Contributors
The European Commission and the European Data Protection Board (EDPB) have approved new EU-UK adequacy decisions. While endorsing continuity of frictionless personal data flows, the EDPB signalled areas for continued scrutiny to ensure the UK’s framework remains “essentially equivalent” to EU standards over time.
The background and a timeline
An adequacy decision by the EU allows for the free flow of data from the EU to a third country without controllers having to put any additional measures in place (such as Standard Contractual Clauses). This is important for businesses because it simplifies cross-border data transfers, reduces legal complexity, and facilitates smooth and efficient operations.
Post-Brexit, with the UK no longer part of the EU, it was crucial to establish a legal framework that recognized the UK's data protection standards as equivalent to those of the EU. The UK's two adequacy decisions did just that and ensured seamless data transfers between the European Union and the United Kingdom.
The Data (Use and Access) Act 2025 (DUAA) came into force this year. It introduces changes to UK data protection law with the goal of promoting innovation and economic growth. A number of the changes will be brought into force by secondary legislation and it will be 2026 before all of the changes are implemented and the accompanying guidance is ready. The European Commission has been assessing whether the reforms impact on the UK's ability to provide adequate protection for data flowing from the EU to the UK, without additional regulatory protections being required.
EU-UK adequacy, a timeline:
| 28 June 2021 | EU-UK adequacy decisions put in place for a 4 year period. There are two adequacy decisions, one covering general data protection under the GDPR and another for law enforcement data under the Law Enforcement Directive. |
| 19 June 2025 | DUAA received Royal Assent. |
| 24 June 2025 | On this date, the Commission adopted a six-month extension of the two adequacy decisions with the United Kingdom, with the approval of the EDPB. This was to give the Commission time to assess the adequacy of the data protection regime in the UK following the changes introduced by DUAA. Otherwise the EU-UK adequacy decisions would have expired on 27 June 2025. |
| 22 July 2025 | European Commission issued a press statement which indicates it will approve the UK's new data protection regime post DUAA. The Commission concluded that the new framework provides safeguards that are essentially equivalent to those provided by the EU. |
| 20 October 2025 | EDPB adopts two opinions on the European Commission’s draft decisions on the extension of the validity of the UK adequacy decisions. |
| 27 December 2025 | EU/UK adequacy decisions extended until this date. We anticipate the extended adequacy decisions will be in place on or before this date. |
| December 2031 | The new EU-UK adequacy decisions are proposed to be extended for a 6-year period. This is the anticipated end date. It is proposed the new EU-UK adequacy decisions will contain built‑in sunset/review mechanisms. |
The EDPB's opinions
The EDPB is broadly content that the UK's data protection framework continues to be aligned with the EU's. The EDPB notes that the reforms introduced by the UK Government largely serve to "clarify and facilitate compliance with the law" and that the regimes are aligned on key provisions such as transparency, data subject rights, and special categories of data. As a result, the EDPB is satisfied that the two adequacy decisions can be extended.
As you would expect, the EDPB did not stop there and highlighted a number of areas which need further analysis as well as some issues which the Commission should closely monitor over the coming years:
- The Retained EU Law (Revocation and Reform) Act 2023 removed the principle of the supremacy of EU law. In addition, the effects of general principles of EU law were removed from UK law, as of 1 January 2024. The EU fundamental rights are the foundation of the GDPR regime and the EDPB is concerned about the impact of their removal from the UK's data protection framework. There are also questions about whether and to what extent the UK courts will depart from retained EU case-law in the future.
- The DUAA gives powers to the Secretary of State to make changes via secondary legislation on key issues such as international transfers, automated decision-making, and the governance structure of the Information Commissioner's Office (ICO). The EDPB is concerned about the possibility of further divergence from EU law as a result of these, as yet not fully known, changes. It questions whether the changes will have an impact on the standard of protection of personal data in the UK.
- Changes to international transfers and the methodology the UK will use to assess the adequacy of a third country.
- The restructuring of the ICO and the new triage system for complaints handling. The EDPB recommends that the Commission monitors the independence of the newly formed Information Commission.
- The national security exemptions to the law enforcement framework. The EDPB considers that the UK must maintain the principle of proportionality when applying national security exemptions.
Impact on businesses
UK businesses will be pleased to hear that the status quo will be preserved and that personal data can flow smoothly from the EU to the UK, without the need for additional transfer tools.
Knowing that the EDPB has identified issues for monitoring, which may have a future impact on adequacy, prudent organisations will maintain contingency tools and governance processes to adapt quickly to future reviews or changes.
Businesses should note that the EU-UK adequacy decision only applies to data transfers between the EU and the UK. When transferring personal data outside the UK, they must comply with UK GDPR rules. It's important to stay informed about which countries have adequacy decisions and any additional measures that may be required.
Next steps and ongoing reviews
To complete the process of approval of the UK's adequacy decisions, the Commission now has to seek approval from a committee composed of representatives of the EU Member States. The European Parliament also has a right of scrutiny over adequacy decisions. It is not anticipated this will be problematic.
After Brexit, the UK Government sought to reform our data protection system. The full impact will be clear once the DUAA is fully implemented in 2026. The EDPB is generally satisfied with the UK's alignment with EU standards, but significant reforms are limited if the UK wants to keep its adequacy decision. The EU Commission must monitor countries with adequacy decisions and can change or revoke them if standards drop. The UK's framework will be closely watched to ensure compliance.
However, the ground may also be shifting under the Commission's feet. Recently leaked proposals to modify the EU GDPR would reduce privacy protections with the aim of making the EU more competitive – particularly around AI – which would seem to move the EU GDPR in the same direction as the UK has taken.
Do you want to know more about the EU-UK adequacy decisions, the DUAA, and how they might impact on your business? Or want support with international data transfers or updates to your privacy programme?
Simply reach out to Sheilah Mackie, Andrew Kimble or Sarah Daun.
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.
