
23 Jan 2026
Neil Jennings
Transferring data is inherently risky. EU and UK privacy laws don’t require your business to be omniscient. But if your position isn’t defensible, you’re bang in trouble.
As attention shifts toward AI governance, it is easy to treat existing data protection obligations as settled or secondary. Or to simply forget that they exist in the first place. In practice, those obligations help shape where and how AI systems can be built, trained, and deployed. But beyond that, international data transfers are one of those boring, procedural issues that can become big problems if not handled correctly.
What’s the starting point?
Both EU and UK GDPR regulate transfers of personal data to third countries, requiring a lawful transfer basis where such transfers occur. This sounds technical, but it isn’t. The only technical piece is using the right documents at the right time.
This comes from Articles 45 and 46 of the EU & UK GDPR, which require either:
The GDPR framework
Pre-Brexit, the UK was part of the EU. They shared the same rules. Post-Brexit, UK and EU GDPR essentially do the same thing, especially when it comes to international transfers of personal data. However, since the UK enacted the Data (Use & Access) Act (DUAA) in 2025, and the ICO updated its guidance in January 2026, there are a few minor differences, which I explain briefly below. But overall, the UK and EU data protection obligations for international transfers of personal data remain very much aligned.
Art. 45 GDPR permits international transfers of personal data on the grounds of ‘adequacy’. Where a country meets the adequacy requirement, there are no other justifications or protection mechanisms required. This doesn’t mean it can be done blindly, as you will see in countries like the US and Canada.
Where a country does not have an adequacy decision, Art. 46 kicks in. In this case, the transferring entity must ensure the transfer is performed under an appropriately protective transfer mechanism. This typically involves appropriate safeguards such as the Standard Contractual Clauses or, in some intra-group contexts, Binding Corporate Rules. Where Art. 46 safeguards are relied upon, organisations are expected to consider whether those safeguards are effective in light of the destination’s legal environment, often documented through a Transfer Impact Assessment, although this is not expressly set out in the legislation.
Crucially, in both cases, an overarching Data Processing Agreement (DPA) is required by Art. 28 to govern how data is actually processed. But it is separate from the transfer conditions.
Post-Brexit and post-DUAA, the UK has the following idiosyncrasies:
If we look at some of the key data locations, we can see just how different Arts. 45 and 46 play out.
1) Adequacy, with no additional safeguards
Countries like Israel, Uruguay, South Korea and New Zealand benefit from adequacy without additional safeguards. No specific mechanism, no absolute requirement to undertake a complex risk assessment. Of course, it’s important to be able to explain decisions, so proper record keeping is a no-brainer. Once the lawful transfer basis is established, processing still needs to be governed by a DPA.
And for completeness, the UK has adequacy in the EU, and the EU is considered substantially similar in the UK.
2) Adequacy, based on law
Canada does benefit from an adequacy decision under Art. 45 in both the UK and EU, although this is limited to organisations subject to federal privacy law, PIPEDA. While PIPEDA is not always effective, it does govern international or interprovincial commercial data transfers. Importantly, you should double-check the position where the data is health data or other public sector data. Where PIPEDA applies (frequently), the transfer is treated the same as above. It does not require any specific mechanism to be used. The main obligation does not relate to justifying the transfer; it is that the transferring organisation must ensure processing is undertaken appropriately by way of a data processing agreement or similar document.
3) Adequacy based on procedure
The USA is similar to Canada, but presents a slightly different model. Instead of being based on law, adequacy exists only when the recipient has actively opted into the Data Privacy Framework and remains in good standing. In practice, the adequacy position depends on whether the recipient is self-certified under the EU and UK frameworks. Where that procedural commitment is absent, organisations fall back on Art. 46 safeguards. The same destination produces different compliance outcomes depending on the posture chosen.
4) No adequacy
Australia illustrates contractual adequacy most clearly. Despite strong privacy protections, no adequacy decision applies either in the EU or UK. Transfers therefore rely on contractual mechanisms, such as the SCCs or, for UK exporters, the IDTA. In these cases, responsibility is not displaced to a jurisdictional finding, but retained by the exporter through assessment and documentation.
What’s the moral of this story?
Despite differences in language and instruments, EU and UK transfer regimes continue to operate on the same structural assumptions: that cross-border data flows are permissible where the risk they introduce is consciously accepted and appropriately safeguarded. International data transfer rules are technical and procedural, but they are also a key area where accountability and explainability are scrutinised, and it’s really obvious to the regulators if something is lacking! None of this requires organisations to achieve perfect visibility or to map every downstream system; it requires them to understand, and be able to articulate, the position they have chosen to take.
Data breaches can still happen, no matter what mechanisms or DPA provisions are in place. Adequacy decisions and contractual safeguards don’t eliminate risk. But they do allocate it. And that is exactly what matters at the human level. As data flows become more complex and increasingly mediated by AI systems and automated agents, the ability to explain where data goes and why particular transfer postures have been chosen becomes more, not less, important.
EU and UK GDPR are pragmatic enough not to mandate perfection. But you can’t claim the dog ate your homework either. At a minimum, organisations need a defensible assessment, an appropriate transfer mechanism, suitable governing documentation, and records that support the position taken.
Get in touch to talk about AI governance, compliance and risk management solutions!