UK/EU Data Protection Divergence

Navigating the growing gap between UK GDPR and EU GDPR

UK and EU data protection law are diverging. Since Brexit, the UK has retained the EU GDPR as the UK GDPR, but legislative reform through the Data (Use and Access) Act 2025 (DUAA) is creating material differences between the two regimes. Bratby Law advises organisations that process personal data across both jurisdictions on compliance with both frameworks, the practical implications of data protection divergence, and strategies for maintaining dual compliance efficiently.

The starting point: shared origins, separate paths

The UK GDPR is a retained version of Regulation (EU) 2016/679, incorporated into domestic law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. The Data (Use and Access) Act 2025 introduces further UK-specific amendments, including reforms to legitimate interests processing, changes to the research processing exemption, and modifications to the ICO’s enforcement and governance structure. These changes create a growing divergence between the UK and EU regimes that affects any organisation processing personal data across both jurisdictions.

Legislative activity on both sides is now widening that data protection divergence. The UK’s DUAA, which received Royal Assent in November 2025, amends the UK GDPR in several areas. The EU has introduced its own changes through the Data Act (Regulation (EU) 2023/2854) and the AI Act (Regulation (EU) 2024/1689), which interact with GDPR obligations in ways that have no UK equivalent. Understanding where the regimes now differ, and where they may further diverge, is essential for organisations operating across both jurisdictions.

Key areas of UK/EU data protection divergence

Lawful basis and legitimate interests

The DUAA introduces a new “recognised legitimate interest” basis under Article 6 of the UK GDPR, allowing the Secretary of State to specify processing activities that qualify as legitimate interests without requiring the controller to conduct a balancing test. The initial list is expected to include processing for national security, public safety, and certain business-to-business activities. The EU GDPR retains the existing legitimate interest framework under Article 6(1)(f), which requires a case-by-case balancing test for every reliance on legitimate interests. This divergence means that UK controllers may process certain data under a streamlined basis that would still require full balancing under EU law.

Automated decision-making and AI

The DUAA replaces Article 22 of the UK GDPR (which restricts solely automated decision-making with legal or similarly significant effects) with a new framework focused on “meaningful human involvement”. The test shifts from whether a decision is “solely” automated to whether there is meaningful human review at a relevant point. The EU retains Article 22 in its original form. Additionally, the EU AI Act imposes risk-based obligations on AI systems that interact with GDPR requirements, including mandatory fundamental rights impact assessments for high-risk systems. The UK has no equivalent AI-specific legislation, relying instead on existing regulators to apply sectoral frameworks. See our AI and Automated Decision-Making page for detailed guidance.

International data transfers

The UK and EU transfer mechanisms are diverging in structure and scope. The UK has adopted its own International Data Transfer Agreement (IDTA) and UK Addendum to the EU Standard Contractual Clauses, replacing the EU SCCs for transfers from the UK. The DUAA further reforms the UK transfer framework by replacing the “essentially equivalent” adequacy standard with a new “data protection test” that focuses on whether the receiving country provides adequate protection in practice, considering all relevant circumstances including supplementary measures. The EU retains the existing Article 45/46 framework, with the CJEU’s Schrems II requirements for transfer impact assessments remaining in force.

Accountability and DPIAs

The DUAA modifies the UK GDPR accountability framework. It gives the Secretary of State power to specify when a data protection impact assessment is or is not required, supplementing the existing Article 35 threshold. It also removes the requirement for organisations to maintain a specific record of processing activities (ROPA) under Article 30, replacing it with a broader obligation to maintain appropriate records as part of general accountability. The EU GDPR retains both the ROPA and DPIA requirements in their original form.

Research and statistical processing

The DUAA introduces a broader definition of scientific research for the purposes of the UK GDPR research exemptions, and creates new provisions for processing personal data for the purpose of developing and testing innovative products and services. These provisions have no direct equivalent under the EU GDPR, where the Article 89 research framework remains unchanged. Organisations conducting cross-border research must assess whether processing that qualifies for UK research exemptions also satisfies EU requirements.

ePrivacy and PECR

The UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) implement the 2002 EU ePrivacy Directive. The EU has been working on an ePrivacy Regulation to replace the Directive since 2017, though progress has been slow. If the ePrivacy Regulation is adopted, it will create a significant divergence: the EU will have a directly applicable regulation covering cookies, direct marketing, communications metadata and confidentiality of communications, while the UK will retain PECR in its current form.

The DUAA does not amend PECR, but the UK government has signalled interest in reforming cookie consent rules and direct marketing regulations separately. Any UK reform of PECR that creates further data protection divergence from the EU ePrivacy framework could affect the UK adequacy decision, since ePrivacy rules form part of the overall assessment of UK data protection standards. Organisations operating direct marketing or digital advertising across both jurisdictions should monitor both the EU ePrivacy Regulation and any UK PECR reform proposals. See our dedicated Privacy and Electronic Communications (PECR) page for detailed guidance on the current UK regime.

The UK adequacy decision

The European Commission adopted its original UK adequacy decision in June 2021 under Article 45(3) of the EU GDPR, with an initial sunset clause of four years. In December 2025, the Commission renewed the adequacy decision for a further six years, extending it to December 2031. The renewal confirmed that the UK continues to provide an essentially equivalent level of data protection despite legislative changes including the DUAA. However, the Commission noted that it will continue to monitor UK developments and may review or suspend the decision if material data protection divergence undermines the level of protection.

The adequacy decision is critical for data flows. While it remains in force, personal data can flow freely from the EU/EEA to the UK without additional safeguards. If the decision were suspended or revoked, organisations would need to implement alternative transfer mechanisms (SCCs, binding corporate rules, or derogations under Article 49) for every EU-to-UK data flow. The December 2025 renewal reduces this risk for the medium term, but organisations with significant EU-UK data flows should maintain contingency plans.

UK third country adequacy decisions

The UK now makes its own adequacy decisions independently of the EU. The Secretary of State may recognise a third country as providing adequate data protection under Article 45 of the UK GDPR. The UK has so far recognised all countries that held EU adequacy before Brexit, and has added new adequacy regulations for countries assessed under its own framework. The DUAA replaces the “essentially equivalent” standard with a new “data protection test” that considers the overall level of protection in the receiving country, including supplementary measures and practical enforcement.

The US: diverging UK and EU approaches

The treatment of US data transfers illustrates the divergence in approach. The EU adopted an adequacy decision for the US under the EU-US Data Privacy Framework (DPF) in July 2023, following the Schrems II invalidation of the Privacy Shield. The UK adopted the UK Extension to the EU-US DPF in October 2023, creating a parallel adequacy bridge for transfers from the UK to certified US organisations. Both frameworks rely on Executive Order 14086, which introduced redress mechanisms and proportionality requirements for US intelligence agencies accessing personal data.

The risk of divergence here is real. The EU DPF adequacy decision faces potential legal challenge in the CJEU, and any future US administration could modify or revoke Executive Order 14086. If the EU DPF were invalidated by the CJEU (a “Schrems III” scenario), the UK would face a separate decision on whether to maintain its own US adequacy finding. The UK’s new “data protection test” under the DUAA gives the Secretary of State broader discretion than the EU’s “essentially equivalent” standard, meaning the UK could choose to maintain US adequacy even if the EU revokes its decision. This would create a significant divergence for organisations routing data flows through the UK to the US. Conversely, both frameworks could be destabilised simultaneously by changes to US domestic law or executive orders.

How Bratby Law advises on UK/EU data protection divergence

Our data protection practice advises organisations operating across the UK and EU on the practical implications of data protection divergence. Services include:

  • Dual compliance mapping: we identify where UK and EU requirements now differ and advise on whether a single compliance framework can satisfy both, or whether separate approaches are needed for specific processing activities
  • Transfer mechanism review: we assess existing data transfer arrangements (IDTAs, SCCs, BCRs) against both UK and EU requirements, and advise on updates needed to reflect the DUAA reforms and evolving EU guidance
  • Adequacy contingency planning: we help organisations prepare for the possibility of changes to the UK adequacy decision, including mapping data flows, identifying alternative transfer mechanisms, and building contractual safeguards
  • Lawful basis alignment: where the UK recognised legitimate interest framework diverges from EU legitimate interest requirements, we advise on maintaining consistent processing justifications across jurisdictions
  • AI and automated decision-making compliance: we advise on the different requirements for automated processing under the reformed UK Article 22, the unchanged EU Article 22, and the EU AI Act, particularly for organisations deploying AI systems across both jurisdictions
  • Regulatory engagement: we advise on interactions with both the ICO and EU supervisory authorities, including managing divergent regulatory expectations and responding to cross-border enforcement activity

Divergence in telecoms, payments, and technology

UK/EU data protection divergence has particular implications for the sectors where Bratby Law operates. Telecoms providers handling communications data across the UK and EU must comply with both the UK GDPR and EU GDPR, alongside the UK’s Privacy and Electronic Communications Regulations and, if adopted, the EU’s proposed ePrivacy Regulation. Payment service providers face overlapping requirements under data protection law and financial regulation, where the interaction between UK and EU rules is further complicated by the UK’s departure from the EU payments regulatory framework. Technology companies deploying AI products across both markets must reconcile the UK’s principles-based approach to AI governance with the EU AI Act’s prescriptive risk classification system.

Bratby Law’s cross-sector expertise in telecoms regulation, payments regulation, and data protection means we advise on the full regulatory picture, not just the data protection dimension of divergence. For organisations in these sectors, data protection divergence rarely exists in isolation from broader regulatory divergence.

Frequently asked questions about UK/EU data protection divergence

Is the UK GDPR still the same as the EU GDPR?

No. The UK GDPR started as a copy of the EU GDPR but has been amended by the Data (Use and Access) Act 2025. Key differences now include the recognised legitimate interest framework, the replacement of Article 22 on automated decision-making, changes to the international transfer adequacy standard, and the removal of the mandatory record of processing activities. Organisations operating in both jurisdictions need to understand and manage these differences.

Can we use a single privacy policy for UK and EU operations?

In many cases, yes, but the policy must accurately reflect both regimes. Where requirements differ, the policy should address both. For example, transparency information about automated decision-making must reflect the UK’s “meaningful human involvement” test and the EU’s Article 22 framework. Transfer disclosures must reference both UK and EU mechanisms. A single policy that defaults to the stricter standard often works, but must be reviewed as the regimes continue to diverge.

What happens if the UK adequacy decision is revoked?

If the European Commission revokes or suspends the UK adequacy decision, personal data transfers from the EU/EEA to the UK would require alternative safeguards under Article 46, such as Standard Contractual Clauses or binding corporate rules. The December 2025 renewal extends the decision to December 2031, but it remains subject to ongoing monitoring. Organisations with significant EU-to-UK data flows should maintain contingency transfer mechanisms and keep contractual frameworks current.

Does the EU AI Act apply to UK organisations?

The EU AI Act applies to providers who place AI systems on the EU market or whose AI systems produce outputs used in the EU, regardless of where the provider is established. UK-based organisations deploying AI products that are used by EU customers will need to comply with the AI Act’s requirements, including the risk classification system and conformity assessments for high-risk systems. The UK has no equivalent legislation, so UK-only deployments are governed by existing sectoral regulation and data protection law.

Do we need separate DPOs for UK and EU operations?

Not necessarily, but you need a representative in each jurisdiction if you do not have an establishment there. Under the UK GDPR, non-UK controllers processing UK residents’ data must appoint a UK representative. Under the EU GDPR, non-EU controllers must appoint an EU representative. A single DPO can cover both jurisdictions, but must be knowledgeable about both the UK and EU frameworks and accessible to both the ICO and the relevant EU supervisory authority.

Representative experience

Recent and representative matters include:

  • Advised a global telecoms group on maintaining dual compliance with the UK GDPR and EU GDPR following the UK’s departure from the EU, including the restructuring of data processing agreements and transfer mechanisms.
  • Prepared an impact assessment of the Data (Use and Access) Act 2025 reforms for a financial services client, identifying the practical divergences from the EU GDPR and the implications for the UK’s adequacy status.
  • Advised on the risks to UK adequacy arising from proposed changes to the legitimate interests processing condition, including contingency planning for alternative transfer mechanisms.
  • Reviewed a multinational’s privacy programme to ensure it addressed both UK and EU requirements, including the differences in regulatory guidance from the ICO and EU supervisory authorities.
  • Advised a data-intensive business on the application of the UK’s reformed research processing provisions under the Data (Use and Access) Act 2025, assessing the scope of the new exemptions against the EU position.
