United Kingdom: Data (Use and Access) Act including data transfers regulation enters into force

On 5 February 2026, the data transfer provisions in the Data (Use and Access) Act enter fully into force, as provided for in the Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026. The newly effective provisions amend the data transfer framework of the UK GDPR, establishing that transfers can only occur if they meet specific conditions, such as approval by regulations, appropriate safeguards, or derogations for specific situations. The amendment fully replaces the system of adequacy decisions with regulations issued by the Secretary of State, who is responsible for approving transfers based on the data protection standards of the receiving entity, with regulations subject to the negative resolution procedure. Transfers must ensure the protection of data to a level equivalent to UK laws, and if these standards decline, regulations may be amended or revoked. The Secretary of State can also specify standard clauses for safeguards and determine when transfers are necessary for the public interest.