The UK DUA Act’s Reform Pillars: Divergence from the EU GDPR - International data transfers

Relevant DUA Act Provisions: Schedules 7, 8 and 9; amends Chapter V UK GDPR, including Articles 44–49.

The DUA Act recalibrates the UK’s approach to international data transfers by replacing the EU GDPR’s “essential equivalence” standard for adequacy with a “not materially lower” threshold. This means that a third country’s legal framework for personal data protection no longer needs to match the GDPR in form or substance. It merely must not fall materially below UK standards. This reform affects both adequacy decisions and transfer mechanisms, signalling a more flexible, risk-based approach to cross-border data flows.

Adequacy decisions – Articles 45A and 45B: The Act amends Article 45 UK GDPR with a revised adequacy test under new Articles 45A and 45B. Under Article 45A, the Secretary of State may unilaterally issue adequacy regulations if a third country’s data protection regime is not materially lower than that of the UK. Article 45B sets out the assessment criteria, including the rule of law, enforceable data subject rights, and oversight mechanisms, but does not require a systemic or holistic assessment. Adequacy can now be granted to entire jurisdictions, specific sectors within a country, or based on specific international commitments, diverging from the EU’s centralised, holistic approach (as adopted in CJEU C-311/18 Schrems II Judgement, 16 July 2020).

Transfer mechanisms and risk assessments – Articles 46 and 47B: The DUA Act amends Article 46 to lower the standard for transfer risk assessments (TRAs) under UK GDPR, replacing the EU’s “essential equivalence” test with a “not materially lower” threshold. Under the revised Article 46(3), data exporters must assess whether the level of protection is not materially lower than that under UK GDPR, with a particular focus on whether the transfer is likely to result in material harm to data subjects.

In parallel, the DUA Act introduces a new Article 47B UK GDPR, which empowers the Secretary of State to formally approve alternative transfer mechanisms beyond standard contractual clauses (SCCs) or binding corporate rules (BCRs) as providing appropriate safeguards. These mechanisms may include sector-specific codes of conduct, certification schemes, or other instruments, and may bypass existing EU templates entirely. This raises the possibility of divergence in contract drafting, legal interpretations, and enforcement standards for data exporters operating across both UK and EU jurisdictions.

Expanded use of derogations under Article 49: The DUA Act also amends Article 49 to ease reliance on derogations for specific situations, including the “compelling legitimate interests” ground. The Act relaxes prescriptive safeguards provided that such reliance is properly documented and justified.

Divergence

The UK has shifted from the systemic adequacy model used in the EU (and confirmed in Schrems II) to a risk-based, contextual model grounded in material harm to data subjects. This divergence lowers the adequacy bar for lawful transfers from the UK and could create operational divergence for organisations managing dual EU–UK compliance regimes.

ICO commentary 

The ICO cautiously welcomed the new framework, stating that the DUA Act “enables the UK to make adequacy decisions and recognise appropriate safeguards in a more risk-based and proportionate way.” However, it emphasised that data exporters must still demonstrate accountability and implement appropriate safeguards tailored to specific transfer risks. The ICO has not provided formal guidance on what breaches the “not material harm” threshold but is expected to issue revised guidance for TRAs under the DUA Act standard.

Recommendations

  • Identify all international transfers relying on SCCs, BCRs, or adequacy decisions.
  • Assess which mechanisms may benefit from the DUA Act’s more flexible standards. Consider whether it may be more beneficial to maintain the standards of the GDPR, depending on the nature of the data being transferred and whether this may include data of EU citizens.
  • Maintain GDPR-based TIAs for EU personal data to ensure cross-jurisdictional compliance.
  • Prepare UK-specific TRA templates and addenda that reflect the new test for “not material harm”, and include enhanced accountability documentation.
  • Monitor the Secretary of State’s adequacy decisions for divergence risk, particularly in relation to onward transfers.

 

This article is part of a twelve-part series analysing the key legal reforms introduced by the Data Use and Access Act (DUA Act), which came into force on 19 June 2025. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are:

  1. Recognised legitimate interests (RLIs)
  2. Purpose limitation
  3. Automated decision-making (ADM)
  4. Data subject access requests (DSARs)
  5. Complaints handling
  6. Law enforcement and national security
  7. Age appropriate design code (AADC or Children’s Code)
  8. Scientific, historical and statistical purposes
  9. International data transfers
  10. Cookies and PECR Reform
  11. Information Commissioner’s Office (ICO) Reform
  12. Codified convergences with EU Law