On 5 February 2026, the international-transfers provisions of the UK Data (Use and Access) Act 2025 (the DUA Act) came into force, replacing the EU GDPR's 'essentially equivalent' yardstick for restricted transfers with a lower threshold: that a destination country's protection must not be 'materially lower' than the UK's. Three weeks earlier — on 15 January 2026 — the Information Commissioner's Office restructured its international-transfer guidance around a cleaner three-step test, explicitly authorising risk-proportionate impact assessments calibrated to data volume and sensitivity. Together, the two moves complete a quiet but important pivot in Britain's cross-border data regime: away from formal GDPR mirroring and toward a substance-over-form, risk-based standard. Brussels has, for now, blessed it. On 19 December 2025 the European Commission renewed the UK's GDPR adequacy decision through 27 December 2031, accepting that the DUA Act does not, in operation, materially weaken protection for EU data subjects.
What actually changed
The DUA Act, which received Royal Assent on 19 June 2025, did not abolish UK GDPR. It rewrote Chapter V. The Secretary of State and exporters performing transfer risk assessments now apply a single 'data protection test': that the destination's framework is 'not materially lower' than UK GDPR standards. The change is more than semantic. Under 'essentially equivalent' — the language imposed by the Court of Justice of the EU in Schrems II (2020) and inherited in retained EU law — comparator regimes had to be measured clause-by-clause against the GDPR's text. 'Not materially lower' instead asks whether the substantive level of protection meets the floor in practice. The ICO's restructured guidance now expressly permits a lighter-touch approach for lower volumes or lower-risk data types.
For UK exporters — and for receiving countries in Africa, Latin America and the Indo-Pacific that operate functional data-protection regimes without replicating every GDPR formality — the practical effect is to make the adequacy and safeguards routes navigable without GDPR maximalism. The DUA Act also empowers the Secretary of State to make case-by-case adequacy regulations that explicitly weigh the benefits of the transfer — an evidence-based mandate the EU framework lacks.
The steelman for going slower
Civil-society critics are not wrong that the reforms carry real risks. The European Data Protection Board's Opinion 26/2025, adopted on 20 October 2025, welcomed continuing alignment but flagged specific concerns: that the new test lacks express safeguards around government access, individual redress and supervisory-authority independence; that new Secretary-of-State powers to modify transfer rules and ICO structure invite political capture; and that UK Technical Capability Notices — which can compel providers to compromise encryption — create systemic risk for data flowing back to the EU. EFF and 18 partner organisations made a related, broader argument in a 5 May 2026 letter to UK policymakers, warning that fragmented online-harms statutes and digital-ID schemes risk eroding the open internet the data-protection framework is meant to serve.
These are serious arguments. A 'not materially lower' test is harder to litigate than 'essentially equivalent': the former requires courts to weigh substance; the latter offered text comparison. The DUA Act's monitoring of adequate countries is also continuous rather than fixed — more responsive in principle, but more politically negotiable in practice. If British ministers used the new powers to green-light transfers to regimes with sweeping state-access laws, the EDPB's warnings could be vindicated.
Why proportionate divergence is the right bet
The strongest case for the UK approach is not ideological — it is empirical. The European Commission's own 2024 modelling pegged the UK's share of European cloud-based data flows at roughly €22 billion in annual value, a figure that depends on uninterrupted transfers in both directions. Disruption to those flows — the scenario presented by a failed adequacy review — would impose costs wildly disproportionate to any marginal gain in formal alignment. Adequacy renewal through 2031 averts that cliff while granting UK regulators flexibility to update guidance as the digital economy evolves.
Substantively, the reforms do not weaken core protections. The DUA Act retains UK GDPR's lawful-basis architecture, rights of access and rectification, supervisory independence (with structural changes to the ICO the government argues improve, not diminish, its capacity), and remedies. What changed is the standard by which third-country regimes are tested — and that standard now better matches how regulators from Tokyo to Brasília actually deliver protection: through enforcement, oversight and redress, not textual symmetry with Brussels.
The Commission's December renewal vindicates this approach. So does the ICO's January guidance, which converts the new test into a workable three-step framework for businesses without softening enforcement against substantively inadequate transfers. The pragmatic test will be whether ministerial adequacy decisions over the next six years follow the evidence base the DUA Act invites, or are used to shortcut diligence on countries with genuine government-access concerns. If the former, 'not materially lower' will mature into a genuinely modern transfer standard that other middle-power democracies can adopt. If the latter, the next adequacy review in 2031 will be a harder one to win.
For now, the right verdict is this: Britain bet that proportionate, risk-based divergence would preserve adequacy and unlock evidence-led extensions to new partners. Brussels' renewal — and the ICO's discipline in operationalising the new test — suggests the bet has paid off.