UK Trends and Developments Contributed by: Alison Beal, Joel Harrison and Michelle Kirschner, Gibson, Dunn & Crutcher LLP
priorities, including privacy, data localisation, govern - ment oversight and data-driven growth. In the UK, the Data (Use and Access) Act 2025 (DUAA), which modernises the UK’s data protection and e-pri - vacy regimes, received Royal Assent on 19 June 2025. The DUAA amends the UK General Data Protection Regulation, the Data Protection Act 2018 and the Pri - vacy and Electronic Communications (EC Directive) Regulations 2003, including reforms to international data transfers. These changes to the international data transfer requirements are expected to take effect approximately six months after Royal Assent. The changes under the DUAA relating to international data transfers are intended to ease cross-border data flows and may therefore simplify this aspect of tech - nology and outsourcing transactions. Among other things, the DUAA replaces the UK’s reliance on ade - quacy decisions with a more flexible framework under which transfers to third countries may occur through “transfers approved by regulations” (with ongoing monitoring obligations for the Secretary of State). Under the DUAA, the Secretary of State may take into account any factor considered relevant, including the desirability of facilitating international transfers of per - sonal data, when approving a transfer. The Act also introduces a new – and arguably lower – data protec - tion test, requiring the Secretary of State to assess whether the level of protection in a third country is “not materially lower” than that provided under UK law. However, it remains to be seen whether these changes will, in practice, facilitate easier cross-border transfers.
While the DUAA aims to preserve the UK’s EU ade - quacy status, the EU’s adequacy decision on the UK regime is due for renewal on 27 December 2025. Any loss of adequacy would have material consequences for the transfer of personal data between the UK and EU, potentially necessitating the use of Standard Con - tractual Clauses or other transfer safeguards. Further, any UK organisation that is subject to EU GDPR will need to continue to comply with EU GDPR as well as the UK data protection laws. Elsewhere, data localisation remains a higher regula - tory priority. China’s Personal Information Protection Law and Saudi Arabia’s Personal Data Protection Law each impose varying degrees of restrictions or condi - tions on cross-border data transfers with the effect that certain data may need to remain within national borders. This complex landscape is driving organisations to adopt integrated data governance models. Contracts are evolving accordingly in cross-border technology and outsourcing relationships.
88 CHAMBERS.COM
Powered by FlippingBook