Published on May 05, 2026
International data transfers have become one of the most technically demanding areas of UK and EU data protection law. For lawyers and compliance professionals, the post-Brexit landscape is no longer a matter of minor divergence.
With the UK's Data (Use and Access) Act 2025 (DUAA 2025), which received Royal Assent on 19 June 2025 and came into force on 5 February 2026, the compliance architecture has materially shifted.
The DUAA introduces a new data protection test for international transfers alongside the pre-existing International Data Transfer Agreement (IDTA) and ICO Addendum (both in force since 21 March 2022), while the EU continues to apply its Standard Contractual Clauses (SCCs) and Transfer Impact Assessment (TIA) framework shaped by Schrems II.
The consequences of getting it wrong are significant: regulatory investigations, administrative fines, contractual disputes, and operational disruption. Cross-border data flows now require precise legal mapping.
Since Brexit, organisations operating across the UK and EU must navigate two parallel regimes under the UK GDPR and the EU GDPR. While conceptually aligned, the mechanisms for international data transfers have increasingly diverged.
The EU relies on its 2021 Standard Contractual Clauses and the Transfer Impact Assessment (TIA), shaped by Schrems II jurisprudence. TIAs focus specifically on whether the laws of the importing country would permit government agencies access to personal data, requiring case-by-case assessment of third-country surveillance and redress mechanisms.
The UK has operated since March 2022 under the International Data Transfer Agreement and the ICO Addendum. The DUAA has now codified and reformed the underlying assessment framework through a new data protection test.
Under this test, organisations must assess whether the standard of protection in a third country is "not materially lower" than UK GDPR standards - replacing the previous "essentially equivalent" threshold. Critically, it remains unclear whether this represents a meaningfully lower (and therefore more permissive) standard than the EU's requirements.
The distinction is not cosmetic. Legal teams must determine, transaction by transaction, which regime applies - or whether both do. The DUAA also codifies the requirement to conduct a Transfer Risk Assessment (TRA) for transfers subject to appropriate safeguards, requiring organisations to meet the data protection test "reasonably and proportionately."
Schrems II fundamentally altered international transfer compliance by requiring case-by-case risk assessments. The EU TIA process demands granular evaluation of local laws, government access risks, and supplementary measures.
Under the DUAA, the UK has formalised its own Transfer Risk Assessment methodology through the data protection test. While similar in objective to the EU TIA, the analytical thresholds, legal standards ("not materially lower" vs "essentially equivalent"), and documentation expectations are not identical.
The UK TRA must be conducted "reasonably and proportionately" to demonstrate compliance with the data protection test. In the area of international transfers of business data, the ICO has also reformulated its guidance, including the creation of a new 3-step test. Knowing how to navigate this is now essential in this area of regulatory law.
Treating the UK and EU frameworks as interchangeable is a compliance error that could expose your organisation to regulatory action in both jurisdictions.
Territorial scope is frequently misunderstood. Controllers and processors must assess whether they are subject to the EU GDPR, the UK GDPR, or both, based on establishment and targeting criteria. This analysis determines whether EU SCCs, the IDTA, or the ICO Addendum governs the transfer.
Adequacy decisions further complicate the matrix. The EU and UK maintain separate adequacy frameworks, and divergence is likely to increase. The European Commission has confirmed the UK's adequacy decision is renewed until 2031, but there are differences in the third countries deemed adequate by the EU and the UK. A transfer permissible under one regime may require additional safeguards under the other.
While international transfers represent a critical element of the DUAA, the Act introduced significant reforms across multiple areas of UK data protection law that affect compliance strategies, including:
Data protection professionals must consider these changes holistically when assessing compliance obligations, particularly where international transfers interact with other processing activities. (We also offer training in these areas; see * below.)
International data transfers underpin cloud services, HR systems, SaaS platforms, and global operations. Every transfer must be defensible under the applicable regime.
Organisations that master both frameworks - EU SCCs and TIAs alongside UK IDTA and TRAs - can structure resilient, scalable compliance programs that withstand regulatory scrutiny.
Those that rely on legacy documentation or assume EU-UK equivalence risk enforcement action, contractual disputes and operational friction when transfers are challenged.
For lawyers and data protection professionals, technical precision in international data transfer strategy is no longer optional. It is central to maintaining lawful, uninterrupted global business in an environment where UK and EU requirements continue to diverge.
Join expert trainer Mark Weston on his course Implementing International Data Transfers: Adequacy, Safeguards (BCRs, IDTA, SCCs) and Derogations – Updated for DUAA 2025 to get fully up to speed with the latest developments.
* We also offer training courses on these areas:
· The New UK Data (Use and Access) Act
· GDPR Compliance, Hot Topics (Including the New Data (Use and Access) Act) and Focus on DSARs
· GDPR Masterclass: Data Processing, Data Sharing and Managing Data Breaches
Published on May 05, 2026 by Angela Spall