
Privacy and Data Protection Winter Snapshot 2026
Tuesday 3rd February 2026
Welcome to our Winter Snapshot, which summarises the latest key data protection news and developments.
In this edition we look at the:
- extension of the UK adequacy decision;
- ICO’s new international transfers guidance;
- ICO’s AI strategy;
- new Procedural Rules approved by the European Parliament; and
- ICO’s announcement of an investigation into Grok.
UK adequacy decision extended until 2031
In December 2025, the European Commission confirmed the renewal of its adequacy decision for the United Kingdom, allowing the continued free flow of personal data between the UK and the EU.
The announcement will reassure many businesses, particularly after speculation that the Data (Use and Access) Act 2025 (“DUAA”) might jeopardise the UK’s adequacy status. The DUAA introduced several departures from the GDPR framework, including more flexible rules on automated decision‑making, prompting concerns that the Commission might view the UK’s regime as less protective.
With the adequacy decision now renewed, organisations can rely on seamless data transfers for at least the next six years. UK and EU businesses may continue sharing personal data without the need for additional contractual safeguards, reducing administrative burdens and supporting frictionless cross‑border operations.


International transfers
The ICO has issued updated guidance on how to determine whether a transfer of personal data is a “restricted transfer” under the UK GDPR, setting out a three-step test that looks at: (1) whether the UK GDPR applies to the processing; (2) whether the data is being sent or made accessible to a recipient outside the UK; and (3) whether that recipient is a separate legal entity or individual.
The guidance confirms that a restricted transfer can arise when personal data is made accessible to a recipient whose organisation is based outside the UK, even if the data stays on servers in the UK.
The rules focus on where the receiving organisation is established, not where the data physically resides. As such, contracting with an overseas ‘entity’ in a non-adequate territory generally constitutes a restricted transfer, requiring compliance with the UK GDPR transfer mechanisms.
The guidance can be accessed here.
AI-Driven Futures: The ICO’s AI Strategy
Plans to regulate AI and biometric technologies have prompted the ICO to publish an AI and Biometrics Strategy. The data protection regulator intends to support organisations using these technologies responsibly, while ensuring that personal information is appropriately protected. The strategy outlines how the ICO will have a statutory code of practice, ensure automated decision-making systems are governed and ensure a fair, proportionate use of facial recognition technology.
This strategy forms part of the ICO’s wider objectives, including the ICO25 strategic plan, and reinforces its ongoing commitment to supporting economic growth by addressing risks which cause barriers.


GDPR Procedure Rules approved and set to improve cross border collaboration between DPAs
In December 2025, the European Parliament approved the Procedural Rules, which are set to improve collaboration between data protection authorities in cross border cases. While Articles 58 and 60 GDPR already require joint enforcement under a lead supervisory authority in the case of cross border complaints, there have been complaints over the speed and efficiency of decision-making to date.
As such, the Procedural Rules provide more detail on the process which supervisory authorities in different territories should follow, with the intention of achieving quicker outcomes.
These include clear procedural rights for data subjects, early scoping of a complaint, structured co-operation and investigation deadlines.
You can read more here.
ICO responds to statement on X regarding Grok AI
*TW: Abuse*
The ICO has opened a formal investigation into X Internet Unlimited Company (XIUC) and X.AI LLC (X.AI) covering their processing of personal data in relation to Grok’s AI system and ‘its potential to produce harmful sexualised image and video content’. This follows its statement on 7 January that the ICO had contacted X and X.AI to seek clarity on the measures in place to comply with data protection law and protect individuals’ rights. Ofcom is also investigating in parallel.
You can read more here.

If you would like to discuss these changes in more detail, please get in touch with one of our experts.
