Citation, interpretation and extent

1.—(1) These Regulations may be cited as the Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025.

(2) In these Regulations “the Act” means the Data (Use and Access) Act 2025.

(3) These Regulations extend to England and Wales, Scotland and Northern Ireland, except paragraph 23 of Schedule 12A to the Data Protection Act 2018(2) (inserted by Schedule 14 of the Act, commenced by regulation 2(z)), which extends to England and Wales and Northern Ireland only.

Commencement

2.  The following provisions of the Act, so far as not already in force (see section 142(2)(h) of the Act), come into force on 20th August 2025—

(a)Part 1 (access to customer data and business data);

(b)section 72 (processing in reliance on relevant international law), except—

(i)subsection (3), and

(ii)subsection (7), to the extent that it refers to Article 8A(3)(e) in the insertion of section 9A (processing in reliance on relevant international law) in the Data Protection Act 2018;

(c)section 74 (processing of special categories of personal data);

(d)section 84 (law enforcement processing and codes of conduct);

(e)section 91 (duties of the Commissioner in carrying out functions);

(f)section 92 (codes of practice for the processing of personal data);

(g)section 93 (codes of practice: panels and impact assessments);

(h)section 95 (analysis of performance);

(i)section 102 (annual report on regulatory action);

(j)section 104 (court procedure in connection with subject access requests);

(k)section 106 (protection of prohibitions, restrictions and data subject’s rights);

(l)section 107 (regulations under the UK GDPR);

(m)section 108 (further minor provision about data protection);

(n)section 109 (the PEC Regulations);

(o)section 110 (interpretation of the PEC Regulations), except subsection (2)(a) and (b) and subsection (3);

(p)section 111 (duty to notify the Commissioner of personal data breach: time periods);

(q)section 113 (emergency alerts: interpretation of time periods);

(r)section 117 (the Information Commission), except subsection (4)(a);

(s)section 125 (information for research about online safety matters);

(t)section 129 (the eIDAS Regulation);

(u)section 134 (time periods: the eIDAS Regulation and the EITSET Regulations);

(v)section 135 (economic impact assessment);

(w)section 136 (report on the use of copyright works in the development of AI systems);

(x)section 137 (progress statement);

(y)Schedule 11 (further minor provision about data protection), except paragraphs 22, 23, 25, 28, 29, 30, 31 and 32;

(z)Schedule 14 (the Information Commission).

Explanatory Note

(This note is not part of the Regulations)

These Regulations bring into force specified provisions of the Data (Use and Access) Act 2025 (c. 18) (“the Act”) on 20th August 2025. They are the first Commencement Regulations made under the Act. Certain provisions were brought into force automatically on Royal Assent by virtue of section 142(2) of the Act, and two months after Royal Assent by virtue of section 142(3) of the Act.

Regulation 2(a) commences Part 1 of the Act which relates to access to customer and business data in connection with the development of Smart Data schemes.

Regulation 2(b) to (q) and (y) commence specified provisions in Part 5 of the Act which makes amendments to certain provisions in the UK GDPR, the Data Protection Act 2018 (c. 12) and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Regulation 2(r) and 2(z) commence specified provisions in Part 6 of the Act relating to the establishment of the Information Commission.

Regulation 2(s) commences specified provisions in Part 7 of the Act which make amendments to certain provisions in the Online Safety Act 2023 (c. 50).

Regulations 2(t) and (u) commence specified provisions in Part 7 of the Act which make amendments to Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016.

Regulation 2(v) to (x) commence provisions in Part 7 of the Act relating to copyright works and artificial intelligence systems.

An impact assessment has not been prepared for this instrument as a full impact assessment was published in relation to the provisions in the Data (Use and Access) Bill.