The UK’s Data Gamble: Will the DUA Bill Cost It Its EU Adequacy Status?

The UK’s Data Gamble: Will the DUA Bill Cost It Its EU Adequacy Status?

This article is part of Access Partnership’s series ‘The New Privacy Playbook: Adapting to a Shifting Global Landscape’, which explores the evolving landscape of data governance – highlighting both the obstacles and the innovations emerging across sectors and regions.

The high-stakes balancing act

The United Kingdom is taking a calculated risk.

While Brussels itself is considering reforms to GDPR, the UK government has proposed a Data Use and Access (DUA) Bill that fundamentally reimagines how data can be accessed, shared, and utilised across both public and private sectors. The bill’s ambitions are clear: to position the UK as a global hub for data-driven innovation, free from what some policymakers view as the excessive regulatory constraints of its European past. In effect, the billing is: European data protection values, moderated by British pragmatism.

The DUA Bill has become a prism to view post-Brexit EU-UK relations: first, a flagship “bonfire of EU regulation”, latterly a statement of intent for an EU-UK “reset.” Under various names and prime ministers, officials have worked hard to emphasise how much they prize adequacy. They would argue that after the bill passes, the UK’s regime would still be closer to EU GDPR than any other nation, but certain clauses are potential flashpoints in the future depending on how governments exercise them.

But this gamble comes with potentially serious consequences. As the bill makes its way through Parliament, a critical question looms: Could these changes jeopardise the UK’s hard-won adequacy status with the European Union – and with it, the seamless data flows that underpin approximately GBP 85 billion in UK-EU service exports?

Why adequacy matters

For those outside the data protection world, “adequacy status” might sound like regulatory jargon. In reality, it’s the invisible infrastructure that enables modern digital commerce between the UK and its largest trading partner.

An adequacy decision, as defined in GDPR, represents the European Commission’s formal determination that a non-EU country provides comparable data protection standards to Europe’s own regime. This designation isn’t merely symbolic; it’s the legal mechanism that allows personal data to flow freely across borders without costly additional safeguards (the UK maintains an analogous regime).

Without adequacy, UK businesses would need to implement alternative transfer mechanisms like Standard Contractual Clauses or Binding Corporate Rules, adding layers of compliance costs, legal uncertainty, and administrative burden. Only specific exemptions under GDPR Article 49 would provide relief, and these are deliberately narrow in scope.

The DUA Bill’s controversial provisions

Currently in the final stages of approval in the Houses of Parliament, the Data (Use and Access) Bill represents the UK’s most significant post-Brexit deviation from European data protection norms. While presented as a modernisation effort to support digital innovation and public services, several provisions have raised serious concerns:

Removal of the balancing test

Section 70(1) introduces “Recognised Legitimate Interests” (RLIs) that allow organisations to disclose personal data without performing the traditional balancing test that weighs legitimate interests against individual rights. This fundamental shift means certain interests—particularly those related to national security—could potentially override privacy considerations without case-by-case assessment.

Expanded ministerial powers

Sections 70(4), 71(5), and 74(1) grant the Secretary of State sweeping authority to modify core elements of the UK GDPR through secondary legislation. This includes redefining purpose limitations, recognising legitimate interests, and even expanding special categories of data.

Weakened access rights

Section 78(1)(a) limits organisations’ obligations when responding to data subject access requests to providing only information retrieved through a “reasonable and proportionate search.” This subtle but significant change could make it harder for individuals to discover what data is held about them and how it’s being used.

Narrower restrictions on automated decision-making

Section 80(1) significantly reduces the scope of protections against automated decision-making, limiting prohibitions to cases with “significant effect” or involving special category data. This change aims to promote AI innovation but potentially leaves individuals with fewer safeguards against algorithmic decision-making. As Lord Clement-Jones observed, the bill “significantly weakens safeguards around ADM, creates legal uncertainty due to vague definitions, increases the risk of discrimination, and limits transparency and redress for individuals – ultimately undermining public trust in the use of these technologies.”

Lowered international transfer standards

Perhaps most concerning for adequacy purposes, Schedule 8 74AB(1) replaces the EU’s “essentially equivalent” standard for international data transfers with a more permissive “not materially lower” threshold. This creates a clear divergence from the EU’s approach to third-country transfers—the very issue at the heart of adequacy decisions.

Collectively, these changes reflect a deliberate policy choice to prioritise data utility and innovation over the precautionary approach that characterises the EU’s data protection framework. The question is whether this recalibration goes too far.

Between Brussels and Washington

The stakes are high for both sides: losing adequacy imperils exports just as economies across Europe are slowing down and bracing for Trump tariffs. A dispute between the 27-country bloc and the UK over data transfers when many European countries wish to keep London close for defence would clearly be undesirable.

As a December 2025 deadline approaches, the DUA Bill’s departures from GDPR principles create genuine vulnerabilities in the adequacy relationship, and we’ve seen the consequences of adequacy revocation before. When the EU-US Privacy Shield was invalidated in 2020 (the ‘Schrems II’ decision), thousands of companies faced immediate legal uncertainty and compliance challenges. The disruption lasted until the new Data Privacy Framework was established nearly three years later.

This represents perhaps the most significant risk factor in the entire equation. The UK would face an impossible choice: maintain standards close to the EU to preserve adequacy status or align with the US approach to facilitate transatlantic data flows. In attempting to serve as a “data bridge” between its two most important partners, the UK could instead find itself forced to choose sides in a transatlantic regulatory dispute. This could effectively undo much of the diplomatic progress achieved in the broader EU-UK reset, undermine the very EU-UK Trade and Cooperation Agreement that governs post-Brexit relations,  transforming an obscure technical regulation into a critical foreign policy dilemma.

The way forward

The data economy represents one of Britain’s greatest post-Brexit opportunities, but unlocking its potential doesn’t necessarily require abandoning the privacy principles that have become global standards.

What’s needed is not a binary choice between innovation and adequacy, but a more nuanced approach that preserves essential protections while creating space for responsible data use. This means:

  • Maintaining core data subject rights while streamlining their implementation
  • Enabling data access for innovation while incorporating meaningful safeguards
  • Preserving independent oversight while reducing unnecessary bureaucracy
  • Ensuring any national security exemptions remain proportionate and subject to appropriate safeguards

As the bill passes through its final stages, Parliament has a narrow window to refine the legislation to protect both Britain’s digital ambitions and its crucial data relationship with Europe.

For businesses caught in this uncertainty, the prudent approach is to monitor developments closely while preparing contingency plans for a potential adequacy disruption. The UK’s data gamble may yet pay off, but the odds – and the stakes – deserve serious attention.

Navigating the data crossroads

Access Partnership’s specialised team helps organisations navigate the evolving UK-EU data protection landscape through:

  • Development of contingency planning for potential adequacy challenges
  • Engagement with UK and EU policymakers on pragmatic solutions
  • Implementation of compliance strategies that work across diverging regulatory regimes

For organisations concerned about the implications of the UK’s regulatory changes on their data strategy, contact our Data Governance team at [email protected].

Related Articles

Access Alert: Key Takeaways from Our APEC Roundtable

Access Alert: Key Takeaways from Our APEC Roundtable

In 2026 China hosts the Asia-Pacific Economic Cooperation (APEC).  How can APEC remain relevant and effective for the private sector...

5 Jun 2025 Opinion
Access Alert: Swedish Authorities Crack Down on Spoofed Calls and Number Misuse

Access Alert: Swedish Authorities Crack Down on Spoofed Calls and Number Misuse

The increase in scam calls and text messages has propelled regulatory authorities worldwide to tighten Know Your Customer (KYC) requirements...

4 Jun 2025 Opinion
Lifting Off: Capturing the Potential of ASEAN’s Low-Altitude Economy

Lifting Off: Capturing the Potential of ASEAN’s Low-Altitude Economy

The low-altitude economy, a term first popularised in China, refers to economic activities operating in airspace up to 1,000 metres...

3 Jun 2025 Opinion
Access Alert: Private Sector and Global Health After WHA78

Access Alert: Private Sector and Global Health After WHA78

Major developments at last week’s 78th World Health Assembly (WHA78) indicate next steps for industry: Rebuild Regionally: Redirect advocacy and...

30 May 2025 Opinion