Note: Where “GDPR” appears unqualified below, it refers to both regimes as a shared regulatory heritage; UK GDPR and EU GDPR are distinguished where the divergence is material.

UK/EU Data Protection Divergence
Managing compliance across the diverging UK and EU data protection regimes
Navigating the growing gap between UK GDPR and EU GDPR
UK/EU data protection divergence is reshaping how multinational organisations manage personal data compliance. Since the Data (Use and Access) Act 2025 (DUAA) came into force in February 2026, the UK GDPR has diverged materially from the EU regime on recognised legitimate interests, automated decision-making, data subject access requests and international transfers. This creates a dual compliance obligation for any organisation processing personal data in both jurisdictions. For many, the temptation is to apply the more relaxed UK standard across the board. That approach fails because the divergence does not deregulate the processing of EU personal data. Organisations must instead map processing activities by jurisdiction and build dual-compliant frameworks that satisfy both standards without unnecessary duplication. We advise organisations on the practical architecture of multi-jurisdiction compliance.
AI is one of the most material divergence points. The EU AI Act applies extraterritorially to UK providers and deployers, while the UK has taken a sector-led approach. For the wider UK position, see our hub post on UK AI Regulation: What the Law Actually Says.
When divergence becomes a compliance problem
Organisations processing personal data in both the UK and EU must now apply different legal tests to the same processing activities. This is especially acute for UK companies selling into the EU single market, EU-headquartered groups with UK operations or subsidiaries, and any entity undertaking corporate restructuring post-Brexit where processing has not yet been formally re-architected along jurisdictional lines. The divergence also bites during M&A where the target has dual-jurisdiction data flows, or where privacy programme teams have maintained a single global compliance framework in the hope that a single set of controls satisfies both regimes. It does not. An organisation might legitimately process employee data under the recognised legitimate interest basis in the UK but must fall back on a different Article 6 basis for equivalent EU processing. A fintech might operate automated decision-making (ADM) for creditworthiness assessment in the UK under permission-based rules but faces the EU GDPR’s sterner restrictions. These misalignments are not edge cases. They affect mainstream operations for any business with a material EU market or EU workforce.
Why divergence matters now
The DUAA 2025 creates material differences that organisations consistently misunderstand. Article 6(1)(ea) introduces recognised legitimate interests as a seventh lawful basis in the UK, with no requirement for a balancing test against data subject rights and freedoms. The EU has no equivalent. For organisations, this feels like a deregulation opportunity. It is not. Any processing of EU personal data must still meet EU GDPR Article 6, which permits legitimate interests only after conducting a Legitimate Interests Assessment and a careful balancing of organisational interests against individual rights. A UK organisation cannot simply avoid the LIA by treating EU data subjects’ information under the recognised legitimate interest framework. The divergence creates two separate compliance obligations, not a tiering of requirements.
The DUAA also relaxed the rules on automated decision-making. Article 22B UK GDPR flips the EU model from prohibition to permission. The EU GDPR prohibits decision-making “solely” on automated processing of personal data where the decision has legal or similarly significant effects unless the data subject has given consent, a contract exists, or law requires or authorises the processing. The UK instead permits ADM for non-special category data provided the controller has implemented adequate safeguards, even without consent or contractual necessity. This is a core structural difference. An algorithm for customer segmentation that complies with UK rules may violate EU GDPR Article 22 if it produces meaningful effects for EU data subjects without explicit consent or contractual justification.
International transfer standards have also shifted. The UK’s “not materially lower” test under the DUAA differs from the EU’s “essentially equivalent” standard for adequacy assessment. The UK test is intentionally less onerous. Where a third country’s data protection regime meets the UK threshold, an organisation can transfer data there under UK law. The same transfer might fail the EU GDPR’s sterner “essentially equivalent” test. This creates operational tension. An organisation cannot protect EU data by reference to a UK adequacy decision if the EU Commission has not granted equivalent adequacy to the recipient country.
Data subject access rights also diverge. The UK GDPR now permits controllers to limit the scope of a DSAR to information discoverable “based on a reasonable and proportionate search”. The EU GDPR contains no such statutory limit. The European Data Protection Board’s guidance suggests that reasonableness and proportionality do not excuse elaborate searching; controllers must disclose all responsive data. UK courts have begun to accept the inverse: controllers need not “leave no stone unturned”. For organisations managing dual-jurisdiction DIP and potential litigation disclosure, this creates an asymmetry. A UK-based disclosure may satisfy UK standards but fall short of EU expectations.
The EU Commission renewed UK adequacy decisions in December 2025, valid until December 2031. However, the EDPB’s opinions flagged continued divergence as a future risk factor. Should the UK depart further from EU standards, a future adequacy review could be jeopardised. Organisations should not assume perpetual stability. The adequacy renewal is a six-year reprieve conditional on the UK not diverging so sharply as to undermine adequacy. The DUAA changes passed that test. Further changes might not.
Where organisations misread the divergence
The most common failure is assuming that UK adequacy means the rules are the same. They are not. Adequacy means the EU considers the UK’s overall protective framework sufficiently equivalent to allow free data flows. It does not mean that every UK legal rule mirrors its EU counterpart. Organisations applying UK-only standards to EU personal data processing are exposed. A second failure is conflating the UK regime with exemption from compliance. The DUAA did not deregulate data protection. It created permission-based pathways where the EU retains prohibition. Permission means the processing is lawful if conditions are met. It does not mean there are no conditions.
A third failure is poor record-keeping around which jurisdiction applies to which processing. Many organisations maintain unified records of processing activity without jurisdictional tags. This makes it impossible to apply the right legal test. An RPA tool that processes employment data for UK and EU payroll cannot use a single LIA that relies on UK recognised legitimate interests. The LIA must be split by jurisdiction, with EU personal data assessed against EU balancing standards and UK data assessed against either the traditional balancing test or the recognised legitimate interests basis.
Privacy notices that reference “GDPR” without specifying which regime create a fourth failure point. A notice that states “we rely on legitimate interests” is ambiguous in a dual-jurisdiction context. Does the organisation intend to rely on the recognised legitimate interest basis (UK only) or the standard balancing-based legitimate interests test (EU and UK alternative)? The notice must be clear. A fifth failure is drafting controller-to-processor agreements without specifying the governing data protection regime. A DPA may state that the processor will comply with “applicable GDPR”. If processing is dual-jurisdiction, this is incomplete. The agreement must identify which processing activities fall under which regime and what compliance obligations attach.
A sixth failure is LIAs that rely on UK recognised legitimate interests for EU processing. The recognised legitimate interests listed in Annex 1 to the UK GDPR (public administration, security, prevention of financial crime, and similar) may feel applicable to an EU use case. They are not. An EU-facing LIA must be built on the standard balancing framework, regardless of whether the same processing is permitted under UK recognised legitimate interests for equivalent UK data.
What dual compliance looks like in practice
Bratby Law’s approach to multi-jurisdiction compliance begins with a clear map of processing activities by jurisdiction. For each processing operation, we identify the legal basis (or bases) available in each jurisdiction and flag where the UK and EU standards diverge. We then build compliance frameworks that satisfy both regimes without unnecessary duplication. This might mean two separate LIAs for a single processing activity if the UK DUAA recognised legitimate interests basis cannot be used for EU data. It might mean a single control architecture for ADM that implements both the UK safeguard framework and the EU’s stricter consent or contractual-necessity rules. The goal is justified duplication where necessary and ruthless elimination of wasteful documentation.
For corporate structures, we advise on whether processing should be architecturally separated by jurisdiction (UK controller handling UK data, EU controller handling EU data), combined under a single controller with dual-regime compliance matrices, or handled through a data processor model where responsibility is formally allocated. Each structure carries different compliance costs and operational friction. We help clients choose the structure that minimises both. For international transfers, we map the transfer mechanism (adequacy decision, contractual safeguards, binding corporate rules) against both the UK “not materially lower” test and the EU “essentially equivalent” standard. A transfer that relies on EU adequacy but not UK adequacy creates exposure if the organisation later needs to justify the transfer under UK law.
We also advise on practical compliance tools. Unified RPA processing may require dual coding to separate UK and EU processing. Consent management platforms must distinguish between UK and EU data subjects and apply jurisdiction-specific consent requirements. Privacy impact assessments should include a jurisdictional matrix identifying where standards diverge and how risks are mitigated. Incident response procedures should account for different notification and investigation timelines between the UK and EU.
When to instruct specialist divergence advice
Internal compliance teams typically manage day-to-day compliance under a single regime without difficulty. Specialist divergence advice is most valuable in five circumstances. First, where DUAA 2025 implementation is underway and the organisation operates across both jurisdictions. Second, where corporate restructuring post-Brexit has created dual-jurisdiction processing without formal legal separation. Third, where an adequacy risk assessment is needed (for instance, ahead of a financing round or M&A) and the lender or acquirer has asked about divergence. Fourth, where international transfer mechanisms are under review and the organisation needs to satisfy both UK and EU standards simultaneously. Fifth, where transaction structure is being negotiated and divergence affects deal shape or representations.
Frequently asked questions about UK/EU data protection divergence
Does the EU adequacy decision mean UK and EU rules are now the same?
No. Adequacy is not equivalence. The EU’s renewal of UK adequacy decisions in December 2025 (valid until December 2031) confirms that the UK’s overall protective framework is sufficiently strong to permit data flows. It does not mean individual UK rules mirror EU rules. The DUAA created material divergences on recognised legitimate interests, automated decision-making, DSAR scope and international transfer standards. Organisations must apply both standards simultaneously for dual-jurisdiction processing.
Can we rely on the recognised legitimate interest basis for EU data subjects?
No. The recognised legitimate interest basis (Article 6(1)(ea) UK GDPR) applies only to UK data. For EU personal data, you must use one of the six standard Article 6 bases and, if relying on standard legitimate interests (Article 6(1)(f) EU GDPR), conduct a full Legitimate Interests Assessment with balancing. The recognised legitimate interests list provides no shortcut for EU processing.
Does the UK’s ADM regime work for EU data subjects?
No. The DUAA’s permission-based approach to automated decision-making (Articles 22A to 22D) applies to UK processing. For EU data, Article 22 EU GDPR retains the prohibition-plus-exceptions model. If your ADM has legal or similarly significant effects on an EU data subject, you need consent, a contractual necessity, or a law-based justification. Permission-based safeguards alone are insufficient.
How does the “not materially lower” standard work for international transfers?
The UK’s “not materially lower” test is intentionally less onerous than the EU’s “essentially equivalent” standard. A third country may meet the UK threshold without meeting the EU threshold. Where you transfer data outside both jurisdictions, you must satisfy both tests. A UK-only adequacy assessment is insufficient if the organisation also processes EU personal data. Build your transfer architecture to satisfy the stricter EU standard where dual-jurisdiction processing is involved.
What should our privacy notice say about divergence?
Clearly identify which regime applies to which data. A notice that states “we rely on legitimate interests” is ambiguous in a dual-jurisdiction context. Instead, specify: “For UK personal data, we rely on legitimate interests” (and note the recognised legitimate interests basis if applicable). “For EU personal data, we rely on the balancing-based legitimate interests basis under Article 6(1)(f) EU GDPR.” Clarity reduces enforcement risk from both the ICO and supervisory authorities.
When should we split our processing into separate UK and EU systems?
Only when necessary. Architectural separation (UK controller, EU controller) is expensive and operationally complex. Instead, maintain unified processing with dual-compliance matrices. Separate systems are justified where: processing differs fundamentally by jurisdiction; audit and control segregation is required by group governance or M&A; or transfer mechanisms are materially different. For most organisations, a single processing operation with dual-regime documentation is more efficient.
Representative experience
Recent and representative matters include:
- Advised a global telecoms group on maintaining dual compliance with the UK GDPR and EU GDPR following the UK’s departure from the EU, including the restructuring of data processing agreements and transfer mechanisms.
- Prepared an impact assessment of the Data Use and Access Act 2025 reforms for a financial services client, identifying the practical divergences from the EU GDPR and the implications for the UK’s adequacy status.
- Advised on the risks to UK adequacy arising from proposed changes to the legitimate interests processing condition, including contingency planning for alternative transfer mechanisms.
- Reviewed a multinational’s privacy programme to ensure it addressed both UK and EU requirements, including the differences in regulatory guidance from the ICO and EU supervisory authorities.
- Advised a data-intensive business on the application of the UK’s reformed research processing provisions under the Data Use and Access Act 2025, assessing the scope of the new exemptions against the EU position.
Rob Bratby advises on the practical implications of UK-EU data protection divergence for businesses operating across both jurisdictions. Bratby Law is recognised by Lexology as a Global Elite Thought Leader for data protection.
Independent directory rankings
Our specialist expertise is recognised in major independent legal directories:
- Chambers & Partners: Rob Bratby is ranked as a band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category.
- The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms).
- Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data.