eyebrows among privacy advocates. In early June, a coalition of civil society groups (including Open Rights Group and European Digital Rights) sent an open letter to the EU Justice Commissioner, warning that the UK is poised to diverge from GDPR norms, calling the Bill “a systematic weakening of privacy and data protection standards.”
The stakes are high because the UK’s data adequacy agreement with the EU, which allows free flow of data between the UK and Europe, is under scrutiny. The European Commission has already extended the UK’s adequacy decision to the end of 2025, buying time to assess the new reforms. The UK government insists that nothing in the Bill will jeopardise adequacy, and indeed, thus far, EU authorities have not sounded any alarms. However, the “not materially lower” test and other UK policy moves will be carefully reviewed by Brussels. The ODI shares the view that maintaining high data protection standards is essential for public trust and international business continuity. As the new rules take effect, all eyes will be on whether the UK can modernise its data laws without undermining its European adequacy status.
What happens next?
With Royal Assent imminent, attention turns to implementation. Many of the Bill’s provisions will be enabled through secondary legislation and incremental updates rather than an overnight change. Some changes, particularly those amending the UK GDPR and PECR, are expected to come into force quickly and the Information Commissioner’s Office (ICO) will see changes to its role and governance, which may influence how regulations are enforced.
In contrast, the non-personal data initiatives in the Act, like smart data schemes, will take longer to roll out. A Smart Data Council (of which ODI is a member) already exists to advise on these schemes, and we expect to see pilot programmes that expand open banking-style data portability into sectors such as energy, telecommunications, retail, property, finance and more. Getting these right will require continued collaboration between government, industry, and civil society to ensure services are interoperable, secure, and centred on citizen benefit.
Meanwhile, the government’s digital identity plans should advance under the Act’s digital verification provisions. The forthcoming GOV.UK Wallet, for instance, will seek to provide individuals with reusable digital credentials for proof of identity and eligibility (such as the planned digital driving licence), developed in partnership with private providers. If successful, this could reduce friction in online transactions and public service access. However, its success will depend on building public trust, protecting privacy, and ensuring that no one is left behind by digital-only solutions.
In summary, the Data (Use and Access) Bill/Act represents a significant and positive step forward for UK data policy, establishing a platform for innovation in data sharing and digital identity but the true measure of its success will lie in implementation. As secondary legislation unfolds, the ODI remains hopeful that, with the right standards, safeguards and user-centric design, these reforms can deliver genuine public benefit, empowering citizens with greater control over their data, stimulating responsible innovation, and ultimately building a more open and trustworthy data ecosystem in the UK.
