Home / News & insights / Insights / How do we manage copyright law and AI? The Data (Use and Access) Act 2025 offers some answers

How do we manage copyright law and AI? The Data (Use and Access) Act 2025 offers some answers

Posted on in Commercial and Tech

How do we manage copyright law and AI? The Data (Use and Access) Act 2025 offers some answers

The UK’s digital and data landscape continues to evolve at pace and an important step taken on 19 June 2025, was the Data (Use and Access) Act 2025 (the DUAA) receiving Royal Assent.

The DUAA is designed to modernise the UK’s data regime and prepare the ground for Artificial Intelligence (AI) regulation. It updates existing data protection rules, creates new frameworks for digital identity and smart data schemes, restructures the Information Commissioner’s Office (ICO), and, crucially, sets out the process for deciding how copyright law should apply to AI training.

While the Act spans a wide range of areas, there are a number of provisions which are particularly relevant for businesses:

  1. AI and copyright - a framework in progress

The Act does not immediately alter copyright rules for AI training. Instead, it establishes a staged process:

  • The Secretary of State must publish an economic impact assessment of options raised in the AI and Copyright Consultation, including licensing, opt-out rights and transparency measures.
  • A progress statement is required by 19 December 2025 if the assessment/report is not yet published, with the full assessment and report due by 19 March 2026.

These reviews will inform whether future reforms impose obligations such as disclosure of training data, new opt-out mechanisms for rights holders, or even a statutory licensing scheme. Each would mark a significant change for both AI developers and creators.

  1. Adjustments to data protection law

The DUAA introduces targeted reforms to existing data protection rules:

  • Subject Access Requests (SARs): The Act clarifies timing and scope, introducing a stop-the-clock where organisations need more information from the requester and emphasising reasonable and proportionate searches. The existing “manifestly unfounded or excessive” refusal standard continues to apply.
  • Legitimate Interests: A new statutory list of “Recognised Legitimate Interests” (including crime prevention, safeguarding, and emergency response) provides a lawful basis without a case-by-case balancing test, though necessity still applies.
  • Automated Decision-Making: Broader use of algorithmic systems is permitted, subject to safeguards such as transparency, the ability to make representations, and human oversight.
  • Research: Clarifies that “scientific research” includes commercial and historical projects, with more flexible consent where specific future uses cannot be identified in advance.
  • Children’s data: Strengthens requirements for services likely to be accessed by children to embed privacy protections by design, building on the ICO’s Children’s Code.
  • Complaints handling: Individuals must first raise complaints directly with organisations before contacting the ICO. Businesses must acknowledge complaints within 30 days and respond without undue delay.
  • Cookies and tracking: The Act amends the Privacy and Electronic Communications Regulations (PECR) to allow certain low-risk analytics (e.g., statistical cookies to improve a service) to be set without consent via new exceptions. Consent remains required for higher-risk activities such as targeted advertising.
  • Sanctions: Maximum fines under Privacy and Electronic Communications Regulations are aligned with UK GDPR levels (up to £17.5m or 4% of global turnover).

  1. International data transfers

A new, more flexible “data protection test” replaces sole reliance on adequacy decisions. The Secretary of State may authorise transfers where protections are not “materially lower” than UK standards. This could streamline cross-border data flows, though it differs from the EU’s stricter adequacy-based model.

  1. Digital Verification Services (DVS)

The Act creates a statutory framework for digital identity systems, including:

  • A government-backed register of approved providers (with a trust mark).
  • Standards for secure identity verification and e-signatures.
  • A pathway for businesses to adopt digital ID solutions in place of paper-based processes.

  1. Smart data schemes

Building on the Open Banking model, the DUAA supports “smart data” initiatives to enable secure data sharing across sectors such as energy, telecoms and transport. These schemes are designed to promote competition, enhance innovation, and potentially strengthen fraud detection through real-time data access.

  1. Information Commissioner’s Office restructuring

The Information Commissioner’s Office is reconstituted as the Information Commission, overseen by a Chair and Board. The Commission gains expanded enforcement powers, including the ability to compel interviews, issue inspection notices, and conduct audits. These reforms aim to reinforce accountability and international credibility.

Why The Data (Use and Access) Act 2025 matters?

The Act signals a deliberate shift: the government intends to manage AI and copyright through staged, evidence-driven policymaking. For businesses, the implications are clear:

  • AI developers should prepare for possible disclosure or licensing obligations.
  • Rights holders and creators should assess how their works may be used in training models and consider engaging with new licensing frameworks.
  • Data-driven organisations may find opportunities in smart data and digital ID schemes that support both innovation and fraud prevention.
  • Any business deploying generative AI must track developments closely, as future reforms could directly impact model availability and legality in the UK.

What comes next for The Data (Use and Access) Act 2025?

The DUAA is being implemented in stages through commencement regulations:

  • 20 August 2025: The first commencement regulations brought parts of the Act into force, including technical provisions, new ICO objectives, and government duties on AI and copyright reporting.
  • By 19 December 2025: If the final report is not ready, the government must publish a progress statement on AI and copyright.
  • By 19 March 2026: The government must publish both the economic impact assessment and the full report on the use of copyright works in AI training.
  • Further regulations in late 2025 and 2026: Provisions on smart data, digital verification services, data protection reforms, PECR changes, and the transition to the new Information Commission will be commenced in phases, with timing dependent on government regulations and appointments.

The most consequential changes will hinge on government reports due by December 2025 and March 2026. These may pave the way for new obligations such as transparency around training data, opt-out rights for creators, or even statutory licensing.

Each would represent a significant shift from the UK’s current light-touch approach. For organisations across the AI value chain, the next year will be critical to assess risks, adapt strategies, and engage with policymakers.

How Hamlins can help

Hamlins Commercial and Tech team support clients across multiple industries, sharing commercial and regulatory expertise and advising on the protection of intellectual property rights and AI use. If you would like a conversation about how we can help you navigate changes impacting your business, please get in touch