United Kingdom: Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025 including data transfers regulation enter into force

On 20 August 2025, the Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025 (S.I. 2025 No. 904 (C. 40)) enter into force, bringing into effect selected provisions of the Act, including section 72 on processing in reliance on relevant international law, with limited exceptions. Section 72 introduces a framework to regulate international transfers of personal data, enabling the Secretary of State to approve transfers through regulations assessed against the data protection standards of the recipient country, with such regulations subject to the negative resolution procedure. The provision establishes that transfers may only occur if justified by approved mechanisms, appropriate safeguards, or specified derogations, and requires that transferred data be protected to a level equivalent to UK data protection standards. The Secretary of State is also empowered to prescribe standard contractual clauses as safeguards and to determine when international transfers may be justified on grounds of substantial public interest. The regulations permit the amendment or revocation of approved transfer mechanisms in cases where the recipient jurisdiction no longer meets the required level of protection.