Relevant DUA Act Provisions: Schedules 7, 8 and 9; amends Chapter V UK GDPR, including Articles 44–49.
The DUA Act recalibrates the UK’s approach to international data transfers by replacing the EU GDPR’s “essential equivalence” adequacy standard with a “not materially lower” threshold. This means that a third country’s legal framework for personal data protection no longer needs to match the GDPR in form or substance; it merely must not fall materially below UK standards. This reform affects both adequacy decisions and transfer mechanisms, signalling a more flexible, risk-based approach to cross-border data flows.
Adequacy decisions – Articles 45A and 45B: The Act amends Article 45 UK GDPR with a revised adequacy test under new Articles 45A and 45B. Under Article 45A, the Secretary of State may unilaterally issue adequacy regulations if a third country’s data protection regime is not materially lower than that of the UK. Article 45B sets out the assessment criteria, including the rule of law, enforceable data subject rights, and oversight mechanisms, but does not require a systemic or holistic assessment. Adequacy can now be granted to entire jurisdictions, specific sectors within a country, or based on specific international commitments, diverging from the EU’s centralised, holistic approach (as adopted in CJEU C-311/18 Schrems II judgment, 16 July 2020).
Transfer mechanisms and risk assessments – Articles 46 and 47B: The DUA Act amends Article 46 to lower the standard for transfer risk assessments (TRAs) under UK GDPR, replacing the EU’s “essential equivalence” test with a “not materially lower” threshold. Under the revised Article 46(3), data exporters must assess whether the level of protection is not materially lower than that under UK GDPR, with a particular focus on whether the transfer is likely to result in material harm to data subjects.
In parallel, the DUA Act introduces a new Article 47B UK GDPR, which empowers the Secretary of State to formally approve alternative transfer mechanisms beyond standard contractual clauses (SCCs) or binding corporate rules (BCRs) as providing appropriate safeguards. These mechanisms may include sector-specific codes of conduct, certification schemes, or other instruments, and may bypass existing EU templates entirely. This raises the possibility of divergence in contract drafting, legal interpretations, and enforcement standards for data exporters operating across both UK and EU jurisdictions.
Expanded use of derogations under Article 49: The DUA Act also amends Article 49 to ease reliance on derogations for specific situations, including the “compelling legitimate interests” ground. The Act relaxes prescriptive safeguards provided that such reliance is properly documented and justified.
Divergence
The UK has shifted from the systemic adequacy model used in the EU (and confirmed in Schrems II) to a risk-based, contextual model grounded in material harm to data subjects. This divergence lowers the adequacy bar for lawful transfers from the UK and could create operational divergence for organisations managing dual EU–UK compliance regimes.
ICO commentary
The ICO cautiously welcomed the new framework, stating that the DUA Act “enables the UK to make adequacy decisions and recognise appropriate safeguards in a more risk-based and proportionate way.” However, it emphasised that data exporters must still demonstrate accountability and implement appropriate safeguards tailored to specific transfer risks. The ICO has not provided formal guidance on what breaches the “not material harm” threshold but is expected to issue revised guidance for TRAs under the DUA Act standard. The ICO also plans to publish updated guidance to reflect changes in the rules around Codes of Conduct in Autumn 2025.
Recommendations
- Identify all international transfers relying on SCCs, BCRs, or UK adequacy decisions.
- Assess which transfers may benefit from the DUA Act’s more flexible standards.
- Review and update UK-specific Transfer Risk Assessments (TRAs) to reflect the amended “not materially lower” threshold.
- Consider whether maintaining GDPR standards remains preferable for particular transfers, especially where the data relates to EU residents or cross-border processing involves EU establishments.
- Maintain GDPR-based transfer impact assessments (TIAs) for EU personal data to ensure cross-jurisdictional compliance.
- Prepare UK-specific TRA templates and contractual addenda that reflect the new test for “not materially lower”, and include enhanced accountability documentation.
- Monitor the Secretary of State’s adequacy decisions for divergence risk, particularly in relation to onward transfers.
This article is part of a twelve-part series analysing the key legal reforms introduced by the Data Use and Access Act (DUA Act), which came into force on 19 June 2025. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are: 1. Recognised Legitimate Interests (RLIs)