International Transfers of Personal Data - Update to EU Adequacy Decisions


Richard Meehan - Partner


Under the EU’s data protection regime, the European Commission is authorised to determine whether a country outside the EU, such as the UK, offers an adequate level of protection for personal data to allow the personal data of EU data subjects to be exported to that country without the use of additional measures between the organisations responsible for the transfer.

Since Brexit, the Commission has adopted two adequacy decisions for the UK, which have allowed for the free flow of personal data from the EU to the UK. 

These decisions were due to expire earlier this year, but the Commission has provided a six-month extension of the two decisions to allow the free flow of data with the UK to continue until 27 December 2025.

This extension was proposed to give time for the UK to finalise its new Data Bill. With this new bill now passed into law as the Data (Use and Access) Act 2025 (the DUA Act), the Commission is currently deciding whether to renew the UK adequacy decisions beyond 27 December 2025.

The news will be welcome to UK organisations which receive transfers of personal data from the EU. For UK organisations who make transfers of personal data outside the UK, it is the UK’s data protection regime that determines what measures need to be implemented to make such transfers. This article from our Technology Lawyers summarises key issues to consider before making an international transfer and describes some of the changes brought into effect through the DUA Act.


International transfers – how can personal data be transferred outside of the UK?

Mirroring the EU regime, the UK GDPR contains rules about the transfer of personal data from the UK to receivers located outside the UK.

These rules apply where the receiver and the sender of the data are controlling or processing the data separately, which will cover most data processing arrangements, including intra-group transfers.

A transfer of personal data to a receiver located outside the UK is known as a 'restricted transfer'. If you are looking to make a restricted transfer, you should ask yourself the following questions to determine if and how you are able to make this transfer.


Is the restricted transfer covered by ‘adequacy regulations’?

The restricted transfer will be automatically allowed if the receiver is in a country or territory covered by UK 'adequacy regulations'. An adequacy decision is made by the UK Government and confirms that the legal framework in the relevant territory has been assessed as providing ‘adequate’ protection for people’s rights and freedoms in respect of their personal data.

The list of approved countries for the UK currently includes, among others, the EU Member States, Iceland, Norway, Liechtenstein, Gibraltar, the Republic of Korea, Argentina, New Zealand, Switzerland and Uruguay.

Transfers to the USA are covered, but only if the data is transferred to an organisation which is certified under the UK Extension to the EU-US Data Privacy Framework. Partial findings of adequacy have also been made in respect of transfers to Canada and Japan, although, again, additional checks and assessments will need to be made in respect of transfers to such territories.


Is the restricted transfer covered by appropriate safeguards?

If there is no UK adequacy decision in place in the intended recipient territory, or if the organisation receiving the personal data does not participate in any required certification scheme, then the transfer may still be allowed subject to the use of 'appropriate safeguards'. The list of appropriate safeguards is set out in Article 46 of the UK GDPR.

These ensure that both the sender and receiver are legally required to protect people’s rights and freedoms in respect of their personal data. Before relying on any of these safeguards, a Transfer Risk Assessment must be undertaken to make sure the required level of protection will be provided for the people whose data is being transferred.

The safeguard mechanisms are that a restricted transfer can be made if:

  1. It is covered by a legal instrument between public authorities or bodies containing ‘appropriate safeguards’ (these must include enforceable rights and effective remedies for people whose personal data is transferred).
  2. UK Binding Corporate Rules are used to provide appropriate safeguards.
  3. The sender and receiver have entered into a contract incorporating standard data protection clauses recognised or issued in accordance with UK data protection law (being the International Data Transfer Agreement or the UK Addendum to the European Standard Contractual Clauses). This is the most common mechanism for making an international transfer between two businesses.
  4. The receiver has signed up to a code of conduct, which has been approved by the ICO and has appropriate safeguards to protect the rights of people whose personal data is transferred.
  5. The receiver has a certification under a certification scheme approved by the ICO and has appropriate safeguards.
  6. The sender and the receiver have entered into a bespoke contract governing a specific restricted transfer, and that contract has been individually authorised by the ICO for that restricted transfer.
  7. It is covered by an administrative arrangement between public authorities or bodies approved by the ICO and has appropriate safeguards.

 


Is the restricted transfer covered by an exception?

If a restricted transfer is not covered by UK adequacy regulations, it may be covered by one of the eight exceptions set out in Article 49 of the UK GDPR, which are as follows:

  1. Explicit consent has been given by the person whose data is being transferred.
  2. There is a contract in place with the person whose data is being transferred, and the restricted transfer is necessary so the obligations of the contract can be fulfilled.
  3. The restricted transfer is necessary in order to enter into a contract that benefits the person whose data is being transferred.
  4. The restricted transfer is necessary for important reasons of public interest.
  5. The restricted transfer is necessary to establish whether someone has a legal claim or defence.
  6. The restricted transfer is necessary to protect someone’s vital interests – this may or may not be the person whose data is being transferred. The person whose data is being transferred must be incapable of giving their consent to the restricted transfer.
  7. The restricted transfer is from a public register and meets the relevant legal requirements relating to access to that public register.
  8. The restricted transfer is a one-off transfer which is necessary to meet compelling legitimate interests.

For the exception to be deemed ‘necessary’ and proportionate, you must take into account the reason why the transfer is needed, any alternatives which are available, the protections which are in place and the potential harm to people. It is not enough to argue that the transfer is necessary because that is the way that your business operates.


Update: The Data (Use and Access) Act 2025

The DUA Act updates data protection laws in the UK and reforms how the UK manages non-personal and personal data. These changes will be phased in between June 2025 and June 2026.

International transfers of personal data will be affected as follows:

  • The standard of protection that is required for transfers to third countries and international organisations has been updated via a new data protection test, which requires the standard of protection in the recipient country to be “not materially lower” than the standard of protection provided under the UK GDPR and the DPA 2018.
  • Organisations are now formally required to satisfy the data protection test “reasonably and proportionately” by carrying out a risk assessment.
  • The schedule also outlines the factors that the Secretary of State must consider when deciding whether the data protection test is satisfied.
  • The Secretary of State also has a new power to recognise new transfer mechanisms (in addition to those set out above).
  • The review period for transfers approved by regulations has changed from four years to “ongoing monitoring”.


Conclusion

The EU and the UK are among the most digitally connected markets in the world, and maintaining the free flow of data in both directions is vital to many businesses.

The extension of the Commission’s adequacy decisions in relation to the UK (and their potential further extension beyond 27 December 2025), together with the reforms coming into place via the DUA Act, will assist with allowing data to continue to flow freely, while protecting data subjects’ rights in an increasingly connected world.


Need guidance on international data transfers?

With the EU’s adequacy decisions for the UK now extended and the Data (Use and Access) Act 2025 introducing new compliance requirements, it’s essential to ensure your organisation’s processes remain lawful and risk-free.

Our specialist data protection lawyers can help you review your transfer mechanisms, conduct transfer risk assessments, and navigate the evolving legal landscape with confidence.


Richard Meehan

Partner

Richard is a Partner in our Commercial Team and Head of the Life Sciences sector with over 13 years of experience acting as a Commercial solicitor. Richard has specialist expertise in the negotiation of commercial contracts relating to the supply and distribution of goods and services, the licensing of software, and intellectual property.
