On 19 June 2025, the Data (Use and Access) Act 2025 (the DUAA) was granted Royal Assent and entered UK law. The provisions of the DUAA will be made applicable in stages across 2025, 2026 and, in theory, beyond, and will implement a raft of reforms across the UK data law landscape. See our blog for a summary of the DUAA.
One key area of change is the international transfer regime, where the DUAA may make it easier for businesses to transfer personal data outside of the UK once the relevant provisions have been brought into effect. While expected guidance from the newly structured Information Commission, and case law, will determine the full extent of these changes, this blog summarises what businesses need to know now about the new approach.
This blog post is part of an ongoing series unpacking the DUAA. Click here to read about other aspects of the DUAA.
Current approach to international transfers
Currently, controllers can only transfer personal data outside of the UK if: (1) the third country is covered by a UK adequacy decision; or (2) the transfer is covered by appropriate safeguards, such as the entry into an International Data Transfer Agreement. Transfers can also be made in limited circumstances when an exception applies.
If the UK government decides that a third country’s data protection regime has adequate protections, also known as an adequacy decision, data can be transferred there without appropriate safeguards. When deciding if a third country is adequate for the purposes of an international transfer, the UK government has to consider, among other factors, the impact on human rights and fundamental freedoms and the existence of supervisory institutions in that country.
When relying on appropriate safeguards, UK controllers have to conduct transfer risk assessments. One element of those risk assessments is ensuring that, post-transfer, the personal data would be protected in a way that is ‘essentially equivalent’ to the level of protection under the UK GDPR. This standard arose from the Schrems II decision, which we covered in a previous article.
A new threshold for assessing international transfers
The DUAA will introduce a new ‘data protection test’ into the UK’s international transfers regime. This will replace the current test and (once applicable) must be applied in the following two primary circumstances:
- when the UK government is making an adequacy decision about the data protection regime of a third country; and
- when a business is undertaking a transfer risk assessment and must assess the risks of the data protection regime of the third country it is transferring data to.
In both circumstances, the DUAA requires the replacement data protection test to be applied. This test will be met when the standard of protection provided for data subjects in the third country is ‘not materially lower’ than the standard of the protection provided under the UK GDPR.
It is not yet clear how ‘not materially lower’ differs from ‘essentially equivalent’ under the current regime. It will be up to the Information Commission and the UK courts to provide guidance on this point. The intention of the DUAA, however, appears to be to introduce a different, likely slightly lower, standard for making international transfers under the UK GDPR than currently exists under the EU GDPR.
The Explanatory Notes to the DUAA when originally introduced as a Bill stated that, in making an assessment of the data protection test, the Secretary of State should recognise that ‘other countries’ data protection regimes will not be identical to the UK’s in form and differences may exist given the cultural context of privacy’ and that the Secretary of State must, ‘in a holistic and contextual manner, decide whether or not the overall standard of protection is lower than the UK’s standard in a way which is material.’ The effect of this new test is likely to make it easier for both the UK government to designate certain third countries as adequate, and for businesses to carry out risk assessments when relying on appropriate safeguards. These changes may, in the aggregate, make it easier for businesses to transfer personal data outside of the UK.
A business’s existing transfer mechanism can still be compliant and provide appropriate protection if:
- it was entered into before the commencement of the new international transfers regime under the DUAA (a date to be determined by the government); and
- it otherwise satisfies the requirements of the UK GDPR international transfer regime prior to the commencement of the DUAA.
A business will need to apply the new data protection test when it enters into a new transfer mechanism to comply with the DUAA after the new transfer regime is applicable.
Introduction of transfer blacklists
The DUAA also allows the UK government to place certain countries on a transfer ‘blacklist’, banning businesses and other organisations from transferring personal data there, where the restriction is in the public interest. This approach differs from many other jurisdictions (including the EU), and allows the UK government to wholesale restrict transfers of personal data to certain countries.
Implications and next steps
The government has yet to confirm the timetable for most of the provisions to be made applicable and some commencement dates may extend into 2026 or beyond. Businesses and other organisations should consider undertaking the following steps now, to ensure readiness when the relevant provisions become applicable:
- If you have international transfer mechanisms in place already, you do not need to update them as a result of the DUAA (assuming they are already compliant with UK GDPR). When you enter into new transfer mechanisms post-commencement of the relevant DUAA provisions, you will need to apply the new transfer mechanism at that stage.
- It is possible that the UK government could use the DUAA to designate as adequate a greater number of third countries, making it easier for businesses to transfer personal data without the need for additional safeguards.
- Where you are conducting transfer risk assessments, you should consider whether your processes will need to be updated to reflect the new ‘data protection test’ so you are prepared for when it becomes applicable.
- You should proactively monitor additions to the ‘blacklist’. When jurisdictions are added to the ‘blacklist’, consider what impact that will have on your business if you are transferring personal data to those jurisdictions and what mitigations may need to be implemented.