OUT-LAW NEWS 2 min. read

UK ‘open’ to data transfer tools update

Binary code data

International data transfers are an everyday essential for global businesses. Suebsiri/iStock.


The UK government appears open to the idea of updating – or adding to – the mechanisms businesses can access to facilitate their transfer of personal data around the world, a data protection expert has said.

Malcolm Dowden of Pinsent Masons was commenting after the Department for Science, Innovation & Technology (DSIT) opened a call for evidence on data flows on Wednesday.

The information gathering exercise invites businesses to share their own approaches to international data transfers, from their understanding and use of existing transfer tools to the barriers, concerns or risks they see with the UK’s current data transfer framework and the ways they think the government can better support them in transferring data overseas in a way that complies with data protection law.

The UK General Data Protection Regulation (GDPR) places strict conditions on the transfer of personal data outside of the jurisdiction – an activity that is an everyday occurrence for global businesses. The restrictions, contained in Chapter V of the respective regulations, are designed to ensure personal data that benefits from the protections under the GDPR continues to benefit from an equivalent standard of protection even if it is transferred outside the EU or UK.

Chapter V sets out several different options controllers or processors can take advantage of to ensure an equivalent standard of protection applies to data being transferred. These include adequacy decisionsstandard contractual clauses and other “appropriate safeguards”; binding corporate rules; and derogations for specific situations.

Dowden said the DSIT call for evidence implies openness on the part of the UK government to reviewing international transfer mechanisms, highlighting how some questions invite views from business on whether they would find it useful if amendments were made to existing alternative transfer mechanisms or if new partial adequacy decisions were issued, such as on a sectoral basis.

In its paper, the DSIT said the “pace and frequency” of international data transfers has grown in recent years, with the increased reliance businesses have on global cloud service providers coinciding with the increasing criticality of data to the development and deployment of AI systems. It said reforms to the UK’s international transfers statutory framework, made through the Data (Use and Access) Act 2025, offer “an opportunity to examine how the current toolkit is functioning in practice, particularly as data use becomes more complex, global, and dynamic”.

“This includes examining whether existing tools for governing international data transfers support clear, effective, and trusted data flows in practice, and whether safeguards remain responsive and proportionate to an evolving threat and technology landscape,” the DSIT said.

“We are interested in how organisations make decisions and manage risk in real-world settings; how regulatory tools and mechanisms influence behaviour; and what more may be needed to instil trust and confidence in the use of data, while maintaining robust protections, a resilient UK data infrastructure and enabling economic opportunity,” it added.

A separate call for evidence was also published on Wednesday by DSIT concerning data regulation in the age of AI. It also invites organisations to share details of their own practices and governance arrangements, and to give their views on whether they think the data protection regime is fit-for-purpose – including in the context of agentic AI and automated decision-making.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.