Breakdown of the Data (Use and Access) Act 2025: Implications for Northern Ireland and EU Adequacy.

Cassie Connolly

The Data (Use and Access Act) 2025 (DUAA) represents the most far-reaching reform of the

United Kingdom’s post-Brexit data-governance framework. Enacted on the 19^th  of June and gradually rolling out over the next few months, the act introduces the new lawful bases for processing, recalibrates the rules governing public-sector access for data and restructures elements of the UK’s international transfer regime.

Although framed by the UK government as pro-innovation and a pro-growth measure, the DUAA has also triggered renewed scrutiny from the European Union, particularly as the UK’s existing adequacy decision under article 45 GDPR is due for review in December 2025. For Northern Ireland (NI), this outcome will have pronounced legal significance due to the economic and data-sharing relationships on the island.

Post-Brexit landscape and Adequacy framework

Under article 45 GDPR the European Commission may determine that a third country maintains an ‘adequate level of protection’ for personal data as an EU member state. This permits data to freely flow between the EU and UK without additional safeguards. The Commission’s 2021 adequacy decision for the UK was time-limited and subject to ongoing monitoring. It expired in June 2025 but was granted an extension until December 2025. Post-Brexit divergence was always anticipated; however the DUAA is the first large-scale structural divergence since adequacy was granted.

The Commission’s adequacy assessment focuses on several elements:

1.     A substantive level of data protection;

2.     Safeguards surrounding access by public authorities;

3.     Effective oversight and redress; and

4.     The stability and foreseeability of the legal framework

The DUAA reforms touch directly on (1) and (2) and indirectly on (3) and (4), making its enactment particularly salient for the 2025 review.

Key Reforms introduced by the DUAA

1.     Reform of lawful bases and Purpose Limitation

The DUAA expands processing through the creation of “recognised legitimate interests”, a category of activities, including safeguarding, national security and public interest functions, that no longer require the traditional GDPR balancing test. This shifts the UK model away from the fundamental-rights driven logic of the GDPR and toward an outcome-based, administratively-efficient framework.

Likewise, modifications to purpose limitation and the reuse of personal data for research and public services loosen the strict compartmentalisation found in EU law. While these reforms may accelerate innovation, they introduce uncertainty regarding the ongoing equivalence of safeguards that underpin EU adequacy.

2.     Automated Decision-Making

The DUAA relaxed restrictions on automated decision-making by allowing certain high impact decisions to be made without a guarantee of human review, highlighted in article 22 GDPR. This is a meaningful divergence from EU norms and may factor into the decision of whether UK law continues to respect data subjects’ fundamental rights, particularly concerning transparency.  

3.     Oversight and Regulatory Structure

Changes to the Information Commissioner’s Office (ICO), including revised duties, governance reforms, may be interpreted by the EU as a shift away from the institutional independence required under article 45 GDPR. The CJEU has repeatedly stressed independence as a core component of essential equivalence.

4.     International transfers

Perhaps the most consequential reform concerns international transfers. The DUAA replaces the EU’s ‘essentially equivalent’ test with a UK-specific ‘data protection test’, requiring that foreign protections not be ‘materially lower’ than those of the UK.

In practice it grants the secretary of state significant discretion, enabling the UK to expand the network of recognised countries more rapidly than the EU. However, this increased discretion is precisely what risks undermining EU confidence in UK adequacy, especially if the UK begins recognising countries the EU regards as insufficiently protective.

Growing EU scrutiny

Commentary from academics  and EU institutions indicates heightened scrutiny of UK reforms in light of  CJEU judgements (Schrems I and II) and the politics of post-Brexit divergence. The EU adequacy framework is conservative by design: adequacy decisions have been suspended or invalidated when domestic surveillance practice falls below required standards. The UK’s move towards a more permissive transfer regime therefore introduces genuine political and legal uncertainty, especially with the upcoming renewal in December.

Comparing the DUAA and the EU AI Act

The DUAA and the EU AI act embody opposite regulatory philosophies. The DUAA aims to ease data use, reduce compliance burdens, and widen public-sector access to personal data. In contrast, the EU AI Act adopts a precautionary, risk-based model, imposing stringent ex ante obligations on high-risk AI, restricting biometric surveillance and embedding transparency duties across all areas of AI.

This divergence is relevant for adequacy. As the EU tightens rights-based regulation around data-intensive technologies, the UK is moving in a direction of increased regulation and scrutiny, placing further pressure on the Commission’s equivalence assessment.

Northern Ireland’s Distinct Position

Northern Ireland’s unique constitutional and economic position heightens the consequences of any loss of adequacy.Cooperation between NI and the Republic of Ireland (ROI) is deeply integrated across health, policing, environmental regulation, education, social services and emergency planning. Many of these interactions involve continuous, routine data sharing.

A particularly concerning example arises in cross-border healthcare. Patients in the republic frequently travel to private specialists in the North. Similarly NI residents access hospital care in ROI under the Waiting List Reimbursement Schemein NI and the Northern Ireland Planned Healthcare Scheme in ROI. These pathways require constant movement of medical records, imaging data and referrals.

If adequacy status were not renewed, all such flows would become international transfers requiring International Data Transfer Agreements and Transfer Risk Assessments (TRA). As these exchanges involve special category data, the bar for TRAs is significantly higher. Guidance from Schrems II highlights that controllers must analyse surveillance powers and redress mechanisms in the receiving state.

If the DUAA is perceived to expand public sector access or dilute safeguards, TRAs for health data may become extremely difficult, impossible even, in some cases due to supplementary measures such as encryption, which is often incompatible with clinical needs. This would impose major administrative burdens on hospitals and public authorities on both sides of the border, diluting patient care and increasing waiting times.

This example therefore illustrates why adequacy is not optional for NI. It is the legal structure enabling essential public service delivery with an all-island approach. The challenges extend beyond healthcare. Police cooperation, cross-border companies and transport management all rely on data that flows between the two. Replacing adequacy with contractual mechanisms would impose disproportionate burdens on small businesses and local authorities, already operating under resource constraints. This also risks undermining elements of the Good Friday Agreement that depends on practical cross-border partnership.

Conclusion

The DUAA marks a decisive shift in UK data protection policy towards regulatory flexibility. For most of the UK the implications of this shift are primarily economic. For NI, they are structural. Any weakening of EU confidence threatens not only commercial certainty but also the functionality of essential cross-border public services. As the EU reassesses the UK’s adequacy decision, the cumulative effect of the DUAA’s divergence will be pivotal. The DUAA’S legacy will therefore depend on whether the UK can balance innovation with sufficient safeguards to sustain EU trust. For NI, maintaining this trust is indispensable.