Mills & Reeve logo in purple text with a purple tagline: Achieve more. Together.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.

Client extranet portal

Staff

Mills & Reeve system for employees.

Staff Login
05 Feb 2026
5 minutes read

What are the new rules on international data transfers?

After a few years where data protection laws in the United Kingdom were settled, the Data (Use and Access) Act 2025 (DUAA) is ushering in a period of change.

For those of you who have only just recovered from the GDPR, the news that data protection laws are changing again may not be entirely welcome.  

The good news is that many of the changes DUAA is bringing in are intended to make your life easier, rather than introducing complex new obligations and – while some things are changing – much remains the same.

This series of blogs from the IT & data team at Mills & Reeve aims to help you understand the impact that DUAA will have on established ways of doing things.

If you need a reminder about the meaning of some of the key data protection terminology used (eg personal data, data subject, data controller, processing), please refer to our glossary here.

In this article, we look at how DUAA changes the rules on international data transfers.

New rules on international data transfers

DUAA introduces targeted amendments to the current international transfer provisions with the key objective of simplifying outbound data transfers, reducing business compliance burdens, and giving the UK greater flexibility to recognise foreign data protection regimes.

The broad structure of existing international data transfer rules is retained but the reforms signal a more flexible, risk-based approach to international data flows.

Introduction of a data protection test for assessing international transfers

Under the pre‑DUAA regime, data exporters had two main routes to transfer personal data outside the UK:

  1. The third country is covered by a UK adequacy decision, which are countries approved by the UK government
  2. Appropriate safeguards (for example, an International Data Transfer Agreement or UK Addendum) with a transfer risk assessment

Transfers can also be made in limited circumstances when a derogation applies.

When relying on appropriate safeguards, UK data exporters must first conduct a transfer risk assessment. A key element of those risk assessments is ensuring that, post-transfer, the personal data would be protected in a way that is “essentially equivalent” to UK GDPR protections, which is a standard stemming from the Schrems II decision.

The DUAA retains the broad structure of the GDPR on cross-border transfers, which is that you first assess whether there is an applicable adequacy decision, then look to safeguards, and finally to derogations. However, the DUAA updates terminology within this structure to introduce a more flexible and risk-based approach of a “data protection test”. This test moves away from the strict “essential equivalence” requirement and is expected to make outbound transfers easier once implemented. The data protection test must be applied:

  1. When the Secretary of State is considering making an adequacy decision in respect of a third country or international organisation
  2. When an organisation is using a safeguard such as the IDTA or UK Addendum

The test will be met when the standard of protection provided for data subjects in the third country is “not materially lower” than the equivalent data protection standard in the UK. Accordingly, a third country’s data protection regime no longer needs to replicate the UK GDPR in structure or substance; it simply must not fall materially below the level of protection required under UK law.

The factors to be considered by the Secretary of State when making an adequacy decision are more flexible than those in the EU GDPR. They cover respect for the rule of law and human rights; existence and powers of an enforcement authority; redress for data subjects; onward transfer rules; relevant international obligations; and the constitution, traditions and culture of the country. In addition, the new legislation expressly includes the desirability of transfers of data to and from the UK as one of the factors that the Secretary of State may have regard to.

In relation to the data protection test that data exporters must apply when using a safeguard, the DUAA says that transfers can take place so long as the data exporter, “acting reasonably and proportionately”, considers the data protection test is met. When considering what is reasonable and proportionate, the legislation notes that a data exporter may consider the nature and volume of data transferred, suggesting that a lighter touch approach is permitted for lower volumes or lower risk types of data.

What this means in practice

The changes will allow the Secretary of State to apply less rigid threshold when determining whether a third country provides adequate protection.

Organisations may also be able to streamline their transfer risk processes for low-risk data transfers, reducing the administrative burden for routine cross‑border transfers.

Commencement

These provisions come into force on 5 February 2026.

How you can prepare

Where you already have international data transfer mechanisms in place - such as the IDTA or the UK Addendum - no updates are required because of the DUAA, provided those mechanisms are already compliant with the UK GDPR.

  • Where you are conducting transfer risk assessments to comply with UK GDPR, you should consider whether your processes will need to be updated to reflect the new data protection test in preparation for the commencement of these provisions.
  • Monitor any decisions made by the Secretary of State post-commencement in relation to adequacy decisions.
  • Monitor any guidance issued by the Information Commission and consider any changes that may be needed to your internal policies and procedures for international data transfers as a result.

Final thoughts

It is not yet clear the extent to which the “not materially lower” standard will be applied differently in practice from “essentially equivalent” standard under the current regime. The DUAA does not provide a definition of “material”, so interpretation of this will depend on guidance from the newly formed Information Commission and the UK courts, as well as the approach adopted by the Secretary of State in respect of adequacy decisions.

In practice, the standard of making international transfers is likely to be slightly lower and more pragmatic for organisations than was the case in the pre-DUAA regime, which will be a welcome change for organisations wanting personal data to flow more easily from the UK to other countries.

 

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.