United Kingdom: Data (Use and Access) Bill including data transfers regulation was passed by House of Lords (Bill 40 of 2024–25)

On 5 February 2025, the Data (Use and Access) Bill was passed by the House of Lords. The Bill introduces a framework to regulate the access, sharing, and protection of customer and business data across various sectors. The Bill amends the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) regarding international transfers of personal data to third countries and international organisations. The Bill specifies that transfers can only occur if they meet specific conditions, such as approval by regulations, appropriate safeguards, or derogations for specific situations. The Secretary of State is responsible for approving transfers based on the data protection standards of the receiving entity, with regulations subject to the negative resolution procedure. Transfers must ensure the protection of data to a level equivalent to UK laws, and if this standard declines, regulations may be amended or revoked. The Secretary of State can also specify standard clauses for safeguards and determine when transfers are necessary for the public interest. The Bill also outlines measures for transfers in the context of law enforcement and joint investigations.