EU-UK Adequacy Decisions Update

/in /by

As mentioned in our previous article, the EU-UK adequacy decisions which were first issued in June 2021 were set to expire on 27 June 2025.  On 24 June 2025, the European Commission (“the Commission”) extended the validity of these decisions for a period of six months until 27 December 2025. This time-limited technical extension allowed the Commission to finalise its assessment as to whether or not there was still an adequate level of protection for personal data afforded in the United Kingdom (“UK”) further to the recent legislative change by the enactment of the Data (Use and Access) Act 2025 (“DUAA”) which was enacted in June 2025 .

Adequacy decisions are formal findings by the Commission that a third country or international organisation ensures an ‘essentially equivalent’ level of protection for personal data to that within the EU. Since Brexit, the UK has been classified as a third country under the EU General Data Protection Regulation (“GDPR”).

On 22 July 2025, the Commission published their draft decision amending the EU-UK adequacy decisions issued in June 2021 and renewing the EU-UK adequacy decisions for an additional six years until 27 December 2031 (“the Draft Decision”).

The Draft Decision

The DUAA has amended several aspects of the UK data protection regime and aims to maintain high standards of protection, whilst addressing a lack of clarity in existing legislation that impedes the safe development and deployment of some new technologies.[1] In the Draft Decision, the Commission considered relevant developments regarding:

  1. the rules applying to the processing of personal data; and
  2. the access and use of personal data transferred from the European Union by Public Authorities in the UK.

Despite these targeted reforms, the UK continues to ensure an adequate level of protection for personal data such that they are essentially equivalent to the GDPR.

The Commission concluded that the DUAA has a relatively limited practical impact, with modifications primarily aimed at accommodating future technological and societal advancements.[2] One such amendment included the expansion of specific definitions under UK GDPR relating to the processing of personal data for scientific, historical and statistical purposes.[3]

However, the Commission did raise concerns in some areas, namely the UK’s membership of the Global Cross-Border Privacy Rules (“CBPR”) Forum. The Commission noted that the CBPR did not provide for a sufficient legal of protection for personal data originating from the EU. The UK explained that any transfer of personal data from the UK to third countries or international organisations needs to meet the conditions set out in UK legislation which requires the standards of protection afforded to be “not materially lower” than those under the UK GDPR.[4]

Overall, the Commission found that the UK continued to ensure an adequate level of protection within the meaning of the GDPR, and this assessment was based on the UK’s domestic law but also the UK’s continued submission to the European Court of Human Rights.[5]

In accordance with the GDPR, the Commission will periodically review this decision to determine whether the adequacy of the level of protection ensured by the UK is still factually and legally justified.[6]

Future for transfers between the UK and EU

This six-year renewal presents a positive step for organisations relying on cross-border data and a significant step in eliminating uncertainty.

However, the Draft Decision is still a draft and is not yet finalised. The Draft Decision is now subject to the approval of a committee composed of representatives of the EU Member States for its approval (under the Comitology procedure) and the European Data Protection Board must also issue their opinion.

Further to the publication of the Draft Decision Michael McGrath, Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection commented that: “The unobstructed flow of personal data between the EU and the UK is essential for many businesses, public authorities and individuals on both sides of the Channel. With this step, we are ensuring that this vital link stays open – not only to support commerce and research, but also to enable effective cooperation in criminal justice and law enforcement.”

The Commission’s press release with Commissioner McGrath’s comment can be found here:

https://ec.europa.eu/commission/presscorner/detail/en/mex_25_1884

The Draft Decision can be found here:

https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#documents

For more information, please contact our Data Protection Team.  

Judith Curtin
jc@ofx.ie
021 4277788

Niamh Carey
nca@ofx.ie
021 4277788

 

[1] Page 9, para 6 of the Explanatory Notes on Data (Use and Access) Act 2025:  https://www.legislation.gov.uk/ukpga/2025/18/pdfs/ukpgaen_20250018_en.pdf

[2] Para 26, page 8 of the Draft Decision.

[3] Para 17, page 5 of the Draft Decision.

[4] Para 49 and 50, page 15 of the Draft Decision.

[5] Para 107, page 30 of the Draft Decision.

[6] Para 108, page 30 of the Draft Decision.