Out-Law News
23 Jul 2025, 9:32 am
The European Commission has proposed to renew two decisions that provide organisations based in the EU with a legal basis for transferring personal data to the UK.
EU data protection law places strict conditions on the transfer of personal data outside of the European Economic Area (EEA) – an activity that is an everyday occurrence for global businesses.
One way that organisations can comply with the EU rules around data transfers is if the transfers are within the scope of so-called ‘adequacy decisions’ that the Commission is empowered to issue.
Countries that benefit from an adequacy decision are considered to have laws essentially equivalent to those that safeguard personal data inside the EEA. Where an adequacy decision has been issued, data transfers between the EU and those third countries are automatically considered to comply with EU data protection laws.
When the UK was an EU member state, the law provided for the free flow of personal data between the UK and other EU member states. That position changed with Brexit. In 2021, the Commission issued two adequacy decisions in respect of the UK, to enable compliant personal data transfers from the EU to the UK under the EU General Data Protection Regulation (GDPR) and the EU’s Law Enforcement Directive, respectively.
The current EU-UK adequacy decisions are due to expire on 27 December 2025. The Commission has, however, now issued a draft implementing decision (33-page / 751KB PDF) in which it said it continues to assess UK data protection standards as being “essentially equivalent” to those in force in the EU. It has proposed to renew its UK adequacy decisions for a period of six years.
The Commission’s assessment of the UK’s data protection framework included a review of the recently enacted Data (Use and Access) Act (DUAA), which provides for some divergence between the EU and UK in some areas of data protection law.
Data protection law expert Malcolm Dowden of Pinsent Masons said: “The draft decision includes a review of the DUAA and confirms that on all points considered potentially risky for UK adequacy during the initial parliamentary debates on the legislation – such as changes to the rules relating to automated decision-making and the new corporate structure of the UK’s data protection authority, the ICO – UK law continues to give adequate protection.”
“The draft decision is also more positive than its predecessor in relation to law enforcement processing, broadly approving the safeguards provided by Investigatory Powers Act 2016,” he said.
The Commission’s draft adequacy decisions have to be formally approved by representatives of EU member state governments and are also subject to a non-binding opinion of the European Data Protection Board (EDPB).
Without the adequacy decisions being in place, organisations wishing to transfer personal data from the EU to the UK would face much greater compliance costs.
Dowden said: “The draft decision will now have to be considered by the EDPB and other EU institutions, but its publication so soon after royal assent for the DUAA should provide UK businesses and organisations operating in the UK and other jurisdictions with a strong indication that the decision is likely to be approved and adopted ahead of the 27 December 2025 deadline.”