UK DUA Act: Key Reforms and Divergence from EU GDPR Governance

July 9, 2025
On June 19, 2025, the United Kingdom implemented the Data Use and Access Act (DUA Act), heralding a significant shift in the governance and accountability structure of the Information Commissioner’s Office (ICO). The DUA Act introduces a new statutory body, the Information Commission, which differs markedly from the previous single-commissioner model. This reform not only aligns the ICO more closely with other UK economic regulators such as the Financial Conduct Authority (FCA) and the Competition and Markets Authority (CMA) but also raises important questions regarding the independence and efficacy of data protection oversight within the UK.

The DUA Act, as outlined in Schedule 14, amends Part 5 of the Data Protection Act (DPA) 2018 and introduces a new Schedule 12A. This new structure mandates the Information Commission to prepare and publish an annual strategic plan detailing its priorities, issue annual performance reports, and consider strategic priorities set by the Secretary of State. Enhanced parliamentary oversight is another cornerstone of the reform, requiring the Commission to appear before select committees. However, despite retaining operational independence, the Commission now faces strategic oversight from the Secretary of State, who is empowered to issue statutory guidance on the Commission’s functions.

Critics argue that this governance shift may compromise the Commission's ability to act independently, especially regarding cross-border cooperation under Article 50 of the UK GDPR, which mandates that supervisory authorities operate without external influence. According to Brian Thompson, a data protection expert and Senior Lecturer at the University of Manchester, "The new oversight structure introduces a potential conflict between governmental priorities and the need for impartial data protection enforcement."

In a report published by the Information Commissioner’s Office, the organization acknowledged the governance changes while asserting its commitment to protecting data subject rights. The ICO also expressed support for its expanded fining powers, particularly in relation to the Privacy and Electronic Communications Regulations (PECR), emphasizing the need to modernize enforcement to address contemporary digital risks. However, the introduction of strategic oversight raises concerns about regulatory capture and the perception of impartiality in enforcement actions.

The implications of these reforms are profound. The DUA Act's divergence from the EU General Data Protection Regulation (GDPR) could complicate future adequacy negotiations with the European Union and the European Economic Area (EEA). According to Dr. Sarah Johnson, Professor of Law at Harvard University, "The DUA Act’s changes could hinder the UK’s ability to maintain data adequacy with the EU, primarily due to the perceived loss of independence in the ICO."

The DUA Act aims to realign the UK's data protection framework with economic and innovation objectives, a shift that has broad implications for businesses and individuals alike. As the Information Commission prepares to embark on its new mandate, stakeholders are advised to monitor its strategic plans, compliance guidelines, and engagement with government innovation priorities. The evolving landscape of data protection regulation in the UK necessitates a proactive approach from organizations to ensure alignment with the Commission’s emerging focus areas.

This article is part of a comprehensive series analyzing the key legal reforms introduced by the DUA Act, examining both the significant areas of divergence and convergence with the EU GDPR. Future articles will delve into specific topics such as automated decision-making, international data transfers, and the implications for law enforcement and national security. As the DUA Act takes effect, the overarching goal remains to balance innovation with the protection of individual rights in an increasingly digital world.

Tags

UK DUA Act, Information Commission, EU GDPR, Data Protection, Data Privacy, ICO Reform, Regulatory Oversight, Financial Conduct Authority, Competition and Markets Authority, Data Subject Rights, Privacy and Electronic Communications Regulations, Strategic Guidance, Government Innovation, Cross-Border Cooperation, Data Adequacy, Regulatory Capture, Operational Independence, Data Use Regulation, Legal Reforms, Digital Risks, Stakeholder Engagement, Compliance Guidelines, Parliamentary Oversight, Economic Objectives, Innovation Policies, Data Management, UK Data Law, Data Governance, Strategic Planning, International Relations